[Webkit-unassigned] [Bug 224518] Editing null pointer dereference while resolving command

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 13 18:26:45 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=224518

--- Comment #3 from Ryosuke Niwa <rniwa at webkit.org> ---
Comment on attachment 425933
  --> https://bugs.webkit.org/attachment.cgi?id=425933
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425933&action=review

> Source/WebCore/editing/DeleteSelectionCommand.cpp:869
> +    RefPtr<Node> node = makeRefPtr(m_endingPosition.containerNode());
> +    RefPtr<Node> rootNode = makeRefPtr(node->rootEditableElement());
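
Review bot: node->rootEditableElement() on the second added line dereferences node before anything has checked it, yet the loop condition at line 871 tests "node &&", which implies m_endingPosition.containerNode() can return null. Add an early return when node is null before computing rootNode, so the guard covers this dereference as well as the loop.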

Use auto?

> Source/WebCore/editing/DeleteSelectionCommand.cpp:871
> +    while (node && (node != rootNode)) {

We don't usually nest parentheses like this.

> Source/WebCore/editing/DeleteSelectionCommand.cpp:877
> -            node = m_endingPosition.anchorNode();
> +            node = makeRefPtr(m_endingPosition.anchorNode());

No need to call makeRefPtr since node is already of type RefPtr<Node>.

> Source/WebCore/editing/DeleteSelectionCommand.cpp:879
> -            node = node->parentNode();
> +            node = makeRefPtr(node->parentNode());

Ditto.

> LayoutTests/editing/execCommand/remove-node-during-command-crash.html:24
> +    document.write('PASS')

Missing semicolon at the end.
Also, can we say that this test passes if WebKit doesn't crash?
