<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[282544] releases/WebKitGTK/webkit-2.32</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/282544">282544</a></dd>
<dt>Author</dt> <dd>aperez@igalia.com</dd>
<dt>Date</dt> <dd>2021-09-16 03:43:41 -0700 (Thu, 16 Sep 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/279284">r279284</a> - Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
https://bugs.webkit.org/show_bug.cgi?id=226821

Reviewed by Ryosuke Niwa.

Source/WebCore:

<a href="http://trac.webkit.org/projects/webkit/changeset/276394">r276394</a> fixed an issue in serialization when traversing the nodes. It added a new condition
to the ASSERT that was checking that it's OK not to have a next pointer when there is a valid
pastEnd in the case of pastEnd being a descendant of the pointer traversing the node tree.

However that descendant check was not including the shadow DOM. This is precisely the case
detected by the test case this patch is adding.

Test: editing/selection/setSelection-shadow-dom-crash.html

* editing/markup.cpp:
(WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):

LayoutTests:

* editing/selection/setSelection-shadow-dom-crash-expected.txt: Added.
* editing/selection/setSelection-shadow-dom-crash.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit232LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit232SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit232SourceWebCoreeditingmarkupcpp">releases/WebKitGTK/webkit-2.32/Source/WebCore/editing/markup.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit232LayoutTestseditingselectionsetSelectionshadowdomcrashexpectedtxt">releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit232LayoutTestseditingselectionsetSelectionshadowdomcrashhtml">releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit232LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog (282543 => 282544)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog     2021-09-16 10:43:34 UTC (rev 282543)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/ChangeLog        2021-09-16 10:43:41 UTC (rev 282544)
</span><span class="lines">@@ -1,3 +1,13 @@
</span><ins>+2021-06-17  Sergio Villar Senin  <svillar@igalia.com>
+
+        Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=226821
+
+        Reviewed by Ryosuke Niwa.
+
+        * editing/selection/setSelection-shadow-dom-crash-expected.txt: Added.
+        * editing/selection/setSelection-shadow-dom-crash.html: Added.
+
</ins><span class="cx"> 2021-05-27  Mikhail R. Gadelha  <mikhail.ramalho@gmail.com>
</span><span class="cx"> 
</span><span class="cx">         Increase NumberToStringBuffer to account for negative number
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit232LayoutTestseditingselectionsetSelectionshadowdomcrashexpectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt (0 => 282544)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt                          (rev 0)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash-expected.txt     2021-09-16 10:43:41 UTC (rev 282544)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+
+This test PASS if it does not crash.
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit232LayoutTestseditingselectionsetSelectionshadowdomcrashhtml"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html (0 => 282544)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html                          (rev 0)
+++ releases/WebKitGTK/webkit-2.32/LayoutTests/editing/selection/setSelection-shadow-dom-crash.html     2021-09-16 10:43:41 UTC (rev 282544)
</span><span class="lines">@@ -0,0 +1,25 @@
</span><ins>+<!DOCTYPE html>
+<body></body>
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+
+const image = document.createElement('img');
+document.body.appendChild(image);
+const selection = window.getSelection();
+const image2 = document.createElement('img');
+const div = document.createElement('div');
+document.body.appendChild(div);
+const shadow = div.attachShadow({
+    mode: "open",
+});
+shadow.appendChild(image2);
+if (window.internals) {
+    internals.setSelectionWithoutValidation(shadow, 0, image, 2);
+    document.execCommand("copy");
+
+    const p = document.createElement('p');
+    p.innerHTML = "This test PASS if it does not crash."
+    document.body.appendChild(p);
+}
+</script>
</ins></span></pre></div>
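Review bot: in the added test's script, the line `p.innerHTML = "This test PASS if it does not crash."` is missing its trailing semicolon, and because the value is plain text, `p.textContent` is the more direct property and avoids parsing the string as markup. The message itself would read better as "This test PASSES if it does not crash."; if it is changed, setSelection-shadow-dom-crash-expected.txt has to be updated in step, since dumpAsText compares the rendered text verbatim.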
<a id="releasesWebKitGTKwebkit232SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog (282543 => 282544)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog  2021-09-16 10:43:34 UTC (rev 282543)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/ChangeLog     2021-09-16 10:43:41 UTC (rev 282544)
</span><span class="lines">@@ -1,3 +1,22 @@
</span><ins>+2021-06-17  Sergio Villar Senin  <svillar@igalia.com>
+
+        Nullptr crash in StyledMarkupAccumulator::traverseNodesForSerialization
+        https://bugs.webkit.org/show_bug.cgi?id=226821
+
+        Reviewed by Ryosuke Niwa.
+
+        r276394 fixed an issue in serialization when transversing the nodes. It added a new condition
+        to the ASSERT that was checking that its OK not to have a next pointer when there is a valid
+        pastEnd in the case of pastEnd being a descendant of the pointer traversing the node tree.
+
+        However that descendant check was not including the shadow DOM. This is precisely the case
+        detected by the test case this patch is adding.
+
+        Test: editing/selection/setSelection-shadow-dom-crash.html
+
+        * editing/markup.cpp:
+        (WebCore::StyledMarkupAccumulator::traverseNodesForSerialization):
+
</ins><span class="cx"> 2021-06-22  Rob Buis  <rbuis@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         Make rendererIsEverNeeded check less strict
</span></span></pre></div>
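Review bot: two typos in the added description: "transversing the nodes" should read "traversing the nodes", and "its OK" should read "it's OK". The same wording is repeated in the commit message, so both copies should be corrected together.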
<a id="releasesWebKitGTKwebkit232SourceWebCoreeditingmarkupcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.32/Source/WebCore/editing/markup.cpp (282543 => 282544)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.32/Source/WebCore/editing/markup.cpp 2021-09-16 10:43:34 UTC (rev 282543)
+++ releases/WebKitGTK/webkit-2.32/Source/WebCore/editing/markup.cpp    2021-09-16 10:43:41 UTC (rev 282544)
</span><span class="lines">@@ -697,7 +697,7 @@
</span><span class="cx">                 }
</span><span class="cx">             }
</span><span class="cx">         }
</span><del>-        ASSERT(next || !pastEnd);
</del><ins>+        ASSERT(next || !pastEnd || n->containsIncludingShadowDOM(pastEnd));
</ins><span class="cx"> 
</span><span class="cx">         if (isBlock(n) && canHaveChildrenForEditing(*n) && next == pastEnd) {
</span><span class="cx">             // Don't write out empty block containers that aren't fully selected.
</span></span></pre>
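Review bot: the removed line `ASSERT(next || !pastEnd);` carries no descendant check at all, yet the ChangeLog entry merged with this commit states that r276394 had already added such a condition and that it merely failed to cover the shadow DOM. Worth confirming whether r276394 is actually present on the webkit-2.32 branch and, if it is not, adjusting the merged description so it matches the code being changed here. Also note that ASSERT is compiled out of release builds, so this hunk only changes what debug builds report; the `next == pastEnd` comparison two lines below is untouched, which is fine if the original report was an assertion failure, but the title "Nullptr crash" leaves open whether a release-build null dereference was also observed, and the ChangeLog should say which it was.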
</div>
</div>

</body>
</html>