Bug 208039

Summary:

Nullptr crash in CompositeEditCommand::splitTreeToNode when inserting list with read-only user-modify

Product:

WebKit

Reporter:

Jack <shihchieh_lee>

Component:

HTML Editing

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, commit-queue, ews-feeder, product-security, rniwa, simon.fraser, webkit-bug-importer, wenson_hsieh, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	none

Description Jack 2020-02-20 17:01:13 PST

Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000011ae42732 WebCore::Node::getFlag(WebCore::Node::NodeFlags) const + 34
1   com.apple.WebCore             	0x000000011e108ff8 WebCore::CompositeEditCommand::splitTreeToNode(WebCore::Node&, WebCore::Node&, bool) + 552
2   com.apple.WebCore             	0x000000011e1ac626 WebCore::InsertListCommand::unlistifyParagraph(WebCore::VisiblePosition const&, WebCore::HTMLElement*, WebCore::Node*) + 1766
3   com.apple.WebCore             	0x000000011e1aba17 WebCore::InsertListCommand::doApplyForSingleParagraph(bool, WebCore::HTMLQualifiedName const&, WebCore::Range*) + 2839
4   com.apple.WebCore             	0x000000011e1aabd9 WebCore::InsertListCommand::doApply() + 2633
5   com.apple.WebCore             	0x000000011e0dd827 WebCore::CompositeEditCommand::apply() + 439
6   com.apple.WebCore             	0x000000011e19401e WebCore::executeInsertOrderedList(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 206
7   com.apple.WebCore             	0x000000011de44dd2 WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 258
8   com.apple.WebCore             	0x000000011b930278 WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&) + 984
9   com.apple.WebCore             	0x000000011b90bbe9 long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunctionExecCommandBody(JSC::ExecState*, WebCore::JSDocument*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
10  ???                           	0x00004e731c00116b 0 + 86256297972075
11  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
12  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
13  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
14  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
15  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
16  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
17  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
18  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
19  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
20  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
21  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
22  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
23  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
24  com.apple.WebCore             	0x000000011e3eaf3f WebCore::HTMLMediaElement::dispatchEvent(WebCore::Event&) + 399
25  com.apple.WebCore             	0x000000011df45144 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) + 372
26  com.apple.WebCore             	0x000000011dfd16bf WebCore::Node::dispatchSubtreeModifiedEvent() + 463
27  com.apple.WebCore             	0x000000011ddbc6af WebCore::ContainerNode::removeChild(WebCore::Node&) + 2191
28  com.apple.WebCore             	0x000000011ddba2f0 WebCore::collectChildrenAndRemoveFromOldParent(WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::DumbPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul>&) + 560
29  com.apple.WebCore             	0x000000011ddb9a2f WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 415
30  com.apple.WebCore             	0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
31  com.apple.WebCore             	0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
32  com.apple.WebCore             	0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
33  com.apple.WebCore             	0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
34  ???                           	0x00004e731c00116b 0 + 86256297972075
35  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
36  com.apple.JavaScriptCore      	0x0000000107cd830b llint_entry + 93096
37  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
38  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
39  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
40  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
41  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
42  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
43  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
44  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
45  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
46  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
47  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
48  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
49  com.apple.WebCore             	0x000000011dfd1cc6 WebCore::Node::dispatchBeforeLoadEvent(WTF::String const&) + 326
50  com.apple.WebCore             	0x000000011e3a1e23 WebCore::HTMLLinkElement::shouldLoadLink() + 291
51  com.apple.WebCore             	0x000000011ea23b24 WebCore::LinkLoader::loadLink(WebCore::LinkRelAttribute const&, WTF::URL const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WTF::String const&, WebCore::Document&) + 756
52  com.apple.WebCore             	0x000000011e3a0ab7 WebCore::HTMLLinkElement::process() + 871
53  com.apple.WebCore             	0x000000011ddb9e9e WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 1550
