haikuwebkit/LayoutTests/editing/inserting
Wenson Hsieh 42b5e59341 [macOS] Web process crashes when detaching Document with uncommitted marked text
https://bugs.webkit.org/show_bug.cgi?id=228841
rdar://79960890

Reviewed by Ryosuke Niwa.

Source/WebCore:

In the case where the document is in the process of being detached (underneath `willBeRemovedFromFrame()`), if
there is currently uncommitted marked text in the document, we will attempt to cancel the IME composition in the
process of clearing out the selection. On macOS, this calls into `Editor::cancelComposition()` which
subsequently triggers layout under various call stacks (DOM mutations, text event dispatch, and when scrolling
to reveal the selection); this triggers a security release assertion inside `Document::updateLayout()`.

To mitigate this, we avoid calling into this codepath if the Document no longer has a living render tree (i.e.,
the render tree has either been destroyed, is being destroyed, or has not been created yet).

Test: editing/inserting/remove-frame-with-marked-text.html

* editing/mac/EditorMac.mm:
(WebCore::Editor::selectionWillChange):

Source/WebKit:

Deploy a similar fix on iOS, to avoid any attempts to compute editor state due to discarding uncommitted marked
text during Document teardown. This is required in order to avoid the same security assertion when running the
new layout test on iOS.

* WebProcess/WebPage/WebPage.cpp:
(WebKit::WebPage::sendEditorStateUpdate):

Tools:

Make a small adjustment to DumpRenderTree, such that TextInputController targets the selected frame (or the main
frame, if there is no DOM selection). This behavior matches that of WebKitTestRunner, and allows layout tests
that use TextInputController to simulate setting marked text inside subframes.

* DumpRenderTree/mac/TextInputControllerMac.m:
(-[TextInputController selectedOrMainFrame]):
(-[TextInputController textInput]):

LayoutTests:

Add a layout test to exercise the crash.

* editing/inserting/remove-frame-with-marked-text-expected.txt: Added.
* editing/inserting/remove-frame-with-marked-text.html: Added.


