Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Apr 2015 08:23:12 +0000 (08:23 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 29 Apr 2015 08:23:12 +0000 (08:23 +0000)
https://bugs.webkit.org/show_bug.cgi?id=140261

Patch by Hyungwook Lee <hyungwook.lee@navercorp.com> on 2015-04-29
Reviewed by Darin Adler.

Source/WebCore:

We need to check whether the RenderObject is valid in the RenderView::fooSubtreeSelection functions
because an invalid object has caused a crash. This patch adds isValidObjectForNewSelection() and uses it.

* rendering/RenderView.cpp:
(WebCore::isValidObjectForNewSelection):
(WebCore::RenderView::clearSubtreeSelection):
(WebCore::RenderView::applySubtreeSelection):

LayoutTests:

* editing/execCommand/crash-140261-expected.txt: Added.
* editing/execCommand/crash-140261.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183538 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/execCommand/crash-140261-expected.txt [new file with mode: 0644]
LayoutTests/editing/execCommand/crash-140261.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/rendering/RenderView.cpp

index 4ff50e5..5765e9b 100644 (file)
@@ -1,3 +1,13 @@
+2015-04-29  Hyungwook Lee  <hyungwook.lee@navercorp.com>
+
+        Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
+        https://bugs.webkit.org/show_bug.cgi?id=140261
+
+        Reviewed by Darin Adler.
+
+        * editing/execCommand/crash-140261-expected.txt: Added.
+        * editing/execCommand/crash-140261.html: Added.
+
 2015-04-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
 
         Synchronous XMLHttpRequest should get access to AppCache resources stored as flat files
diff --git a/LayoutTests/editing/execCommand/crash-140261-expected.txt b/LayoutTests/editing/execCommand/crash-140261-expected.txt
new file mode 100644 (file)
index 0000000..b0d47ca
--- /dev/null
@@ -0,0 +1,4 @@
+  
+Test for crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock()
+
+This test passes if it doesn't crash.
diff --git a/LayoutTests/editing/execCommand/crash-140261.html b/LayoutTests/editing/execCommand/crash-140261.html
new file mode 100644 (file)
index 0000000..5a90e83
--- /dev/null
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html contenteditable>
+<body>
+    <div></div>
+    <abbr>
+        <label>
+            <textarea></textarea>
+        </label>
+        <embed></embed>
+    </abbr>
+</body>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    document.execCommand("selectall", false, null);
+    document.execCommand("insertorderedlist", false, null);
+    document.write("<p>Test for crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock()</p>");
+    document.write("<p>This test passes if it doesn't crash.</p>");
+</script>
+</html>
index 8feda23..7ea0222 100644 (file)
@@ -1,3 +1,18 @@
+2015-04-29  Hyungwook Lee  <hyungwook.lee@navercorp.com>
+
+        Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
+        https://bugs.webkit.org/show_bug.cgi?id=140261
+
+        Reviewed by Darin Adler.
+
+        We need to check whether RenderObject is valid in RenderView::fooSubtreeSelection functions
+        because invalid object has caused a crash. This patch adds isValidObjectForNewSelection(), and use it.
+
+        * rendering/RenderView.cpp:
+        (WebCore::isValidObjectForNewSelection):
+        (WebCore::RenderView::clearSubtreeSelection):
+        (WebCore::RenderView::applySubtreeSelection):
+
 2015-04-29  Youenn Fablet  <youenn.fablet@crf.canon.fr>
 
         Synchronous XMLHttpRequest should get access to AppCache resources stored as flat files
index 7a60177..aabd4c7 100644 (file)
@@ -943,6 +943,11 @@ void RenderView::updateSelectionForSubtrees(RenderSubtreesMap& renderSubtreesMap
     }
 }
 
+static inline bool isValidObjectForNewSelection(const SelectionSubtreeRoot& root, const RenderObject& object)
+{
+    return (object.canBeSelectionLeaf() || &object == root.selectionData().selectionStart() || &object == root.selectionData().selectionEnd()) && object.selectionState() != RenderObject::SelectionNone && object.containingBlock();
+}
+
 void RenderView::clearSubtreeSelection(const SelectionSubtreeRoot& root, SelectionRepaintMode blockRepaintMode, OldSelectionData& oldSelectionData) const
 {
     // Record the old selected objects.  These will be used later
@@ -958,8 +963,7 @@ void RenderView::clearSubtreeSelection(const SelectionSubtreeRoot& root, Selecti
     RenderObject* stop = rendererAfterPosition(root.selectionData().selectionEnd(), root.selectionData().selectionEndPos());
     SelectionIterator selectionIterator(os);
     while (os && os != stop) {
-        if ((os->canBeSelectionLeaf() || os == root.selectionData().selectionStart() || os == root.selectionData().selectionEnd())
-            && os->selectionState() != SelectionNone) {
+        if (isValidObjectForNewSelection(root, *os)) {
             // Blocks are responsible for painting line gaps and margin gaps.  They must be examined as well.
             oldSelectionData.selectedObjects.set(os, std::make_unique<RenderSelectionInfo>(*os, true));
             if (blockRepaintMode == RepaintNewXOROld) {
@@ -1013,7 +1017,7 @@ void RenderView::applySubtreeSelection(const SelectionSubtreeRoot& root, Selecti
     o = root.selectionData().selectionStart();
     selectionIterator = SelectionIterator(o);
     while (o && o != stop) {
-        if ((o->canBeSelectionLeaf() || o == root.selectionData().selectionStart() || o == root.selectionData().selectionEnd()) && o->selectionState() != SelectionNone) {
+        if (isValidObjectForNewSelection(root, *o)) {
             std::unique_ptr<RenderSelectionInfo> selectionInfo = std::make_unique<RenderSelectionInfo>(*o, true);
 
 #if ENABLE(SERVICE_CONTROLS)
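Review bot: Of the three conjuncts in isValidObjectForNewSelection (first hunk of RenderView.cpp), only `object.containingBlock()` is new relative to the removed conditions, yet nothing in the helper records that this null check is what addresses the setBlock() crash named in the title, so a later "simplification" could drop it without noticing. Suggest a comment above the function such as `// A renderer without a containing block must be skipped here; see https://bugs.webkit.org/show_bug.cgi?id=140261.`, worded to match what the bug's stack actually shows. The helper is also used in clearSubtreeSelection (second hunk) to filter the old selection, so the "ForNewSelection" suffix reads slightly off at that call site; a name like isValidObjectForSelection would fit both callers. Splitting the single-line return across the three conditions would make the leaf/endpoint, state and containing-block checks visible at a glance.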