<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[215002] releases/WebKitGTK/webkit-2.14</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/215002">215002</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2017-04-06 01:28:13 -0700 (Thu, 06 Apr 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/211201">r211201</a> - Crash under DOMSelection::deleteFromDocument()
https://bugs.webkit.org/show_bug.cgi?id=167232

Reviewed by Chris Dumez.

Source/WebCore:

The crash was caused by DOMSelection's deleteFromDocument() mutating contents inside the user-agent
shadow tree of an input element when the text field is readonly. Fixed the bug by exiting early
whenever the selection is inside a shadow tree since getSelection().getRangeAt(0) always returns
a range outside the input element or any shadow tree for that matter.

New behavior matches that of Gecko. The working draft spec of which I'm the editor states that
deleteFromDocument() must invoke Range's deleteContents() on the associated range, which is
the collapsed range returned by getSelection().getRangeAt(0) in the spec:
https://www.w3.org/TR/2016/WD-selection-api-20160921/#widl-Selection-deleteFromDocument-void
And Range's deleteContents() immediately terminates in step 1 when start and end are identical:
https://dom.spec.whatwg.org/commit-snapshots/6b7621282c2e3b222ac585650e484abf4c0a416b/

Note that Range's DOM mutating methods are not available inside a user-agent shadow tree because
WebKit never returns a Range whose end boundary points are inside the tree to author scripts.
Editing commands (ones executable from document.execCommand) that mutate DOM like this check whether
the content is editable or not. Since VisibleSelection's validate() function makes sure the selection
is either entirely within or outside of a root editable element (editing host in the W3C spec lingo),
editing commands should never mutate a random node inside a user-agent shadow tree.

Test: editing/selection/deleteFromDocument-shadow-tree-crash.html

* page/DOMSelection.cpp:
(WebCore::DOMSelection::deleteFromDocument):

LayoutTests:

Based on a patch by Chris Dumez. Add a regression test and rebaseline a Blink test as WebKit's
new behavior matches that of Gecko instead of Blink.

* editing/selection/deleteFromDocument-shadow-tree-crash-expected.txt: Added.
* editing/selection/deleteFromDocument-shadow-tree-crash.html: Added.
* imported/blink/editing/selection/deleteFromDocument-crash-expected.html:</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsimportedblinkeditingselectiondeleteFromDocumentcrashexpectedhtml">releases/WebKitGTK/webkit-2.14/LayoutTests/imported/blink/editing/selection/deleteFromDocument-crash-expected.html</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorepageDOMSelectioncpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMSelection.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestseditingselectiondeleteFromDocumentshadowtreecrashexpectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestseditingselectiondeleteFromDocumentshadowtreecrashhtml">releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit214LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (215001 => 215002)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog        2017-04-06 08:24:30 UTC (rev 215001)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog        2017-04-06 08:28:13 UTC (rev 215002)
</span><span class="lines">@@ -1,3 +1,17 @@
</span><ins>+2017-01-25  Ryosuke Niwa  &lt;rniwa@webkit.org&gt;
+
+        Crash under DOMSelection::deleteFromDocument()
+        https://bugs.webkit.org/show_bug.cgi?id=167232
+
+        Reviewed by Chris Dumez.
+
+        Based on a patch by Chris Dumez. Add a regression test and rebaseline a Blink test as WebKit's
+        new behavior matches that of Gecko instead of Blink.
+
+        * editing/selection/deleteFromDocument-shadow-tree-crash-expected.txt: Added.
+        * editing/selection/deleteFromDocument-shadow-tree-crash.html: Added.
+        * imported/blink/editing/selection/deleteFromDocument-crash-expected.html:
+
</ins><span class="cx"> 2017-01-06  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Regression(r189230): DOM Callbacks may use wrong global object
</span></span></pre></div>
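<p>Review bot: the last file entry in the new ChangeLog block, <code>* imported/blink/editing/selection/deleteFromDocument-crash-expected.html:</code>, has nothing after the colon; WebKit ChangeLog entries say what was done to each file, so this line should read something like <code>* imported/blink/editing/selection/deleteFromDocument-crash-expected.html: Rebaselined.</code> to match the "rebaseline a Blink test" sentence above it.</p>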
<a id="releasesWebKitGTKwebkit214LayoutTestseditingselectiondeleteFromDocumentshadowtreecrashexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash-expected.txt (0 => 215002)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash-expected.txt                                (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash-expected.txt        2017-04-06 08:28:13 UTC (rev 215002)
</span><span class="lines">@@ -0,0 +1,3 @@
</span><ins>+This test passes if it does not crash.
+
+
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestseditingselectiondeleteFromDocumentshadowtreecrashhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html (0 => 215002)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/editing/selection/deleteFromDocument-shadow-tree-crash.html        2017-04-06 08:28:13 UTC (rev 215002)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.waitUntilDone();
+}
+
+ function runTest() {
+    document.getElementById('input_0').disabled = true;
+    document.getElementById('input_0').setRangeText(&quot;abc&quot;);
+    window.getSelection().extend(document.getElementById('input_0'), 0);
+    window.getSelection().deleteFromDocument();
+
+     if (window.testRunner)
+        testRunner.notifyDone();
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body onload=&quot;runTest()&quot;&gt;
+&lt;p&gt;This test passes if it does not crash.&lt;/p&gt;
+&lt;input id=input_0 type=&quot;search&quot;&gt;
+&lt;/body&gt;
+&lt;/html&gt;
</ins></span></pre></div>
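<p>Review bot: the regression test puts the input into the <em>disabled</em> state (<code>document.getElementById('input_0').disabled = true;</code>), while the ChangeLog describes the crash as occurring "when the text field is readonly"; either add a second case that sets <code>readOnly = true</code> before <code>setRangeText</code>/<code>deleteFromDocument()</code> so the described condition is actually exercised, or align the ChangeLog wording with what the test covers. Two style points in the same hunk: <code>+ function runTest() {</code> and <code>+     if (window.testRunner)</code> are off by one space from the four-space indentation used elsewhere in the file, and <code>&lt;input id=input_0 type="search"&gt;</code> quotes one attribute value but not the other.</p>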
<a id="releasesWebKitGTKwebkit214LayoutTestsimportedblinkeditingselectiondeleteFromDocumentcrashexpectedhtml"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/imported/blink/editing/selection/deleteFromDocument-crash-expected.html (215001 => 215002)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/imported/blink/editing/selection/deleteFromDocument-crash-expected.html        2017-04-06 08:24:30 UTC (rev 215001)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/imported/blink/editing/selection/deleteFromDocument-crash-expected.html        2017-04-06 08:28:13 UTC (rev 215002)
</span><span class="lines">@@ -1,2 +1,10 @@
</span><del>-&lt;textarea autofocus &gt;&lt;/textarea&gt;
</del><ins>+&lt;script&gt;
+onload = function() {
+    document.execCommand('selectAll');
+}
+&lt;/script&gt;
+&lt;textarea autofocus &gt;
+text
+text2
+text3&lt;/textarea&gt;
</ins><span class="cx"> &lt;iframe srcdoc=&quot;foo&quot;&gt;&lt;/iframe&gt;
</span></span></pre></div>
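<p>Review bot: the rebaselined reference runs <code>document.execCommand('selectAll')</code> from <code>onload</code> and only renders the intended state if <code>autofocus</code> has already moved focus into the textarea by the time the load handler fires; if focus is still on the document, selectAll selects the document body instead and the reference will not match the test page. Worth confirming the focus ordering against the test file (not part of this changeset) or calling <code>focus()</code> on the textarea explicitly before the selectAll so the reference does not depend on autofocus timing.</p>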
<a id="releasesWebKitGTKwebkit214SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (215001 => 215002)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2017-04-06 08:24:30 UTC (rev 215001)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2017-04-06 08:28:13 UTC (rev 215002)
</span><span class="lines">@@ -1,3 +1,34 @@
</span><ins>+2017-01-25  Ryosuke Niwa  &lt;rniwa@webkit.org&gt;
+
+        Crash under DOMSelection::deleteFromDocument()
+        https://bugs.webkit.org/show_bug.cgi?id=167232
+
+        Reviewed by Chris Dumez.
+
+        The crash was caused by DOMSelection's deleteFromDocument() mutating contents inside the user-agent
+        shadow tree of an input element when the text field is readonly. Fixed the bug by exiting early
+        whenever the selection is inside a shadow tree since getSelection().getRangeAt(0) always returns
+        a range outside the input element or any shadow tree for that matter.
+
+        New behavior matches that of Gecko. The working draft spec of which I'm the editor states that
+        deleteFromDocument() must invoke Range's deleteContents() on the associated range, which is
+        the collapsed range returned by getSelection().getRangeAt(0) in the spec:
+        https://www.w3.org/TR/2016/WD-selection-api-20160921/#widl-Selection-deleteFromDocument-void
+        And Range's deleteContents() immediately terminates in step 1 when start and end are identical:
+        https://dom.spec.whatwg.org/commit-snapshots/6b7621282c2e3b222ac585650e484abf4c0a416b/
+
+        Note that Range's DOM mutating methods are not available inside an user-agent shadow tree because
+        WebKit never returns a Range whose end boundary points are inside the tree to author scripts.
+        Editing commands (ones executable from document.execCommand) that mutate DOM like this check whether
+        the content is editable or not. Since VisibleSelection's validate() function makes sure the selection
+        is either entirely within or outside of an root editable element (editing host in the W3C spec lingo),
+        editing commands should never mutate a random node inside an user-agent shadow tree.
+
+        Test: editing/selection/deleteFromDocument-shadow-tree-crash.html
+
+        * page/DOMSelection.cpp:
+        (WebCore::DOMSelection::deleteFromDocument):
+
</ins><span class="cx"> 2017-01-17  Joseph Pecoraro  &lt;pecoraro@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Crash when closing tab with debugger paused
</span></span></pre></div>
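<p>Review bot: grammar in the new ChangeLog entry: "inside an user-agent shadow tree" (it appears twice in the last paragraph) should be "inside a user-agent shadow tree", and "outside of an root editable element" should be "outside of a root editable element". Same text, same fixes, in the commit log message.</p>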
<a id="releasesWebKitGTKwebkit214SourceWebCorepageDOMSelectioncpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMSelection.cpp (215001 => 215002)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMSelection.cpp        2017-04-06 08:24:30 UTC (rev 215001)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/page/DOMSelection.cpp        2017-04-06 08:28:13 UTC (rev 215002)
</span><span class="lines">@@ -417,7 +417,7 @@
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     RefPtr&lt;Range&gt; selectedRange = selection.selection().toNormalizedRange();
</span><del>-    if (!selectedRange)
</del><ins>+    if (!selectedRange || selectedRange-&gt;shadowRoot())
</ins><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     Ref&lt;Frame&gt; protector(*m_frame);
</span></span></pre>
</div>
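<p>Review bot: the new early return <code>if (!selectedRange || selectedRange-&gt;shadowRoot())</code> carries none of the reasoning from the ChangeLog, and to a later reader it looks like an arbitrary refusal to touch any shadow tree rather than a fix for the user-agent shadow tree of a form control. A one-line comment above the check stating the invariant being relied on (author scripts are never handed a Range with boundary points inside a shadow tree, so a selection that is inside one is never author-visible and <code>deleteFromDocument()</code> must be a no-op there, the same result <code>Range::deleteContents()</code> gives for the collapsed range the spec hands it) would make the intent and the spec alignment clear at the call site. The bail-out also returns silently; that is the right choice for a crash fix in release builds, but a debug-only assertion on the precondition (that the normalized range for an author-visible selection is never inside a shadow root) would surface any future change to <code>toNormalizedRange()</code> that breaks the invariant instead of quietly swallowing it.</p>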
</div>

</body>
</html>