Canonical link: https://commits.webkit.org/240347@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280762 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2021-08-07 22:47:09 +00:00
12882.html
4278698.html
4840662.html
4875189-1.html
4875189-2.html
4959067.html
4960120-1.html
4960120-2.html
5002441.html
5058163-1.html
5058163-2.html
5156401-2.html
5378847-expected.txt
5378847.html
5418891.html
5510537.html
5549929-1-expected.txt
5549929-1.html
5549929-2.html
5549929-3.html
5607069-1-expected.txt
5607069-1.html
5607069-2-expected.txt
5607069-2.html
5607069-3-expected.txt
5607069-3.html
5685601-1-expected.txt
5685601-1.html
5685601-2-expected.txt
5685601-2.html
5685601-3-expected.txt
5685601-3.html
5803706-1-expected.txt
5803706-1.html
5803706-2-expected.txt
5803706-2.html
5994480-2-expected.txt
5994480-2.html
5994480-expected.txt
5994480.html
6104369-2-expected.txt
6104369-2.html
6104369-expected.txt
6104369.html
6609479-1-expected.txt
6609479-1.html
6609479-expected.txt
6609479.html
6703873-2-expected.txt
6703873-2.html
6703873.html
before-after-input-element.html
break-blockquote-after-delete.html
caret-position-expected.txt Remove trailing spaces from expected.txt files (excluding WPT for now since that contains too many) 2020-09-27 02:15:19 +00:00
caret-position.html
caret-surround-expected.txt Relax assertion in Element::dispatchFocusOutEvent() for non-web process case 2021-01-11 22:57:05 +00:00
caret-surround.html Relax assertion in Element::dispatchFocusOutEvent() for non-web process case 2021-01-11 22:57:05 +00:00
crash-make-boundary-point-expected.txt Null pointer access crash in WebCore::makeBoundaryPoint(..) 2021-03-31 23:38:30 +00:00
crash-make-boundary-point.html Null pointer access crash in WebCore::makeBoundaryPoint(..) 2021-03-31 23:38:30 +00:00
delete-insignificant-text-crash-expected.txt
delete-insignificant-text-crash.html
edit-style-and-insert-image-expected.txt Nullptr crash in Crash in WebCore::positionInParentBeforeNode(..) where a NULL check is missing. 2021-03-31 01:35:55 +00:00
edit-style-and-insert-image.html Nullptr crash in Crash in WebCore::positionInParentBeforeNode(..) where a NULL check is missing. 2021-03-31 01:35:55 +00:00
editable-html-element.html
editable-inline-element.html
edited-whitespace-1.html
editing-empty-divs.html
font-size-clears-from-typing-style-expected.txt
font-size-clears-from-typing-style.html
indent-split-text-not-having-previous-sibling-crash-expected.txt Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded 2021-03-10 07:03:36 +00:00
indent-split-text-not-having-previous-sibling-crash.html Nullptr crash in Node::isTextNode() via ApplyBlockElementCommand::endOfNextParagraphSplittingTextNodesIfNeeded 2021-03-10 07:03:36 +00:00
insert-3654864-fix-expected.txt
insert-3654864-fix.html
insert-3659587-fix-expected.txt
insert-3659587-fix.html
insert-3775316-fix-expected.txt
insert-3775316-fix.html
insert-3778059-fix.html
insert-3786362-fix-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-3786362-fix.html
insert-3800346-fix-expected.txt
insert-3800346-fix.html
insert-3851164-fix-expected.png
insert-3851164-fix.html
insert-3907422-fix-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-3907422-fix.html
insert-after-delete-001-expected.txt
insert-after-delete-001.html
insert-as-body-sibling-expected.txt
insert-as-body-sibling.html
insert-at-end-01.html
insert-at-end-02.html
insert-before-link-1-expected.txt
insert-before-link-1.html
insert-bg-font-expected.txt Remove trailing spaces from expected.txt files (excluding WPT for now since that contains too many) 2020-09-27 02:15:19 +00:00
insert-bg-font.html
insert-br-001-expected.txt
insert-br-001.html
insert-br-002-expected.txt
insert-br-002.html
insert-br-003-expected.txt
insert-br-003.html
insert-br-004-expected.txt
insert-br-004.html
insert-br-005-expected.txt
insert-br-005.html
insert-br-006-expected.txt
insert-br-006.html
insert-br-007-expected.txt
insert-br-007.html
insert-br-008-expected.txt
insert-br-008.html
insert-br-009.html
insert-br-at-tabspan-001.html
insert-br-at-tabspan-002.html
insert-br-at-tabspan-003.html
insert-br-quoted-001.html
insert-br-quoted-002.html
insert-br-quoted-003.html
insert-br-quoted-004.html
insert-br-quoted-005.html
insert-br-quoted-006.html
insert-br-quoted-007-expected.txt Changes to shared testing JS files should not cause test failures due to console message line numbers changing 2020-04-10 21:10:11 +00:00
insert-br-quoted-007.html
