[webkit-changes] [WebKit/WebKit] 792bfb: [Live Range Selection] Crash in DOMSelection::getR...

Ryosuke Niwa noreply at github.com
Mon Dec 19 19:21:28 PST 2022 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 792bfbd9e5cffe4edd6c24a89eaf86a9e5a2eec1
      https://github.com/WebKit/WebKit/commit/792bfbd9e5cffe4edd6c24a89eaf86a9e5a2eec1
  Author: Ryosuke Niwa <rniwa at webkit.org>
  Date:   2022-12-19 (Mon, 19 Dec 2022)

  Changed paths:
    R LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash-live-range-expected.txt
    R LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash-live-range.html
    M LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash.html
    M LayoutTests/editing/selection/delete-selection-with-disconnected-extent.html
    M LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html
    A LayoutTests/fast/forms/shadow-tree-exposure-live-range-expected.txt
    A LayoutTests/fast/forms/shadow-tree-exposure-live-range.html
    M LayoutTests/fast/forms/shadow-tree-exposure.html
    M Source/WebCore/page/DOMSelection.cpp

  Log Message:
  -----------
  [Live Range Selection] Crash in DOMSelection::getRangeAt with fast/forms/shadow-tree-exposure.html
https://bugs.webkit.org/show_bug.cgi?id=249526

Reviewed by Darin Adler.

The crash was caused by DOMSelection::getRangeAt assuming that the live range associated
with the selection is always non-null when FrameSelection::isNone is false. This is not the case
when the selection's end points are not in the document tree.

Fixed the bug by changing the condition in DOMSelection::rangeCount to return 0. Namely we return 0
whenever FrameSelection::associatedLiveRange() returns nullptr.

Updated other layout tests to avoid hitting a JavaScript exception in getSelection().extend(~) by
forcing LiveRangeSelectionEnabled to be disabled.

* LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash-live-range.html:
* LayoutTests/editing/pasteboard/copy-with-shadow-tree-crash.html:
* LayoutTests/editing/selection/delete-selection-with-disconnected-extent.html:
* LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html:
* LayoutTests/fast/forms/shadow-tree-exposure-live-range-expected.txt: Added.
* LayoutTests/fast/forms/shadow-tree-exposure-live-range.html: Added.
* LayoutTests/fast/forms/shadow-tree-exposure.html:
* Source/WebCore/page/DOMSelection.cpp:
(WebCore::DOMSelection::rangeCount const):

Canonical link: https://commits.webkit.org/258118@main

More information about the webkit-changes mailing list