Null dereference loading Blink layout test editing/execCommand/format-block-uneditabl...

https://bugs.webkit.org/show_bug.cgi?id=150207
<rdar://problem/23137066>

Patch by Jiewen Tan <jiewen_tan@apple.com> on 2015-10-27
Reviewed by Enrica Casucci.

Source/WebCore:

This is a merge of Blink r200238:
https://codereview.chromium.org/1280263002

Test: editing/execCommand/format-block-uneditable-crash.html

* editing/ApplyBlockElementCommand.cpp:
(WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded):
splitTextNode() will return early if the given text node is not editable. Hence, check
its editablity before calling the method.

LayoutTests:

* editing/execCommand/format-block-uneditable-crash-expected.txt: Added.
* editing/execCommand/format-block-uneditable-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191647 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 38d3ce7..48fcc41 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2015-10-27  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Null dereference loading Blink layout test editing/execCommand/format-block-uneditable-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=150207
+        <rdar://problem/23137066>
+
+        Reviewed by Enrica Casucci.
+
+        * editing/execCommand/format-block-uneditable-crash-expected.txt: Added.
+        * editing/execCommand/format-block-uneditable-crash.html: Added.
+
 2015-10-27  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         Unreviewed, fix a failing iOS WK2 test.

diff --git a/LayoutTests/editing/execCommand/format-block-uneditable-crash-expected.txt b/LayoutTests/editing/execCommand/format-block-uneditable-crash-expected.txt
new file mode 100644 (file)
index 0000000..ec9a3e8
--- /dev/null
+++ b/LayoutTests/editing/execCommand/format-block-uneditable-crash-expected.txt
@@ -0,0 +1,9 @@
+EDITING DELEGATE: shouldBeginEditingInDOMRange:range from 0 of PRE > BODY > HTML > #document to 3 of PRE > BODY > HTML > #document
+EDITING DELEGATE: webViewDidBeginEditing:WebViewDidBeginEditingNotification
+EDITING DELEGATE: webViewDidChangeSelection:WebViewDidChangeSelectionNotification
+EDITING DELEGATE: webViewDidChangeSelection:WebViewDidChangeSelectionNotification
+EDITING DELEGATE: shouldChangeSelectedDOMRange:range from 1 of PRE > BODY > HTML > #document to 2 of PRE > BODY > HTML > #document toDOMRange:range from 0 of #text > H1 > PRE > BODY > HTML > #document to 3 of #text > H1 > PRE > BODY > HTML > #document affinity:NSSelectionAffinityDownstream stillSelecting:FALSE
+EDITING DELEGATE: webViewDidChangeSelection:WebViewDidChangeSelectionNotification
+EDITING DELEGATE: webViewDidChange:WebViewDidChangeNotification
+EDITING DELEGATE: webViewDidEndEditing:WebViewDidEndEditingNotification
+PASS. WebKit didn't crash.

diff --git a/LayoutTests/editing/execCommand/format-block-uneditable-crash.html b/LayoutTests/editing/execCommand/format-block-uneditable-crash.html
new file mode 100644 (file)
index 0000000..7d516f5
--- /dev/null
+++ b/LayoutTests/editing/execCommand/format-block-uneditable-crash.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src="../editing.js"></script>
+
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+    
+function editingTest() {
+    var container = document.getElementById('sample');
+    var range = document.createRange()
+    range.setEndAfter(container.lastChild);
+    window.getSelection().addRange(range);
+    document.execCommand('formatblock', false, '<h1>');
+    document.write("PASS. WebKit didn't crash.");
+};
+</script>
+</head>
+<body onload=runEditingTest()>
+<pre id="sample" contenteditable="true">
+foo
+<div contenteditable="false">bar
+</div>
+
+</pre>
+</body>
+</html>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 0b63785..73e84a9 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,21 @@
+2015-10-27  Jiewen Tan  <jiewen_tan@apple.com>
+
+        Null dereference loading Blink layout test editing/execCommand/format-block-uneditable-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=150207
+        <rdar://problem/23137066>
+
+        Reviewed by Enrica Casucci.
+
+        This is a merge of Blink r200238:
+        https://codereview.chromium.org/1280263002
+
+        Test: editing/execCommand/format-block-uneditable-crash.html
+
+        * editing/ApplyBlockElementCommand.cpp:
+        (WebCore::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded):
+        splitTextNode() will return early if the given text node is not editable. Hence, check
+        its editablity before calling the method.
+
 2015-10-27  Brady Eidson  <beidson@apple.com>
 
         Modern IDB: IDBTransaction.objectStore() support.

diff --git a/Source/WebCore/editing/ApplyBlockElementCommand.cpp b/Source/WebCore/editing/ApplyBlockElementCommand.cpp
index 21abe71..d2900b1 100644 (file)
--- a/Source/WebCore/editing/ApplyBlockElementCommand.cpp
+++ b/Source/WebCore/editing/ApplyBlockElementCommand.cpp
@@ -233,8 +233,8 @@ void ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded(const
                 m_endOfLastParagraph = end;
         }
 
-        // If end is in the middle of a text node, split.
-        if (!endStyle->collapseWhiteSpace() && end.offsetInContainerNode() && end.offsetInContainerNode() < end.containerNode()->maxCharacterOffset()) {
+        // If end is in the middle of a text node and the text node is editable, split.
+        if (endStyle->userModify() != READ_ONLY && !endStyle->collapseWhiteSpace() && end.offsetInContainerNode() && end.offsetInContainerNode() < end.containerNode()->maxCharacterOffset()) {
             RefPtr<Text> endContainer = end.containerText();
             splitTextNode(endContainer, end.offsetInContainerNode());
             if (isStartAndEndOnSameNode)