[Webkit-unassigned] [Bug 210354] New: Infinite loop in InsertListCommand::doApply()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Apr 10 13:46:35 PDT 2020 

https://bugs.webkit.org/show_bug.cgi?id=210354

            Bug ID: 210354
           Summary: Infinite loop in InsertListCommand::doApply()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: All
                OS: All
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: HTML Editing
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: shihchieh_lee at apple.com
                CC: wenson_hsieh at apple.com

<rdar://61427778> Infinite loop in InsertListCommand::doApply()

The condition check, !inSameParagraph(), in the while loop is always satisfied.

<script>
    window.onload = () => {
        window.getSelection().setBaseAndExtent(TH,1,SPAN,0);
        document.execCommand("insertUnorderedList", false);
    }
</script>
<body contenteditable="true"><table><select></select><th id=TH>a</th><sapn id=SPAN></span>

1. The code is inserting an UL and going through each paragraph in the selected range.
2. After <select> is putting into a LI element, we try to find the next paragraph by calling startOfNextParagraph(endingSelection().visibleStart()), which indirectly calls nextVisuallyDistinctCandidate.
3. However, because table is now in <body>, function nextVisuallyDistinctCandidate cannot find next candidate and return null position.
4. As a result, the next paragraph becomes empty, and is assinged to variable startOfCurrentParagraph
5. Function inSameParagraph() always returns false with input of empty startOfCurrentParagraph.
6. The empty startOfNextParagraph is assigned to endingSelection.
7. The empty ending selection is again used to find the next paragraph by calling  startOfNextParagraph again as in step #1.
8. startOfNextParagraph returns empty position and assign it to startOfCurrentParagraph and start looping to step #5.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200410/c61e088e/attachment.htm>

More information about the webkit-unassigned mailing list