229277 – Nullptr crash in TypingCommand::willAddTypingToOpenCommand via TypingCommand::deleteKeyPressed

Bug 229277 - Nullptr crash in TypingCommand::willAddTypingToOpenCommand via TypingCommand::deleteKeyPressed

Summary: Nullptr crash in TypingCommand::willAddTypingToOpenCommand via TypingCommand:...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	HTML Editing (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-08-18 20:40 PDT by Ryosuke Niwa
Modified:	2021-09-05 09:19 PDT (History)
CC List:	10 users (show)

See Also:

Attachments
Test (376 bytes, text/html) 2021-08-18 20:40 PDT, Ryosuke Niwa	no flags	Details
Patch (3.96 KB, patch) 2021-08-24 08:24 PDT, Rob Buis	no flags	Details \| Formatted Diff \| Diff
Patch (6.77 KB, patch) 2021-08-30 07:44 PDT, Rob Buis	no flags	Details \| Formatted Diff \| Diff
Patch (6.76 KB, patch) 2021-08-31 00:25 PDT, Rob Buis	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2021-08-18 20:40:23 PDT

Created attachment 435836 [details]
Test

e.g.

#0 0x14afd5252 in WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >::Ref(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> > const&)+0x42 (WebCore.framework/Versions/A/WebCore:x86_64+0xf57252)
#1 0x14afd5208 in WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >::Ref(WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> > const&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xf57208)
#2 0x14afd518e in WebCore::BoundaryPoint::BoundaryPoint(WebCore::BoundaryPoint const&)+0x1e (WebCore.framework/Versions/A/WebCore:x86_64+0xf5718e)
#3 0x14afd5168 in WebCore::BoundaryPoint::BoundaryPoint(WebCore::BoundaryPoint const&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xf57168)
#4 0x14afd5901 in WebCore::SimpleRange::SimpleRange(WebCore::SimpleRange const&)+0x21 (WebCore.framework/Versions/A/WebCore:x86_64+0xf57901)
#5 0x14afd4c98 in WebCore::SimpleRange::SimpleRange(WebCore::SimpleRange const&)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xf56c98)
#6 0x14d9ac471 in WebCore::StaticRange::create(WebCore::SimpleRange const&)+0xc1 (WebCore.framework/Versions/A/WebCore:x86_64+0x392e471)
#7 0x14db91d7c in WebCore::TypingCommand::willAddTypingToOpenCommand(WebCore::TypingCommand::ETypingCommand, WebCore::TextGranularity, WTF::String const&, std::__1::optional<WebCore::SimpleRange> const&)+0x22c (WebCore.framework/Versions/A/WebCore:x86_64+0x3b13d7c)
#8 0x14db8cdee in WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool)+0x8be (WebCore.framework/Versions/A/WebCore:x86_64+0x3b0edee)
#9 0x14db90f4e in WebCore::TypingCommand::doApply()+0x1be (WebCore.framework/Versions/A/WebCore:x86_64+0x3b12f4e)
#10 0x14da353c6 in WebCore::CompositeEditCommand::apply()+0x216 (WebCore.framework/Versions/A/WebCore:x86_64+0x39b73c6)
#11 0x14db8c27b in WebCore::TypingCommand::deleteKeyPressed(WebCore::Document&, unsigned int, WebCore::TextGranularity)+0x29b (WebCore.framework/Versions/A/WebCore:x86_64+0x3b0e27b)
#12 0x14db05dae in WebCore::executeDelete(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)+0xde (WebCore.framework/Versions/A/WebCore:x86_64+0x3a87dae)
#13 0x14dac808b in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const+0xdb (WebCore.framework/Versions/A/WebCore:x86_64+0x3a4a08b)
#14 0x14d72dc7e in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)+0x14e (WebCore.framework/Versions/A/WebCore:x86_64+0x36afc7e)
#15 0x14ab2d8c8 in WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)+0x4f8 (WebCore.framework/Versions/A/WebCore:x86_64+0xaaf8c8)
#16 0x14ab2d330 in long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)+0x100 (WebCore.framework/Versions/A/WebCore:x86_64+0xaaf330)
#17 0x14ab165a8 in WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)+0x8 (WebCore.framework/Versions/A/WebCore:x86_64+0xa985a8)
#18 0x3ae554a011d7  (<unknown module>)
#19 0x16806f8d6 in llint_entry+0x1b5c6 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xe318d6)
#20 0x168054108 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xe16108)
#21 0x169a75084 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x5e4 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2837084)
#22 0x16a375b84 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3137b84)

<rdar://80333314>

Comment 1 Ryosuke Niwa 2021-08-18 20:40:33 PDT

I can reproduce this with ASAN release build of WebKitTestRunner at r281219.

Comment 2 Rob Buis 2021-08-24 08:24:27 PDT

Created attachment 436289 [details]
Patch

Comment 3 Ryosuke Niwa 2021-08-24 12:32:55 PDT

Comment on attachment 436289 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436289&action=review

> Source/WebCore/editing/TypingCommand.cpp:666
> +                if (auto range = deleteListSelection.value().firstRange()) {

I presume deleteListSelection is "none"?
It's confusing that CompositeEditCommand::shouldBreakOutOfEmptyListItem() returns optional<VisibleSelection>.
We normally use VisibleSelection.isNone() in these cases.
Given shouldBreakOutOfEmptyListItem() is only used in this function, I think we should go ahead & make that change
instead of returning checking for both std::nullopt and VisibleSelection being none.

Comment 4 Rob Buis 2021-08-30 07:44:36 PDT

Created attachment 436770 [details]
Patch

Comment 5 Ryosuke Niwa 2021-08-30 10:49:22 PDT

Comment on attachment 436770 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436770&action=review

> Source/WebCore/editing/TypingCommand.cpp:667
> +            auto deleteListSelection = shouldBreakOutOfEmptyListItem();
> +            if (!deleteListSelection.isNone()) {
> +                if (willAddTypingToOpenCommand(DeleteKey, granularity, { }, deleteListSelection.firstRange())) {

Define the variable inside if like so:
if (auto deleteListSelection = shouldBreakOutOfEmptyListItem(); !deleteListSelection.isNone()) {

Comment 6 Rob Buis 2021-08-31 00:25:36 PDT

Created attachment 436848 [details]
Patch

Comment 7 EWS 2021-08-31 01:39:59 PDT

Committed r281795 (241132@main): <https://commits.webkit.org/241132@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436848 [details].