54  com.apple.WebCore             	0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
55  com.apple.WebCore             	0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
56  com.apple.WebCore             	0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
57  com.apple.WebCore             	0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
58  ???                           	0x00004e731c00116b 0 + 86256297972075
59  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
60  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
61  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
62  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
63  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
64  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
65  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
66  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
67  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
68  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
69  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
70  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
71  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
72  com.apple.WebCore             	0x000000011df45144 WebCore::EventDispatcher::dispatchScopedEvent(WebCore::Node&, WebCore::Event&) + 372
73  com.apple.WebCore             	0x000000011dfd16bf WebCore::Node::dispatchSubtreeModifiedEvent() + 463
74  com.apple.WebCore             	0x000000011ddb9f48 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) + 1720
75  com.apple.WebCore             	0x000000011ddbe625 WebCore::ContainerNode::appendChild(WebCore::Node&) + 261
76  com.apple.WebCore             	0x000000011dfc4756 WebCore::Node::appendChild(WebCore::Node&) + 214
77  com.apple.WebCore             	0x000000011c0e3e47 WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) + 535
78  com.apple.WebCore             	0x000000011c0daaf9 long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) + 329
79  ???                           	0x00004e731c00116b 0 + 86256297972075
80  com.apple.JavaScriptCore      	0x0000000107cd847c llint_entry + 93465
81  com.apple.JavaScriptCore      	0x0000000107cd830b llint_entry + 93096
82  com.apple.JavaScriptCore      	0x0000000107cc15b9 vmEntryToJavaScript + 200
83  com.apple.JavaScriptCore      	0x0000000109236eb5 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1205
84  com.apple.JavaScriptCore      	0x00000001098dbaf9 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 329
85  com.apple.JavaScriptCore      	0x00000001098dbca0 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 304
86  com.apple.JavaScriptCore      	0x00000001098dc133 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 355
87  com.apple.WebCore             	0x000000011d739fcc WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 236
88  com.apple.WebCore             	0x000000011d7929aa WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1994
89  com.apple.WebCore             	0x000000011df5795c WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) + 1036
90  com.apple.WebCore             	0x000000011df52ac8 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 424
91  com.apple.WebCore             	0x000000011df44bac WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 460
92  com.apple.WebCore             	0x000000011df45daa WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 378
93  com.apple.WebCore             	0x000000011df45738 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 776
94  com.apple.WebCore             	0x000000011e3eaf3f WebCore::HTMLMediaElement::dispatchEvent(WebCore::Event&) + 399
95  com.apple.WebCore             	0x000000011df5eb2b WebCore::GenericEventQueue::dispatchOneEvent() + 427
96  com.apple.WebCore             	0x000000011df706b2 std::__1::__bind_return<void (WebCore::GenericEventQueue::*)(), std::__1::tuple<WebCore::GenericEventQueue*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::GenericEventQueue::*)(), std::__1::tuple<WebCore::GenericEventQueue*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebCore::GenericEventQueue::*)(), WebCore::GenericEventQueue*>::operator()<>() + 194
97  com.apple.WebCore             	0x000000011ee98282 WebCore::TaskDispatcher<WebCore::Timer>::dispatchOneTask() + 290
98  com.apple.WebCore             	0x000000011ee97fac WebCore::TaskDispatcher<WebCore::Timer>::sharedTimerFired() + 348
99  com.apple.WebCore             	0x000000011eeed357 WebCore::ThreadTimers::sharedTimerFiredInternal() + 919
100 com.apple.WebCore             	0x000000011ef63aef WebCore::timerFired(__CFRunLoopTimer*, void*) + 191
101 com.apple.CoreFoundation      	0x00007fff339378b5 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
102 com.apple.CoreFoundation      	0x00007fff33937461 __CFRunLoopDoTimer + 864
103 com.apple.CoreFoundation      	0x00007fff33936f9a __CFRunLoopDoTimers + 330
104 com.apple.CoreFoundation      	0x00007fff339185e4 __CFRunLoopRun + 2141
105 com.apple.CoreFoundation      	0x00007fff33917b35 CFRunLoopRunSpecific + 459
106 DumpRenderTree                	0x0000000105ad3712 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 2754 (DumpRenderTree.mm:2083)
107 DumpRenderTree                	0x0000000105ad1a33 dumpRenderTree(int, char const**) + 1123 (DumpRenderTree.mm:1322)
108 DumpRenderTree                	0x0000000105ad42d0 DumpRenderTreeMain(int, char const**) + 128 (DumpRenderTree.mm:1438)
109                  	0x00007fff5ff0c3d5 start + 1

