<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[288252] releases/WebKitGTK/webkit-2.34</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/288252">288252</a></dd>
<dt>Author</dt> <dd>aperez@igalia.com</dd>
<dt>Date</dt> <dd>2022-01-19 16:22:17 -0800 (Wed, 19 Jan 2022)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/284792">r284792</a> - Source/WebCore:
ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style
https://bugs.webkit.org/show_bug.cgi?id=232133

Patch by Gabriel Nava Marino <gnavamarino@apple.com> on 2021-10-25
Reviewed by Wenson Hsieh.

If the last styled node was not parent node of a current text node, but we
wish to style the text node, we will add a style span to surround the text node.
However, this requires the parent to have an editable style, or
we will not properly insert the span in the right location, which
later leads to a traversal into an invalid node. This change
makes it so we return early if the parent node does not have an
editable style, but modifying the existing
CompositeEditCommand::insertNodeBefore to return a boolean in the
early return case.

Test: fast/editing/apply-relative-font-style-change-crash-003.html

* editing/ApplyStyleCommand.cpp:
(WebCore::ApplyStyleCommand::surroundNodeRangeWithElement):
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::insertNodeBefore):
* editing/CompositeEditCommand.h:

LayoutTests:
ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style
https://bugs.webkit.org/show_bug.cgi?id=232133

Patch by Gabriel Nava Marino <gnavamarino@apple.com> on 2021-10-25
Reviewed by Wenson Hsieh.

* fast/editing/apply-relative-font-style-change-crash-003-expected.txt: Added.
* fast/editing/apply-relative-font-style-change-crash-003.html: Added.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit234LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit234SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit234SourceWebCoreeditingApplyStyleCommandcpp">releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ApplyStyleCommand.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit234SourceWebCoreeditingCompositeEditCommandcpp">releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit234SourceWebCoreeditingCompositeEditCommandh">releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit234LayoutTestsfasteditingapplyrelativefontstylechangecrash003expectedtxt">releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit234LayoutTestsfasteditingapplyrelativefontstylechangecrash003html">releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit234LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog (288251 => 288252)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog     2022-01-20 00:22:09 UTC (rev 288251)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/ChangeLog        2022-01-20 00:22:17 UTC (rev 288252)
</span><span class="lines">@@ -1,3 +1,13 @@
</span><ins>+2021-10-25  Gabriel Nava Marino  <gnavamarino@apple.com>
+
+        ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style 
+        https://bugs.webkit.org/show_bug.cgi?id=232133
+
+        Reviewed by Wenson Hsieh.
+
+        * fast/editing/apply-relative-font-style-change-crash-003-expected.txt: Added.
+        * fast/editing/apply-relative-font-style-change-crash-003.html: Added.
+
</ins><span class="cx"> 2021-10-23  Rob Buis  <rbuis@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         Null check in traverseNodesForSerialization
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit234LayoutTestsfasteditingapplyrelativefontstylechangecrash003expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003-expected.txt (0 => 288252)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003-expected.txt                          (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003-expected.txt     2022-01-20 00:22:17 UTC (rev 288252)
</span><span class="lines">@@ -0,0 +1 @@
</span><ins>+PASS
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit234LayoutTestsfasteditingapplyrelativefontstylechangecrash003html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003.html (0 => 288252)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003.html                          (rev 0)
+++ releases/WebKitGTK/webkit-2.34/LayoutTests/fast/editing/apply-relative-font-style-change-crash-003.html     2022-01-20 00:22:17 UTC (rev 288252)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+<head>
+  <style></style>
+  <script>
+    onload = () => {
+      document.styleSheets[0].insertRule(`:last-child { content: url(); }`);
+      document.styleSheets[0].insertRule(`:last-of-type { all: initial; }`);
+      document.documentElement.prepend(document.createElement('input'));
+      document.head.appendChild(document.createElement('div'));
+      document.designMode = 'on';
+      document.execCommand('SelectAll');
+      document.execCommand('FontSizeDelta', false, '1');
+      document.write("PASS");
+      if (window.testRunner)
+          testRunner.dumpAsText();
+    };
+  </script>
+</head>
</ins></span></pre></div>
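Review bot: The test writes PASS unconditionally after the FontSizeDelta command, so it only proves that no crash or assertion occurred; it would still pass if a style span were inserted under a parent that is not editable. Consider checking the resulting tree before the document.write call, and calling testRunner.dumpAsText() at the top of the onload handler so text mode is set before the editing commands run.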
<a id="releasesWebKitGTKwebkit234SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog (288251 => 288252)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog  2022-01-20 00:22:09 UTC (rev 288251)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/ChangeLog     2022-01-20 00:22:17 UTC (rev 288252)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2021-10-25  Gabriel Nava Marino  <gnavamarino@apple.com>
+
+        ASSERT(node) triggered after surroundNodeRangeWithElement for node without editable style
+        https://bugs.webkit.org/show_bug.cgi?id=232133
+
+        Reviewed by Wenson Hsieh.
+        
+        If the last styled node was not parent node of a current text node, but we 
+        wish to style the text node, we will add a style span to surround the text node.
+        However, this requires the parent to have an editable style, or
+        we will not properly insert the span in the right location, which
+        later leads to a traversal into an invalid node. This change
+        makes it so we return early if the parent node does not have an
+        editable style, but modifying the existing
+        CompositeEditCommand::insertNodeBefore to return a boolean in the
+        early return case.
+
+        Test: fast/editing/apply-relative-font-style-change-crash-003.html
+
+        * editing/ApplyStyleCommand.cpp:
+        (WebCore::ApplyStyleCommand::surroundNodeRangeWithElement):
+        * editing/CompositeEditCommand.cpp:
+        (WebCore::CompositeEditCommand::insertNodeBefore):
+        * editing/CompositeEditCommand.h:
+
</ins><span class="cx"> 2021-10-23  Rob Buis  <rbuis@igalia.com>
</span><span class="cx"> 
</span><span class="cx">         Null check in traverseNodesForSerialization
</span></span></pre></div>
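Review bot: In the description, "but modifying the existing CompositeEditCommand::insertNodeBefore" reads like a typo for "by modifying", which changes how the sentence is understood. The blank line after "Reviewed by" and the line ending in "but we" also carry trailing whitespace that could be dropped.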
<a id="releasesWebKitGTKwebkit234SourceWebCoreeditingApplyStyleCommandcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ApplyStyleCommand.cpp (288251 => 288252)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ApplyStyleCommand.cpp      2022-01-20 00:22:09 UTC (rev 288251)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/ApplyStyleCommand.cpp 2022-01-20 00:22:17 UTC (rev 288252)
</span><span class="lines">@@ -1319,8 +1319,7 @@
</span><span class="cx">     Ref<Node> protectedStartNode = startNode;
</span><span class="cx">     Ref<Element> element = WTFMove(elementToInsert);
</span><span class="cx"> 
</span><del>-    insertNodeBefore(element.copyRef(), startNode);
-    if (!element->isContentRichlyEditable()) {
</del><ins>+    if (!insertNodeBefore(element.copyRef(), startNode) || !element->isContentRichlyEditable()) {
</ins><span class="cx">         removeNode(element);
</span><span class="cx">         return false;
</span><span class="cx">     }
</span></span></pre></div>
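Review bot: When insertNodeBefore() returns false, the combined condition still falls through to removeNode(element), although in that case the element was never inserted. Either give the failed insert its own early "return false" ahead of the isContentRichlyEditable() check, or add a comment stating that removeNode() is safe on a node that has no parent.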
<a id="releasesWebKitGTKwebkit234SourceWebCoreeditingCompositeEditCommandcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.cpp (288251 => 288252)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.cpp   2022-01-20 00:22:09 UTC (rev 288251)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.cpp      2022-01-20 00:22:17 UTC (rev 288252)
</span><span class="lines">@@ -551,12 +551,13 @@
</span><span class="cx">     return false;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-void CompositeEditCommand::insertNodeBefore(Ref<Node>&& insertChild, Node& refChild, ShouldAssumeContentIsAlwaysEditable shouldAssumeContentIsAlwaysEditable)
</del><ins>+bool CompositeEditCommand::insertNodeBefore(Ref<Node>&& insertChild, Node& refChild, ShouldAssumeContentIsAlwaysEditable shouldAssumeContentIsAlwaysEditable)
</ins><span class="cx"> {
</span><span class="cx">     auto parent = makeRefPtr(refChild.parentNode());
</span><span class="cx">     if (!parent || (!parent->hasEditableStyle() && parent->renderer()))
</span><del>-        return;
</del><ins>+        return false;
</ins><span class="cx">     applyCommandToComposite(InsertNodeBeforeCommand::create(WTFMove(insertChild), refChild, shouldAssumeContentIsAlwaysEditable, editingAction()));
</span><ins>+    return true;
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void CompositeEditCommand::insertNodeAfter(Ref<Node>&& insertChild, Node& refChild)
</span></span></pre></div>
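Review bot: The new "return true" after applyCommandToComposite() reports that the command was issued, not that insertChild ended up in the tree. The guard above it only returns false when the parent is missing, or is non-editable and has a renderer, so a non-editable parent without a renderer still yields true. surroundNodeRangeWithElement now treats this result as success, so state in a comment what true guarantees, or tighten the check if a non-editable parent without a renderer should be rejected as well.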
<a id="releasesWebKitGTKwebkit234SourceWebCoreeditingCompositeEditCommandh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.h (288251 => 288252)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.h     2022-01-20 00:22:09 UTC (rev 288251)
+++ releases/WebKitGTK/webkit-2.34/Source/WebCore/editing/CompositeEditCommand.h        2022-01-20 00:22:17 UTC (rev 288252)
</span><span class="lines">@@ -154,7 +154,7 @@
</span><span class="cx">     void insertNodeAfter(Ref<Node>&&, Node& refChild);
</span><span class="cx">     void insertNodeAt(Ref<Node>&&, const Position&);
</span><span class="cx">     void insertNodeAtTabSpanPosition(Ref<Node>&&, const Position&);
</span><del>-    void insertNodeBefore(Ref<Node>&&, Node& refChild, ShouldAssumeContentIsAlwaysEditable = DoNotAssumeContentIsAlwaysEditable);
</del><ins>+    bool insertNodeBefore(Ref<Node>&&, Node& refChild, ShouldAssumeContentIsAlwaysEditable = DoNotAssumeContentIsAlwaysEditable);
</ins><span class="cx">     void insertParagraphSeparatorAtPosition(const Position&, bool useDefaultParagraphElement = false, bool pasteBlockqutoeIntoUnquotedArea = false);
</span><span class="cx">     void insertParagraphSeparator(bool useDefaultParagraphElement = false, bool pasteBlockqutoeIntoUnquotedArea = false);
</span><span class="cx">     void insertLineBreak();
</span></span></pre>
</div>
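Review bot: The declaration of insertNodeBefore() changes from void to bool with no comment saying what a false result means, while insertNodeAfter() and insertNodeAt() next to it stay void. Add a one-line comment on the return value, and consider whether the existing callers that ignore it should check it too.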
</div>

</body>
</html>