[Webkit-unassigned] [Bug 212723] Nullptr crash in DeleteSelectionCommand::doApply() when ending position is disconnected.

Wed Jun 3 16:49:02 PDT 2020

https://bugs.webkit.org/show_bug.cgi?id=212723

--- Comment #1 from Jack <shihchieh_lee at apple.com> ---
This is a similar issue as <rdar://62993645> (https://bugs.webkit.org/show_bug.cgi?id=211793).

After deleting the selected elements, we try to merge the paragraphs and change the ending position to the element that is before the deleted range. However, removeNodeAndPruneAncestors is called which removes ending position from the node tree as well. Later we try to insert a BR at the parent of ending position and the code crashes since ending position is parentless now.

Before removeNodeAndPruneAncestors(), only #text is supposed to be removed, and ending position should be moved to DL.
BODY    0x11743e920 (renderer 0x11743d7f0) 
        DIV     0x11743e9b0 (renderer 0x11743ee10) 
                DL      0x11743ea40 (renderer 0x11743ef40) 
                        #text   0x11743ead0 "\n"
                        DT      0x11743eb30 (renderer 0x11743f070) 
*                               #text   0x11743ebc0 "a"
                #text   0x11743ec20 "\n"
                SCRIPT  0x11743ec80 (renderer 0x0) 
                        #text   0x11743ed50 "\n    onload = function run() {\n        window.getSelection().setPosition(dt);\n        document.execCommand("delete", false);\n    }\n"
                #text   0x11743edb0 "\n"
legacy, offset, offset:0

After removeNodeAndPruneAncestors(), ending position (DL) becomes dangling.
*DL     0x11743ea40 (renderer 0x0) 
        #text   0x11743ead0 "\n"
        DT      0x11743eb30 (renderer 0x0)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20200603/1a8f8bc4/attachment.htm>