RESOLVED FIXED 88495
[Shadow] Executing Italic and InsertUnorderedList in Shadow DOM causes a crash
https://bugs.webkit.org/show_bug.cgi?id=88495
Shinya Kawanaka
Reported 2012-06-06 21:30:33 PDT
HTML:
<div id="host" contenteditable></div>

Shadow DOM:
<div id="shadow-host" contenteditable>BEFORE (SHADOW)<shadow></shadow>AFTER (SHADOW)</div>

Nested Shadow DOM:
BEFORE (NESTED)<shadow></shadow>AFTER (NESTED)

Select from BEFORE (NESTED) to AFTER (NESTED), then do document.execCommand('Italic'), and do document.execCommand('InsertUnorderedList').
It caused a crash without stacktrace...
Attachments
Patch (6.07 KB, patch)
2012-06-22 14:36 PDT, Shinya Kawanaka
no flags
Patch (6.17 KB, patch)
2012-06-22 15:05 PDT, Shinya Kawanaka
no flags
Patch for landing (6.17 KB, patch)
2012-06-25 09:12 PDT, Shinya Kawanaka
no flags
Patch for landing (6.17 KB, patch)
2012-06-25 09:14 PDT, Shinya Kawanaka
no flags
Shinya Kawanaka
Comment 1 2012-06-06 21:30:44 PDT
We should investigate more...
Shinya Kawanaka
Comment 2 2012-06-06 21:41:42 PDT
Not only InsertUnorderedList, but other editing commands may cause a crash...
Shinya Kawanaka
Comment 3 2012-06-22 14:36:16 PDT
Shinya Kawanaka
Comment 4 2012-06-22 14:43:17 PDT
Actually this is not an editing problem but a Shadow DOM implementation problem... The implementation of InsertionPoint::removedFrom seems wrong. This patch fixes it.
Shinya Kawanaka
Comment 5 2012-06-22 15:05:32 PDT
Ryosuke Niwa
Comment 6 2012-06-22 23:34:21 PDT
Comment on attachment 149113 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=149113&action=review

> Source/WebCore/ChangeLog:3
> + [Shadow][Editing] Italic -> InsertUnorderedList crashes in Shadow DOM.

Please update the bug title before you land.

> LayoutTests/ChangeLog:3
> + [Shadow][Editing] Italic -> InsertUnorderedList crashes in Shadow DOM.

Ditto.
Shinya Kawanaka
Comment 7 2012-06-25 09:12:26 PDT
Created attachment 149303 [details] Patch for landing
Shinya Kawanaka
Comment 8 2012-06-25 09:14:09 PDT
Created attachment 149305 [details] Patch for landing
WebKit Review Bot
Comment 9 2012-06-25 09:59:44 PDT
Comment on attachment 149305 [details] Patch for landing
Clearing flags on attachment: 149305
Committed r121162: <http://trac.webkit.org/changeset/121162>
WebKit Review Bot
Comment 10 2012-06-25 09:59:52 PDT
All reviewed patches have been landed. Closing bug.
Hajime Morrita
Comment 11 2012-06-25 20:20:35 PDT
Comment on attachment 149113 [details] Patch
Could you check other removedFrom() implementations as well? I think I applied a similar pattern to some other places.
Shinya Kawanaka
Comment 12 2012-06-26 09:18:20 PDT
(In reply to comment #11)
> (From update of attachment 149113 [details])
> Could you check other removedFrom() implementations as well?
> I think I applied a similar pattern to some other places.

I've found that HTMLStyleElement::removedFrom() used the same pattern. I'm now seeing all the patterns.