ShadowRoot with leading or trailing white space cause a crash

https://bugs.webkit.org/show_bug.cgi?id=149782 Reviewed by Chris Dumez. Source/WebCore: Fixed the crash by adding a null pointer check since a TextNode that appears as a direct child of a ShadowRoot doesn't have a parent element. Test: fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html * style/RenderTreePosition.cpp: (WebCore::RenderTreePosition::previousSiblingRenderer): LayoutTests: Added a regression test. * fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt: Added. * fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html: Added. Canonical link: https://commits.webkit.org/167933@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@190585 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 5, 2015 · 4e7d9d7e59f1313a5e73f7fcc75d08b3e86919ce · 4e7d9d7
1 parent 66295cc
commit 4e7d9d7e59f1313a5e73f7fcc75d08b3e86919ce
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 2 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2015-10-02  Ryosuke Niwa  <rniwa@webkit.org>
+
+        ShadowRoot with leading or trailing white space cause a crash
+        https://bugs.webkit.org/show_bug.cgi?id=149782
+
+        Reviewed by Chris Dumez.
+
+        Added a regression test.
+
+        * fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt: Added.
+        * fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html: Added.
+
 2015-10-05  Jiewen Tan  <jiewen_tan@apple.com>
 
         Cleaning up after revision 190339

diff --git a/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt b/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash-expected.txt
@@ -0,0 +1,3 @@
+This tests creating a shadow root with leading and trailing white spaces. WebKit should not crash. You should see PASS below.
+
+PASS
diff --git a/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html b/LayoutTests/fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+<body>
+<p>
+This tests creating a shadow root with leading and trailing white spaces.
+WebKit should not crash. You should see PASS below.
+</p>
+<div id="host">PASS</div>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+var host = document.getElementById('host');
+host.attachShadow({mode: 'closed'}).innerHTML = ' <slot></slot> ';
+</script>
+</body>
+</html>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,18 @@
+2015-10-02  Ryosuke Niwa  <rniwa@webkit.org>
+
+        ShadowRoot with leading or trailing white space cause a crash
+        https://bugs.webkit.org/show_bug.cgi?id=149782
+
+        Reviewed by Chris Dumez.
+
+        Fixed the crash by adding a null pointer check since a TextNode that appears as a direct child
+        of a ShadowRoot doesn't have a parent element.
+
+        Test: fast/shadow-dom/shadow-root-with-child-whitespace-text-crash.html
+
+        * style/RenderTreePosition.cpp:
+        (WebCore::RenderTreePosition::previousSiblingRenderer):
+
 2015-10-05  Beth Dakin  <bdakin@apple.com>
 
         Build fix. 

diff --git a/Source/WebCore/style/RenderTreePosition.cpp b/Source/WebCore/style/RenderTreePosition.cpp
@@ -62,8 +62,10 @@ RenderObject* RenderTreePosition::previousSiblingRenderer(const Text& textNode)
         if (renderer && !RenderTreePosition::isRendererReparented(*renderer))
             return renderer;
     }
-    if (PseudoElement* before = textNode.parentElement()->beforePseudoElement())
-        return before->renderer();
+    if (auto* parent = textNode.parentElement()) {
+        if (auto* before = parent->beforePseudoElement())
+            return before->renderer();
+    }
     return nullptr;
 }