insert-character-in-first-letter-crash-expected.txt
insert-character-in-first-letter-crash.html
insert-composition-whitespace-expected.txt
insert-composition-whitespace.html
insert-display-contents-crash-expected.txt Nullptr dereference in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline 2021-04-08 05:21:10 +00:00
insert-display-contents-crash.html Nullptr dereference in ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline 2021-04-08 05:21:10 +00:00
insert-div-001-expected.txt
insert-div-001.html
insert-div-002-expected.txt
insert-div-002.html
insert-div-003-expected.txt
insert-div-003.html
insert-div-004-expected.txt
insert-div-004.html
insert-div-005-expected.txt
insert-div-005.html
insert-div-006-expected.txt
insert-div-006.html
insert-div-007-expected.txt
insert-div-007.html
insert-div-008-expected.txt
insert-div-008.html
insert-div-009.html
insert-div-010.html
insert-div-011.html
insert-div-012.html
insert-div-013.html
insert-div-014.html
insert-div-015.html
insert-div-016.html
insert-div-017.html
insert-div-018.html
insert-div-019.html
insert-div-020.html
insert-div-021-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-div-021.html
insert-div-022.html
insert-div-023.html
insert-div-024.html
insert-div-025.html
insert-div-026.html
insert-div-027.html
insert-empty-html-expected.txt
insert-empty-html.html
insert-horizontal-rule-in-empty-document-crash-expected.txt
insert-horizontal-rule-in-empty-document-crash.html
insert-horizontal-rule-with-style-crash-expected.txt Crash in ReplaceSelectionCommand::mergeEndIfNeeded() 2021-04-15 22:34:33 +00:00
insert-horizontal-rule-with-style-crash.html Crash in ReplaceSelectionCommand::mergeEndIfNeeded() 2021-04-15 22:34:33 +00:00
insert-html-crash-01-expected.txt
insert-html-crash-01.html
insert-html-crash-expected.txt
insert-html-crash.html
insert-images-in-pre-x-crash-expected.txt
insert-images-in-pre-x-crash.html
insert-img-anchor-uneditable-parent-expected.txt Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent 2020-04-07 06:29:24 +00:00
insert-img-anchor-uneditable-parent.html Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting image in anchor element that has uneditable parent 2020-04-07 06:29:24 +00:00
insert-img-uneditable-canonical-position-crash-expected.txt Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable 2020-05-14 00:45:45 +00:00
insert-img-uneditable-canonical-position-crash.html Nullptr crash in InsertParagraphSeparatorCommand::doApply when the canonical position is uneditable 2020-05-14 00:45:45 +00:00
insert-in-br-expected.txt ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate 2020-04-16 18:42:36 +00:00
insert-in-br.html ASSERTION FAILED: candidate.isCandidate() in WebCore::canonicalizeCandidate 2020-04-16 18:42:36 +00:00
insert-list-during-node-removal-crash-expected.txt
insert-list-during-node-removal-crash.html Selection API: Update more tests that depend on WebKit's legacy non-standard behavior to set up the selection 2020-09-23 15:50:44 +00:00
insert-list-end-of-table-expected.txt Infinite loop in InsertListCommand::doApply() 2020-04-12 03:13:17 +00:00
insert-list-end-of-table.html Infinite loop in InsertListCommand::doApply() 2020-04-15 22:01:51 +00:00
insert-list-in-iframe-in-list-expected.txt Crash from CompositeEditCommand::moveParagraphs() being passed null end 2021-01-15 07:14:48 +00:00
insert-list-in-iframe-in-list.html Null dereference in CompositeEditCommand::splitTreeToNode() due to not checking for top of DOM tree 2020-11-09 23:47:51 +00:00
insert-list-in-table-assert-expected.txt ASSERTION FAILED: selection.isRange() in InsertListCommand::doApply 2020-04-10 20:44:52 +00:00
insert-list-in-table-assert.html Selection API: Update more tests that depend on WebKit's legacy non-standard behavior to set up the selection 2020-09-23 15:50:44 +00:00
insert-list-in-table-cell-01-expected.txt
insert-list-in-table-cell-01.html
insert-list-in-table-cell-02-expected.txt
insert-list-in-table-cell-02.html
insert-list-in-table-cell-03-expected.txt
insert-list-in-table-cell-03.html
insert-list-in-table-cell-04-expected.txt
insert-list-in-table-cell-04.html Selection API: Update more tests that depend on WebKit's legacy non-standard behavior to set up the selection 2020-09-23 15:50:44 +00:00
insert-list-in-table-cell-05-expected.txt
insert-list-in-table-cell-05.html
insert-list-in-table-cell-06-expected.txt
insert-list-in-table-cell-06.html
insert-list-in-table-cell-07-expected.txt Elements in a table are incorrectly selected in JavaScript. 2021-01-20 02:00:03 +00:00
