Merge r183538 - Fix crash in WebCore::LogicalSelectionOffsetCaches::C…

…ontainingBlockInfo::setBlock(). https://bugs.webkit.org/show_bug.cgi?id=140261 Patch by Hyungwook Lee <hyungwook.lee@navercorp.com> on 2015-04-29 Reviewed by Darin Adler. Source/WebCore: We need to check whether RenderObject is valid in RenderView::fooSubtreeSelection functions because invalid object has caused a crash. This patch adds isValidObjectForNewSelection(), and use it. * rendering/RenderView.cpp: (WebCore::isValidObjectForNewSelection): (WebCore::RenderView::clearSubtreeSelection): (WebCore::RenderView::applySubtreeSelection): LayoutTests: * editing/execCommand/crash-140261-expected.txt: Added. * editing/execCommand/crash-140261.html: Added.
WebKit · May 12, 2015 · 43cd0f2 · 43cd0f2
1 parent 96fc6f6
commit 43cd0f2
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 3 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2015-04-29  Hyungwook Lee  <hyungwook.lee@navercorp.com>
+
+        Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
+        https://bugs.webkit.org/show_bug.cgi?id=140261
+
+        Reviewed by Darin Adler.
+
+        * editing/execCommand/crash-140261-expected.txt: Added.
+        * editing/execCommand/crash-140261.html: Added.
+
 2015-04-27  Daniel Bates  <dabates@apple.com>
 
         Form control may be associated with the wrong HTML Form element after form id change

diff --git a/LayoutTests/editing/execCommand/crash-140261-expected.txt b/LayoutTests/editing/execCommand/crash-140261-expected.txt
@@ -0,0 +1,4 @@
+
+Test for crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock()
+
+This test passes if it doesn't crash.
diff --git a/LayoutTests/editing/execCommand/crash-140261.html b/LayoutTests/editing/execCommand/crash-140261.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html contenteditable>
+<body>
+    <div></div>
+    <abbr>
+        <label>
+            <textarea></textarea>
+        </label>
+        <embed></embed>
+    </abbr>
+</body>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    document.execCommand("selectall", false, null);
+    document.execCommand("insertorderedlist", false, null);
+    document.write("<p>Test for crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock()</p>");
+    document.write("<p>This test passes if it doesn't crash.</p>");
+</script>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2015-04-29  Hyungwook Lee  <hyungwook.lee@navercorp.com>
+
+        Fix crash in WebCore::LogicalSelectionOffsetCaches::ContainingBlockInfo::setBlock().
+        https://bugs.webkit.org/show_bug.cgi?id=140261
+
+        Reviewed by Darin Adler.
+
+        We need to check whether RenderObject is valid in RenderView::fooSubtreeSelection functions
+        because invalid object has caused a crash. This patch adds isValidObjectForNewSelection(), and use it.
+
+        * rendering/RenderView.cpp:
+        (WebCore::isValidObjectForNewSelection):
+        (WebCore::RenderView::clearSubtreeSelection):
+        (WebCore::RenderView::applySubtreeSelection):
+
 2015-04-27  Daniel Bates  <dabates@apple.com>
 
         Form control may be associated with the wrong HTML Form element after form id change

diff --git a/Source/WebCore/rendering/RenderView.cpp b/Source/WebCore/rendering/RenderView.cpp
@@ -943,6 +943,11 @@ void RenderView::updateSelectionForSubtrees(RenderSubtreesMap& renderSubtreesMap
     }
 }
 
+static inline bool isValidObjectForNewSelection(const SelectionSubtreeRoot& root, const RenderObject& object)
+{
+    return (object.canBeSelectionLeaf() || &object == root.selectionData().selectionStart() || &object == root.selectionData().selectionEnd()) && object.selectionState() != RenderObject::SelectionNone && object.containingBlock();
+}
+
 void RenderView::clearSubtreeSelection(const SelectionSubtreeRoot& root, SelectionRepaintMode blockRepaintMode, OldSelectionData& oldSelectionData) const
 {
     // Record the old selected objects.  These will be used later
@@ -958,8 +963,7 @@ void RenderView::clearSubtreeSelection(const SelectionSubtreeRoot& root, Selecti
     RenderObject* stop = rendererAfterPosition(root.selectionData().selectionEnd(), root.selectionData().selectionEndPos());
     SelectionIterator selectionIterator(os);
     while (os && os != stop) {
-        if ((os->canBeSelectionLeaf() || os == root.selectionData().selectionStart() || os == root.selectionData().selectionEnd())
-            && os->selectionState() != SelectionNone) {
+        if (isValidObjectForNewSelection(root, *os)) {
             // Blocks are responsible for painting line gaps and margin gaps.  They must be examined as well.
             oldSelectionData.selectedObjects.set(os, std::make_unique<RenderSelectionInfo>(*os, true));
             if (blockRepaintMode == RepaintNewXOROld) {
@@ -1013,7 +1017,7 @@ void RenderView::applySubtreeSelection(const SelectionSubtreeRoot& root, Selecti
     o = root.selectionData().selectionStart();
     selectionIterator = SelectionIterator(o);
     while (o && o != stop) {
-        if ((o->canBeSelectionLeaf() || o == root.selectionData().selectionStart() || o == root.selectionData().selectionEnd()) && o->selectionState() != SelectionNone) {
+        if (isValidObjectForNewSelection(root, *o)) {
             std::unique_ptr<RenderSelectionInfo> selectionInfo = std::make_unique<RenderSelectionInfo>(*o, true);
 
 #if ENABLE(SERVICE_CONTROLS)