RESOLVED FIXED226398
Crash in HTMLConverter::_addLinkForElement() 
https://bugs.webkit.org/show_bug.cgi?id=226398
Summary Crash in HTMLConverter::_addLinkForElement()
Julian Gonzalez
Reported 2021-05-28 14:44:44 PDT
e.g. 0 HTMLConverter::_addLinkForElement(WebCore::Element&, _NSRange)+1430 1 HTMLConverter::_exitElement(WebCore::Element&, long, unsigned long)+391 2 HTMLConverter::_traverseNode(WebCore::Node&, unsigned int, bool)+850 3 HTMLConverter::_traverseNode(WebCore::Node&, unsigned int, bool)+1166 4 HTMLConverter::_traverseNode(WebCore::Node&, unsigned int, bool)+1166 5 HTMLConverter::convert()+362 6 WebCore::attributedString(WebCore::SimpleRange const&)+275 7 WebCore::selectionAsAttributedString(WebCore::Document const&)+286 8 WebCore::Editor::writeSelectionToPasteboard(WebCore::Pasteboard&)+334 9 WebCore::Editor::performCutOrCopy(WebCore::Editor::EditorActionSpecifier)+1402 <rdar://problem/78216316>
Attachments
Patch (3.74 KB, patch)
2021-05-28 14:49 PDT, Julian Gonzalez 		no flags
DetailsFormatted DiffDiff
Patch (4.10 KB, patch)
2021-06-02 15:29 PDT, Julian Gonzalez 		no flags
DetailsFormatted DiffDiff
Patch (3.58 KB, patch)
2021-06-02 19:15 PDT, Julian Gonzalez 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Julian Gonzalez
Comment 1 2021-05-28 14:49:35 PDT
Created attachment 430058 [details] Patch
Ryosuke Niwa
Comment 2 2021-05-29 11:28:13 PDT
Comment on attachment 430058 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=430058&action=review > Source/WebCore/editing/cocoa/HTMLConverter.mm:2219 > - _exitElement(element, depth, startIndex); > + if (startIndex <= [_attrStr length]) It seems that we don't even want to call _processElement when this condition isn't met?
Julian Gonzalez
Comment 3 2021-06-01 11:16:42 PDT
(In reply to Ryosuke Niwa from comment #2) > Comment on attachment 430058 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=430058&action=review > > > Source/WebCore/editing/cocoa/HTMLConverter.mm:2219 > > - _exitElement(element, depth, startIndex); > > + if (startIndex <= [_attrStr length]) > > It seems that we don't even want to call _processElement when this condition > isn't met? When the call to _processElement happens, startIndex is within the bounds of [_attrStr length]. The operations inside the else block right above here cause this condition to be violated (this code assuming that [_attrStr length] does not change is the bug).
Ryosuke Niwa
Comment 4 2021-06-02 02:04:06 PDT
Comment on attachment 430058 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=430058&action=review >>> Source/WebCore/editing/cocoa/HTMLConverter.mm:2219 >>> + if (startIndex <= [_attrStr length]) >> >> It seems that we don't even want to call _processElement when this condition isn't met? > > When the call to _processElement happens, startIndex is within the bounds of [_attrStr length]. The operations inside the else block right above here cause this condition to be violated (this code assuming that [_attrStr length] does not change is the bug). I see. In that case, I think we just need to adjust startIndex instead of avoid calling _exitElement. > LayoutTests/editing/pasteboard/cut-paste-mouse-event.html:9 > +function styleonload() { Can we call this runTest or something? > LayoutTests/editing/pasteboard/cut-paste-mouse-event.html:12 > + document.createEvent("MouseEvent").initMouseEvent("1", document.execCommand("paste", false), 0, null, 0, document.execCommand("cut", false)); Surely creating MouseEvent is nothing to do with this crash? As far as I just tested, this should work: document.execCommand("selectAll", false); document.execCommand("createLink", false, "test"); document.execCommand("cut", false);
Julian Gonzalez
Comment 5 2021-06-02 15:29:07 PDT
Created attachment 430412 [details] Patch
Ryosuke Niwa
Comment 6 2021-06-02 16:11:42 PDT
Comment on attachment 430412 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=430412&action=review > Source/WebCore/editing/cocoa/HTMLConverter.mm:-2201 > - NSUInteger startIndex = [_attrStr length]; Oh neat.
Ryosuke Niwa
Comment 7 2021-06-02 17:41:17 PDT
WK1 failures looks real: --- /Volumes/Data/worker/macOS-Catalina-Release-WK1-Tests-EWS/build/layout-test-results/editing/mac/attributed-string/anchor-element-expected.txt +++ /Volumes/Data/worker/macOS-Catalina-Release-WK1-Tests-EWS/build/layout-test-results/editing/mac/attributed-string/anchor-element-actual.txt @@ -27,7 +27,6 @@ NSColor: #0000ee (sRGB) NSFont: Times-Roman 16.00 pt. NSKern: 0pt - NSLink: https://webkit.org/ NSStrokeColor: #0000ee (sRGB) NSStrokeWidth: 0 NSUnderline: true
Ryosuke Niwa
Comment 8 2021-06-02 17:44:49 PDT
Comment on attachment 430412 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=430412&action=review > Source/WebCore/editing/cocoa/HTMLConverter.mm:2218 > - _exitElement(element, depth, startIndex); > + _exitElement(element, depth, [_attrStr length]); Oh, this isn't quite right. startIndex is named so because we're adding more stuff to _attrStr. What's wrong with the existing code is that startIndex can be less than [_attrStr length]. So I think we need to use std::min(startIndex, [_attrStr length]) here.
Ryosuke Niwa
Comment 9 2021-06-02 17:45:09 PDT
Comment on attachment 430412 [details] Patch r- because of the aforementioned WK1 test failures.
Julian Gonzalez
Comment 10 2021-06-02 19:15:21 PDT
Created attachment 430434 [details] Patch
Ryosuke Niwa
Comment 11 2021-06-02 20:51:51 PDT
Let's wait for other EWSs to catch up.
EWS
Comment 12 2021-06-03 00:09:36 PDT
Committed r278398 (238423@main): <https://commits.webkit.org/238423@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 430434 [details].
Note You need to log in before you can comment on or make changes to this bug.