WebKit Bugzilla
Bug 226527 (RESOLVED FIXED): Nullptr crash in CompositeEditCommand::splitTreeToNode via InsertParagraphSeparatorCommand::doApply
https://bugs.webkit.org/show_bug.cgi?id=226527
Ryosuke Niwa, Reported 2021-06-02 00:58:42 PDT

Created attachment 430323 [details]
Test

e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x000000016919381f WebCore::Node::ref() const + 0 (Node.h:780) [inlined]
1   com.apple.WebCore   0x000000016919381f WTF::DefaultRefDerefTraits<WebCore::Node>::refIfNotNull(WebCore::Node*) + 0 (RefPtr.h:36) [inlined]
2   com.apple.WebCore   0x000000016919381f WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::RefPtr(WebCore::Node*) + 0 (RefPtr.h:63) [inlined]
3   com.apple.WebCore   0x000000016919381f WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::RefPtr(WebCore::Node*) + 0 (RefPtr.h:63) [inlined]
4   com.apple.WebCore   0x000000016919381f WTF::RefPtr<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >::operator=(WebCore::Node*) + 0 (RefPtr.h:153) [inlined]
5   com.apple.WebCore   0x000000016919381f WebCore::CompositeEditCommand::splitTreeToNode(WebCore::Node&, WebCore::Node&, bool) + 79 (CompositeEditCommand.cpp:1751)
6   com.apple.WebCore   0x00000001691e584a WebCore::InsertParagraphSeparatorCommand::doApply() + 6746 (InsertParagraphSeparatorCommand.cpp:396)
7   com.apple.WebCore   0x000000016918d508 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::RawPtrTraits<WebCore::EditCommand> >&&) + 40 (CompositeEditCommand.cpp:488)
8   com.apple.WebCore   0x000000016918da39 WebCore::CompositeEditCommand::insertParagraphSeparator(bool, bool) + 89 (CompositeEditCommand.cpp:529)
9   com.apple.WebCore   0x00000001691fc0eb WebCore::ReplaceSelectionCommand::doApply() + 14203 (ReplaceSelectionCommand.cpp:1426)
10  com.apple.WebCore   0x000000016917c7c7 WebCore::CompositeEditCommand::apply() + 167 (CompositeEditCommand.cpp:397)
11  com.apple.WebCore   0x00000001691b1034 WebCore::Editor::replaceSelectionWithFragment(WebCore::DocumentFragment&, WebCore::Editor::SelectReplacement, WebCore::Editor::SmartReplace, WebCore::Editor::MatchStyle, WebCore::EditAction, WebCore::MailBlockquoteHandling) + 868 (Editor.cpp:698)
12  com.apple.WebCore   0x00000001691b17f6 WebCore::Editor::replaceSelectionWithText(WTF::String const&, WebCore::Editor::SelectReplacement, WebCore::Editor::SmartReplace, WebCore::EditAction) + 118 (Editor.cpp:741)
13  com.apple.WebCore   0x00000001691b0c69 WebCore::Editor::handleTextEvent(WebCore::TextEvent&) + 201 (Editor.cpp:349)
14  com.apple.WebCore   0x000000016967de6f WebCore::EventHandler::defaultTextInputEventHandler(WebCore::TextEvent&) + 31 (EventHandler.cpp:4161)
15  com.apple.WebCore   0x00000001690e8ef3 WebCore::callDefaultEventHandlersInBubblingOrder(WebCore::Event&, WebCore::EventPath const&) + 39 (EventDispatcher.cpp:63) [inlined]
16  com.apple.WebCore   0x00000001690e8ef3 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1763 (EventDispatcher.cpp:204)
17  com.apple.WebCore   0x00000001691b3429 WebCore::Editor::pasteAsPlainText(WTF::String const&, bool) + 217 (Editor.cpp:621)
18  com.apple.WebCore   0x00000001691b3839 WebCore::Editor::pasteAsPlainTextWithPasteboard(WebCore::Pasteboard&) + 361 (Editor.cpp:641)
19  com.apple.WebCore   0x00000001691ba97c WebCore::Editor::pasteAsPlainText(WebCore::Editor::FromMenuOrKeyBinding) + 412 (Editor.cpp:1493)
20  com.apple.WebCore   0x00000001691dc3a3 WebCore::executePasteAndMatchStyle(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 51 (EditorCommand.cpp:935)
21  com.apple.WebCore   0x00000001690ac0fc WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 76 (Document.cpp:5758)
22  com.apple.WebCore   0x000000016836af76 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) + 218 (JSDocument.cpp:5869) [inlined]
23  com.apple.WebCore   0x000000016836af76 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 392 (JSDOMOperation.h:55) [inlined]
24  com.apple.WebCore   0x000000016836af76 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 422 (JSDocument.cpp:5874)

<rdar://78561736>
Attachments
Test (298 bytes, text/html), 2021-06-02 00:58 PDT, Ryosuke Niwa, no flags
Patch (6.53 KB, patch), 2021-06-02 08:29 PDT, Frédéric Wang (:fredw), no flags
Frédéric Wang (:fredw), Comment 1, 2021-06-02 08:20:11 PDT

Below is the state of the tree before it crashes, where the divs are display: table. This is fixed by attachment 430342 [details] from bug 224977.

#document 0x61f00001dc80 (renderer 0x6160003ce480)
HTML 0x60c0002a6880 (renderer 0x61200007da40)
DIV 0x60c0002abb00 (renderer 0x61400007bc40)
* #text 0x60b0000e8c70 "onload = () => { document.execCommand('SelectAll'); document.execCommand('Copy'); document.execCommand('SelectAll'); document.designMode = 'on'; document.execCommand('PasteAndMatchStyle'); };"
DIV 0x60c0002b3600 (renderer 0x61400007c240)
BR 0x60c0002b3900 (renderer 0x6110001d5640)
BODY 0x60c0002a7600 (renderer 0x61200007e040)
STYLE 0x610000024140 (renderer (nil))
#text 0x60b0000e6ee0 "\n head, script, div {\n display: table;\n }\n"
Frédéric Wang (:fredw), Comment 2, 2021-06-02 08:29:43 PDT

Created attachment 430360 [details]
Patch
EWS, Comment 3, 2021-06-08 00:36:05 PDT

Committed r278593 (238583@main): <https://commits.webkit.org/238583@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 430360 [details].