haikuwebkit/LayoutTests/fast/editing/mutation-with-display-conte...

<style>
  div {
    display: contents;
  }
  b, span {
    border-style: ridge;
    float: right;
  }
  b {
    font-weight: inherit;
  }
</style>
<div>This test passes if it does not crash.</div>
<script>
  if (window.testRunner)
      testRunner.dumpAsText();
  onload = () => {
    document.documentElement.appendChild(document.createElement('b'));
    document.documentElement.appendChild(document.createElement('span'));
    document.execCommand('SelectAll');
    document.execCommand('Copy');
    document.designMode = 'on';
    document.execCommand('Paste');
  };
</script>
Nullptr crash in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline https://bugs.webkit.org/show_bug.cgi?id=221651 Patch by Frederic Wang <fwang@igalia.com> on 2021-02-23 Reviewed by Ryosuke Niwa. Source/WebCore: There are assumptions in the editing code that new containers have an associated renderer, which is not the case if their style is "display: contents". This patch replaces the strict debug ASSERT in CompositeEditCommand::appendBlockPlaceholder with a failure specified by a nullptr return value, similar to other BlockPlaceholder APIs. That way InsertParagraphSeparatorCommand::doApply can exit early when the block placeholder cannot be inserted. This patch also fixes one nullptr dereference in release build happening when executing Editor::replaceSelectionWithFragment. Test: fast/editing/mutation-with-display-contents-container-crash.html * editing/CompositeEditCommand.cpp: (WebCore::CompositeEditCommand::appendBlockPlaceholder): Return null is the container has no associated renderer. * editing/CompositeEditCommand.h: Return a RefPtr, so it is null in case of failure. * editing/InsertParagraphSeparatorCommand.cpp: (WebCore::InsertParagraphSeparatorCommand::doApply): Abort command if the block placeholder cannot be inserted in the container. LayoutTests: * fast/editing/mutation-with-display-contents-container-crash-expected.txt: Added. * fast/editing/mutation-with-display-contents-container-crash.html: Added. * platform/ios/fast/editing/mutation-with-display-contents-container-crash-expected.txt: Added. Canonical link: https://commits.webkit.org/234483@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@273330 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2021-02-23 20:19:23 +00:00			`<style>`
			`div {`
			`display: contents;`
			`}`
			`b, span {`
			`border-style: ridge;`
			`float: right;`
			`}`
			`b {`
			`font-weight: inherit;`
			`}`
			`</style>`
			`<div>This test passes if it does not crash.</div>`
			`<script>`
			`if (window.testRunner)`
			`testRunner.dumpAsText();`
			`onload = () => {`
			`document.documentElement.appendChild(document.createElement('b'));`
			`document.documentElement.appendChild(document.createElement('span'));`
			`document.execCommand('SelectAll');`
			`document.execCommand('Copy');`
			`document.designMode = 'on';`
			`document.execCommand('Paste');`
			`};`
			`</script>`