Null dereference loading Blink layout test editing/execCommand/insert-image-changing...
author    commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 26 Oct 2015 23:05:54 +0000 (23:05 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Mon, 26 Oct 2015 23:05:54 +0000 (23:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=150208
<rdar://problem/23137109>

Patch by Jiewen Tan <jiewen_tan@apple.com> on 2015-10-26
Reviewed by Chris Dumez.

Source/WebCore:

This is a merge from Blink r168502:
https://codereview.chromium.org/183893018

Test: editing/execCommand/insert-image-changing-visibility-crash.html

* editing/ReplaceSelectionCommand.cpp:
(WebCore::ReplaceSelectionCommand::doApply):
We should check the visibility of the inserted position again since
the replacement might change the visibility.

LayoutTests:

* editing/execCommand/insert-image-changing-visibility-crash-expected.txt: Added.
* editing/execCommand/insert-image-changing-visibility-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@191608 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/editing/execCommand/insert-image-changing-visibility-crash-expected.txt [new file with mode: 0644]
LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/editing/ReplaceSelectionCommand.cpp

index 4e60376..ce3d528 100644 (file)
@@ -1,5 +1,16 @@
 2015-10-26  Jiewen Tan  <jiewen_tan@apple.com>
 
+        Null dereference loading Blink layout test editing/execCommand/insert-image-changing-visibility-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=150208
+        <rdar://problem/23137109>
+
+        Reviewed by Chris Dumez.
+
+        * editing/execCommand/insert-image-changing-visibility-crash-expected.txt: Added.
+        * editing/execCommand/insert-image-changing-visibility-crash.html: Added.
+
+2015-10-26  Jiewen Tan  <jiewen_tan@apple.com>
+
         Null dereference loading Blink layout test editing/execCommand/insert-ordered-list-crash.html
         https://bugs.webkit.org/show_bug.cgi?id=150209
         <rdar://problem/23137198>
diff --git a/LayoutTests/editing/execCommand/insert-image-changing-visibility-crash-expected.txt b/LayoutTests/editing/execCommand/insert-image-changing-visibility-crash-expected.txt
new file mode 100644 (file)
index 0000000..4aeda1f
--- /dev/null
@@ -0,0 +1 @@
+Passes if it does not crash.
diff --git a/LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html b/LayoutTests/editing/execCommand/insert-image-changing-visibility-crash.html
new file mode 100644 (file)
index 0000000..48954a2
--- /dev/null
@@ -0,0 +1,34 @@
+<!DOCTYPE html>
+<html>
+<head>
+<style>
+table {
+    visibility: collapse;
+}
+
+*:only-child {
+    visibility: visible;
+}
+</style>
+</head>
+<body contenteditable="true">
+<script>
+window.onload = function () {
+    var table = document.getElementById('table');
+    table.insertAdjacentHTML('afterbegin', '<svg></svg><div><div id=\'div\'>text</div>');
+
+    var div = document.getElementById('div');
+    var selection = window.getSelection();
+    selection.collapse(div.firstChild, 0);
+    document.execCommand('InsertImage', false, 'about:blank');
+
+    document.write("Passes if it does not crash.");
+};
+
+if (window.testRunner)
+    testRunner.dumpAsText();
+</script>
+<table id="table" ></table>
+<div></div>
+</body>
+</html>
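Review bot: the inserted markup in `insertAdjacentHTML('afterbegin', '<svg></svg><div><div id=\'div\'>text</div>')` leaves the outer `<div>` unclosed and relies on parser recovery to build the structure the `table { visibility: collapse; }` / `*:only-child { visibility: visible; }` rules act on; a one-line comment saying the repro depends on that exact tree would keep a future cleanup from "fixing" the markup and silently losing the regression coverage. Minor: `<table id="table" ></table>` has a stray space before `>`, and `document.write(...)` after the load event reopens and replaces the document, which is fine here only because the expected output is that single line.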
index 534525b..2d5374c 100644 (file)
@@ -1,5 +1,23 @@
 2015-10-26  Jiewen Tan  <jiewen_tan@apple.com>
 
+        Null dereference loading Blink layout test editing/execCommand/insert-image-changing-visibility-crash.html
+        https://bugs.webkit.org/show_bug.cgi?id=150208
+        <rdar://problem/23137109>
+
+        Reviewed by Chris Dumez.
+
+        This is a merge from Blink r168502:
+        https://codereview.chromium.org/183893018
+
+        Test: editing/execCommand/insert-image-changing-visibility-crash.html
+
+        * editing/ReplaceSelectionCommand.cpp:
+        (WebCore::ReplaceSelectionCommand::doApply):
+        We should check again the visibility of the inserted position again since
+        the replacement might change the visibility.
+
+2015-10-26  Jiewen Tan  <jiewen_tan@apple.com>
+
         Null dereference loading Blink layout test editing/execCommand/insert-ordered-list-crash.html
         https://bugs.webkit.org/show_bug.cgi?id=150209
         <rdar://problem/23137198>
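Review bot: the explanatory sentence under `(WebCore::ReplaceSelectionCommand::doApply):` repeats "again" ("We should check again the visibility of the inserted position again"); drop one occurrence, and consider naming the concrete failure, that `startOfInsertedContent` can become a null VisiblePosition after the replacement changes visibility, since the ChangeLog is the only place that explains why the new guard exists.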
index 8a57e7f..6f4a8e1 100644 (file)
@@ -1143,7 +1143,7 @@ void ReplaceSelectionCommand::doApply()
 
     // We inserted before the insertionBlock to prevent nesting, and the content before the insertionBlock wasn't in its own block and
     // didn't have a br after it, so the inserted content ended up in the same paragraph.
-    if (insertionBlock && insertionPos.deprecatedNode() == insertionBlock->parentNode() && (unsigned)insertionPos.deprecatedEditingOffset() < insertionBlock->computeNodeIndex() && !isStartOfParagraph(startOfInsertedContent))
+    if (!startOfInsertedContent.isNull() && insertionBlock && insertionPos.deprecatedNode() == insertionBlock->parentNode() && (unsigned)insertionPos.deprecatedEditingOffset() < insertionBlock->computeNodeIndex() && !isStartOfParagraph(startOfInsertedContent))
         insertNodeAt(createBreakElement(document()), startOfInsertedContent.deepEquivalent());
 
     if (endBR && (plainTextFragment || shouldRemoveEndBR(endBR.get(), originalVisPosBeforeEndBR))) {
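Review bot: the new `!startOfInsertedContent.isNull()` guard fixes the null dereference in `isStartOfParagraph(startOfInsertedContent)` and `startOfInsertedContent.deepEquivalent()`, but the comment above the condition still only explains the nesting case; extend it with why the position can be null, for example `// startOfInsertedContent can be null if the inserted content changed the visibility of the surrounding nodes.`, so the guard is not removed as redundant later. The condition is now five clauses on one line; splitting the null check out into its own `if` or a local `bool` would make the intent readable. The guard covers only this use; any later use of `startOfInsertedContent` in `doApply()` after the replacement needs the same check.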