WebKit Bugzilla
Attachment 372669 Details for Bug 199126: Nullptr crash in DeleteSelectionCommand::handleGeneralDelete
[patch] Fixes the crash
bug-199126-20190621193136.patch (text/plain), 2.74 KB, created by Ryosuke Niwa on 2019-06-21 19:31:36 PDT
Attachment flags: patch, obsolete
>Index: Source/WebCore/ChangeLog >=================================================================== >--- Source/WebCore/ChangeLog (revision 246705) >+++ Source/WebCore/ChangeLog (working copy) >@@ -1,3 +1,18 @@ >+2019-06-21 Ryosuke Niwa <rniwa@webkit.org> >+ >+ Nullptr crash in DeleteSelectionCommand::handleGeneralDelete >+ https://bugs.webkit.org/show_bug.cgi?id=199126 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Added null checks to handleGeneralDelete as well as mergeParagraphs which runs after handleGeneralDelete to be defensive. >+ >+ Unfortunately no new tests since there is no reproducible test case. >+ >+ * editing/DeleteSelectionCommand.cpp: >+ (WebCore::DeleteSelectionCommand::handleGeneralDelete): >+ (WebCore::DeleteSelectionCommand::mergeParagraphs): >+ > 2019-06-21 Youenn Fablet <youenn@apple.com> > > ResourceLoadNotifier should check whether its frame document loader is null >Index: Source/WebCore/editing/DeleteSelectionCommand.cpp >=================================================================== >--- Source/WebCore/editing/DeleteSelectionCommand.cpp (revision 246705) >+++ Source/WebCore/editing/DeleteSelectionCommand.cpp (working copy) 
>@@ -610,7 +610,9 @@ void DeleteSelectionCommand::handleGener > } > } > >- if (m_downstreamEnd.deprecatedNode() != startNode && !m_upstreamStart.deprecatedNode()->isDescendantOf(m_downstreamEnd.deprecatedNode()) && m_downstreamEnd.anchorNode()->isConnected() && m_downstreamEnd.deprecatedEditingOffset() >= caretMinOffset(*m_downstreamEnd.deprecatedNode())) { >+ if (!m_downstreamEnd.isNull() && !m_downstreamEnd.isOrphan() && m_downstreamEnd.deprecatedNode() != startNode >+ && !m_upstreamStart.deprecatedNode()->isDescendantOf(m_downstreamEnd.deprecatedNode()) >+ && m_downstreamEnd.deprecatedEditingOffset() >= caretMinOffset(*m_downstreamEnd.deprecatedNode())) { > if (m_downstreamEnd.atLastEditingPositionForNode() && !canHaveChildrenForEditing(*m_downstreamEnd.deprecatedNode())) { > // The node itself is fully selected, not just its contents. Delete it. > removeNode(*m_downstreamEnd.deprecatedNode()); >@@ -679,7 +681,7 @@ void DeleteSelectionCommand::mergeParagr > ASSERT(!m_pruneStartBlockIfNecessary); > > // FIXME: Deletion should adjust selection endpoints as it removes nodes so that we never get into this state (4099839). >- if (!m_downstreamEnd.anchorNode()->isConnected() || !m_upstreamStart.anchorNode()->isConnected()) >+ if (m_downstreamEnd.isNull() || m_upstreamStart.isNull() || !m_downstreamEnd.anchorNode()->isConnected() || !m_upstreamStart.anchorNode()->isConnected()) > return; > > // FIXME: The deletion algorithm shouldn't let this happen.
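Review bot: in the ChangeLog hunk, "Added null checks to handleGeneralDelete as well as mergeParagraphs ... to be defensive" does not say which Position was null in the reported crash (m_downstreamEnd, m_upstreamStart, or both), and with no test being added that sentence is the only record a future reader has; name the null endpoint and, if available, the crash signature, and replace the "Reviewed by NOBODY (OOPS!)" placeholder with the actual reviewer before landing.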
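Review bot: in the handleGeneralDelete hunk, `m_upstreamStart.deprecatedNode()->isDescendantOf(m_downstreamEnd.deprecatedNode())` is still dereferenced with no guard, while the new prefix only checks `m_downstreamEnd`; the mergeParagraphs hunk in this same patch treats `m_upstreamStart.isNull()` as a possible state, so either add `!m_upstreamStart.isNull()` to this condition as well or state why the start cannot be null at this point. Separately, the removed `m_downstreamEnd.anchorNode()->isConnected()` term is now carried only by `!m_downstreamEnd.isOrphan()`; confirm that isOrphan() reports true for a non-null anchor node that has been disconnected from the document, otherwise the check became weaker rather than stronger.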
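Review bot: in the mergeParagraphs hunk, the early return on `m_downstreamEnd.isNull() || m_upstreamStart.isNull()` only papers over the state the FIXME on the line above says deletion should never reach, and the ChangeLog adds no test because there is no reproducer; consider pairing the return with a debug-only ASSERT on the null case so the broken endpoint state is caught in debug builds instead of silently skipping the merge. Style: the four-clause condition would read better split across lines the way the handleGeneralDelete hunk does it, e.g. `if (m_downstreamEnd.isNull() || m_upstreamStart.isNull()` followed by `|| !m_downstreamEnd.anchorNode()->isConnected() || !m_upstreamStart.anchorNode()->isConnected())`.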
Flags: wenson_hsieh: review+