Bug 224518 - Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCommand::removeRedundantBlocks
Summary: Nullptr deref in CompositeEditCommand::isRemovableBlock in DeleteSelectionCom...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-04-13 16:43 PDT by Ian Gilbert
Modified: 2021-04-16 17:57 PDT (History)
4 users (show)

See Also:

Attachments
Patch (4.33 KB, patch)
2021-04-13 17:08 PDT, Ian Gilbert 		no flags Details | Formatted Diff | Diff
Patch (4.15 KB, patch)
2021-04-15 16:49 PDT, Ian Gilbert 		no flags Details | Formatted Diff | Diff
Patch (4.23 KB, patch)
2021-04-16 13:35 PDT, Ian Gilbert 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ian Gilbert 2021-04-13 16:43:44 PDT 
removeRedundantBlocks() may run into a null pointer while iterating over the tree, if the tree is unexpectedly modified during the execution of a command. Adding null check to quit this step if a parent node cannot be resolved.
Comment 1 Ian Gilbert 2021-04-13 16:44:14 PDT 
<rdar://problem/76264118>
Comment 2 Ian Gilbert 2021-04-13 17:08:43 PDT 
Created attachment 425933 [details]
Patch
Comment 3 Ryosuke Niwa 2021-04-13 18:26:45 PDT 
Comment on attachment 425933 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425933&action=review

> Source/WebCore/editing/DeleteSelectionCommand.cpp:869
> +    RefPtr<Node> node = makeRefPtr(m_endingPosition.containerNode());
> +    RefPtr<Node> rootNode = makeRefPtr(node->rootEditableElement());

Use auto?

> Source/WebCore/editing/DeleteSelectionCommand.cpp:871
> +    while (node && (node != rootNode)) {

We don't usually nest parentheses like this.

> Source/WebCore/editing/DeleteSelectionCommand.cpp:877
> -            node = m_endingPosition.anchorNode();
> +            node = makeRefPtr(m_endingPosition.anchorNode());

No need to call makeRefPtr since node is already of type RefPtr<Node>.

> Source/WebCore/editing/DeleteSelectionCommand.cpp:879
> -            node = node->parentNode();
> +            node = makeRefPtr(node->parentNode());

Ditto.

> LayoutTests/editing/execCommand/remove-node-during-command-crash.html:24
> +    document.write('PASS')

Missing semicolon at the end.
Also, can we say that this test passes if WebKit doesn't crash?
Comment 4 Ian Gilbert 2021-04-15 16:49:41 PDT 
Created attachment 426154 [details]
Patch
Comment 5 Ian Gilbert 2021-04-15 16:53:39 PDT 
Tried to add the text to the test body saying the test passes if it doesn't crash but it either would stop the test from reproducing, or would get eaten by the command. Hopefully that is appropriate.
Comment 6 Ryosuke Niwa 2021-04-15 16:56:42 PDT 
Comment on attachment 426154 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=426154&action=review

> Source/WebCore/ChangeLog:3
> +        Editing null pointer dereference while resolving command

I've just renamed the bug. Please update the title here. It's overly generic.
Sorry I didn't notice earlier.

> LayoutTests/ChangeLog:3
> +        Editing null pointer dereference while resolving command

Ditto.

> LayoutTests/ChangeLog:8
> +        Add regression test.

Nit: Add *a* regression test.
Comment 7 Ian Gilbert 2021-04-16 13:35:51 PDT 
Created attachment 426267 [details]
Patch
Comment 8 Ryosuke Niwa 2021-04-16 13:37:40 PDT 
Let's at least wait for the stress EWS to make sure the new test isn't flaky, etc...
Comment 9 EWS 2021-04-16 17:57:30 PDT 
Committed r276186 (236668@main): <https://commits.webkit.org/236668@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 426267 [details].