insert-list-in-table-cell-07.html
insert-list-in-table-cell-08-expected.txt
insert-list-in-table-cell-08.html Selection API: Update more tests that depend on WebKit's legacy non-standard behavior to set up the selection 2020-09-23 15:50:44 +00:00
insert-list-then-edit-command-crash-expected.txt Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode 2020-04-28 16:36:38 +00:00
insert-list-then-edit-command-crash.html Nullptr crash in EditCommand::EditCommand via CompositeEditCommand::removeNode 2020-05-01 20:50:18 +00:00
insert-list-user-select-none-crash-expected.txt Nullptr crash in InsertListCommand::doApply with user-select:none elements 2020-05-06 22:55:30 +00:00
insert-list-user-select-none-crash.html Nullptr crash in InsertListCommand::doApply with user-select:none elements 2020-05-06 22:55:30 +00:00
insert-list-with-body-child-crash-expected.txt Release assertion failure in Optional<WebCore::SimpleRange>::operator* via CompositeEditCommand::moveParagraphs 2020-11-18 08:28:02 +00:00
insert-list-with-body-child-crash.html Release assertion failure in Optional<WebCore::SimpleRange>::operator* via CompositeEditCommand::moveParagraphs 2020-11-18 08:28:02 +00:00
insert-ol-uneditable-parent-expected.txt
insert-ol-uneditable-parent.html
insert-paragraph-01.html
insert-paragraph-02.html
insert-paragraph-03.html
insert-paragraph-04.html
insert-paragraph-05.html
insert-paragraph-after-non-editable-node-before-text-expected.txt
insert-paragraph-after-non-editable-node-before-text.html
insert-paragraph-after-tab-span-and-text-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-paragraph-after-tab-span-and-text.html
insert-paragraph-at-end-of-line-expected.txt
insert-paragraph-at-end-of-line.html
insert-paragraph-before-space-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-paragraph-before-space.html
insert-paragraph-between-hr-and-br-assigned-to-slot-crash-expected.txt Nullptr crash in WebCore::RenderObject::RenderObjectBitfields::isLineBreak() where a NULL check is missing. 2021-03-23 06:23:57 +00:00
insert-paragraph-between-hr-and-br-assigned-to-slot-crash.html Nullptr crash in WebCore::RenderObject::RenderObjectBitfields::isLineBreak() where a NULL check is missing. 2021-03-23 06:23:57 +00:00
insert-paragraph-between-text-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-paragraph-between-text.html
insert-paragraph-in-designmode-document-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-paragraph-in-designmode-document.html
insert-paragraph-inside-form-expected.txt
insert-paragraph-inside-form.html
insert-paragraph-selection-outside-contenteditable-expected.txt
insert-paragraph-selection-outside-contenteditable.html
insert-paragraph-separator-at-break-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-paragraph-separator-at-break.html
insert-paragraph-separator-crash-expected.txt
insert-paragraph-separator-crash.html
insert-paragraph-separator-in-blockquote-expected.txt
insert-paragraph-separator-in-blockquote.html
insert-paragraph-separator-tab-span-expected.txt
insert-paragraph-separator-tab-span.html
insert-paragraph-separator-with-html-elements-crash-expected.txt Crash in InsertParagraphSeparatorCommand::doApply 2021-07-26 20:47:30 +00:00
insert-paragraph-separator-with-html-elements-crash.html Crash in InsertParagraphSeparatorCommand::doApply 2021-07-26 20:47:30 +00:00
insert-paragraph-with-font-and-background-color-expected.txt Make dump-as-markup.js dump newlines within text as "\n" 2020-12-04 19:43:08 +00:00
insert-paragraph-with-font-and-background-color.html
insert-paste-bidi-control-expected.txt
insert-paste-bidi-control.html
insert-space-in-empty-doc-expected.txt
insert-space-in-empty-doc.html
insert-tab-001-expected.txt
insert-tab-001.html
insert-tab-002-expected.txt
insert-tab-002.html
insert-tab-003.html
insert-tab-004-expected.txt
insert-tab-004.html
insert-table-in-paragraph-crash-expected.txt
insert-table-in-paragraph-crash.html
insert-text-at-tabspan-001.html
insert-text-at-tabspan-002.html
insert-text-at-tabspan-003.html
insert-text-force-repaint-on-load-crash-expected.txt Do not try to remove an already removed node while deleting selection 2021-05-07 21:54:02 +00:00
insert-text-force-repaint-on-load-crash.html Do not try to remove an already removed node while deleting selection 2021-05-07 21:54:02 +00:00
insert-text-into-empty-frameset-crash-expected.txt
insert-text-into-empty-frameset-crash.html
insert-text-into-font-expected.txt
insert-text-into-font.html
insert-text-into-text-field-expected.txt
insert-text-into-text-field.html
insert-text-merge-node-removed-crash-expected.txt Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. 2020-05-14 00:21:50 +00:00
insert-text-merge-node-removed-crash.html Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected. 2020-05-14 00:21:50 +00:00
insert-text-with-newlines.html
insert-thai-characters-001-expected.txt
insert-thai-characters-001.html
insert-ul-select-all-expected.txt Null dereference in CompositeEditCommand::cloneParagraphUnderNewElement(): needs to check lastNode parent 2021-01-21 23:43:22 +00:00
insert-ul-select-all.html Null dereference in CompositeEditCommand::cloneParagraphUnderNewElement(): needs to check lastNode parent 2021-01-21 23:43:22 +00:00
insert-with-mutation-event-expected.txt
insert-with-mutation-event.html
insert-without-enclosing-block-expected.txt
insert-without-enclosing-block.html
inserting-slash-inside-url-with-smart-link-expected.txt
inserting-slash-inside-url-with-smart-link.html
inserting-trailing-space-and-letter-expected.html
inserting-trailing-space-and-letter.html
inset-html-textarea-without-renderer-expected.txt
inset-html-textarea-without-renderer.html
line-break.html
multiple-lines-selected.html
nested-list-insertion-crash-expected.txt Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands. 2020-05-16 04:09:51 +00:00
nested-list-insertion-crash.html Nullptr crash in WebCore::Node::treeScope() when processing nested list insertion commands. 2020-05-16 04:09:51 +00:00
page-zoom-font-size-expected.txt
page-zoom-font-size.html Selection API: Update more tests that depend on WebKit's legacy non-standard behavior to set up the selection 2020-09-23 15:50:44 +00:00
paragraph-outdent-animationframe-crash-expected.txt Crash from CompositeEditCommand::moveParagraphs() using Position instead of VisiblePosition 2021-01-28 10:58:23 +00:00
paragraph-outdent-animationframe-crash.html Crash from CompositeEditCommand::moveParagraphs() using Position instead of VisiblePosition 2021-01-28 10:58:23 +00:00
paragraph-outdent-crash-expected.txt Crash from CompositeEditCommand::moveParagraphs() being passed null end 2021-01-15 07:14:48 +00:00
paragraph-outdent-crash.html Crash from CompositeEditCommand::moveParagraphs() being passed null end 2021-01-15 07:14:48 +00:00
paragraph-outside-nested-divs-expected.txt
paragraph-outside-nested-divs.html
paragraph-separator-01.html
paragraph-separator-02.html
paragraph-separator-03.html
paragraph-separator-in-table-1.html Remove unneeded whitespace between content and <br> 2020-10-31 12:53:05 +00:00
paragraph-separator-in-table-2.html
redo.html
remove-frame-with-marked-text-expected.txt [macOS] Web process crashes when detaching Document with uncommitted marked text 2021-08-07 22:47:09 +00:00
remove-frame-with-marked-text.html [macOS] Web process crashes when detaching Document with uncommitted marked text 2021-08-07 22:47:09 +00:00
replace-at-visible-boundary-expected.txt
replace-at-visible-boundary.html Selection API: Update more tests that depend on WebKit's legacy non-standard behavior to set up the selection 2020-09-23 15:50:44 +00:00
return-key-before-br-in-span-expected.txt
return-key-before-br-in-span.html
return-key-in-hidden-field-expected.txt
return-key-in-hidden-field.html
return-key-middle-of-span-expected.txt
return-key-middle-of-span.html
return-key-span-start-expected.txt
return-key-span-start.html
return-key-with-selection-001.html
return-key-with-selection-002.html
return-key-with-selection-003.html
return-with-object-element-expected.txt Remove trailing spaces from expected.txt files (excluding WPT for now since that contains too many) 2020-09-27 02:15:19 +00:00
return-with-object-element.html
smart-link-when-caret-is-moved-before-URL-expected.txt
smart-link-when-caret-is-moved-before-URL.html
smart-quote-with-all-configurations-expected.txt
smart-quote-with-all-configurations.html
space-after-removeformat-expected.txt
space-after-removeformat.html
typing-001-expected.txt
typing-001.html
typing-002.html
typing-003-expected.txt
typing-003.html
typing-around-br-001-expected.txt
typing-around-br-001.html
typing-around-image-001-expected.txt
typing-around-image-001.html
typing-at-end-of-line.html
typing-space-to-trigger-smart-link-expected.txt
typing-space-to-trigger-smart-link.html
typing-tab-designmode-expected.txt
typing-tab-designmode-forms-expected.txt
typing-tab-designmode-forms.html
typing-tab-designmode.html