Comment 1 Jack 2020-02-20 17:02:57 PST

In this test case, body contains a list item that is not enclosed by unordered list. Therefore, when JS tries to insert a list, ”fixOrphanedListChild(*listChildNode)” is called to create a HTMLUListElement and append list item to it. However, in CSS the ul is set to “-webkit-user-modify: read-only;”, so append is skipped. This results in li being parentless and the ul childless. Eventually in function splitTreeToNode, we dierectly access the parent of li and cuase nullptr crash.

<style>
dir { -webkit-user-modify: read-write; }
ul { -webkit-user-modify: read-only;}
</style>
<script>
    onload = function fun() {
        window.getSelection().setBaseAndExtent(LI,0,LI,0);
        document.execCommand("insertOrderedList", false);
    }
</script>
<body><dir><li id=LI>

Render tree before fixOrphanedListChild(*listChildNode) is called:
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGL- --  RenderView at (0,0) size 800x600 renderer->(0x617000103080)
B-----L- --    HTML RenderBlock at (0,0) size 800x600 renderer->(0x61200003ed40) node->(0x60c000107800)
B------- --      BODY RenderBody at (8,8) size 784x576 renderer->(0x61200003eec0) node->(0x60c0001087c0)
B------- --*       DIR RenderBlock at (0,0) size 784x18 renderer->(0x61200003f040) node->(0x60c000108880)
B------- --          LI RenderListItem at (40,0) size 744x18 renderer->(0x61200003f1c0) node->(0x60c000108940)
-------- --            RootInlineBox at (0,0) size 14x18 (0x610000051640) renderer->(0x61200003f1c0)
-------- --              InlineBox at (-1,0) size 7x18 (0x607000155960) renderer->(0x61200003f4c0)
I---YG-- --            RenderListMarker at (-1,0) size 7x18 renderer->(0x61200003f4c0)

Render tree after fixOrphanedListChild(*listChildNode) is called:
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGL- -+  RenderView at (0,0) size 800x600 renderer->(0x617000103080) layout->[normal child]
B-----L- -+    HTML RenderBlock at (0,0) size 800x600 renderer->(0x61200003ed40) node->(0x60c000107800) layout->[normal child]
B------- -+      BODY RenderBody at (8,8) size 784x576 renderer->(0x61200003eec0) node->(0x60c0001087c0) layout->[normal child]
B------- -+        DIR RenderBlock at (0,0) size 784x18 renderer->(0x61200003f040) node->(0x60c000108880) layout->[normal child]
B------- -+*         UL RenderBlock at (0,0) size 0x0 renderer->(0x612000081dc0) node->(0x60c0000fed40) layout->[self]

Comment 2 Jack 2020-02-20 17:30:04 PST

<rdar://52011355>

Comment 3 Jack 2020-02-20 17:48:14 PST

Created attachment 391363 [details]
Patch

Comment 4 Ryosuke Niwa 2020-02-20 18:05:32 PST

Comment on attachment 391363 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=391363&action=review

> Source/WebCore/editing/InsertListCommand.cpp:213
> +            // If UL is not editable, listChildNode cannot be appended to a list, so fixOrphanedListChild() returns nullptr.

I don’t think we need this comment since anyone looking at this code can just look the code of fixOrphanedListChild.

> Source/WebCore/editing/InsertListCommand.cpp:214
> +            HTMLElement* listElement = fixOrphanedListChild(*listChildNode);

Please store this in RefPtr

Comment 5 Jack 2020-02-20 18:10:11 PST

Created attachment 391367 [details]
Patch

Comment 6 Jack 2020-02-20 19:45:42 PST

Created attachment 391375 [details]
Patch

Comment 7 Jack 2020-02-21 00:31:06 PST

Created attachment 391386 [details]
Patch

Comment 8 Ryosuke Niwa 2020-02-24 19:00:15 PST

This is not a security bug.

Comment 9 WebKit Commit Bot 2020-02-25 21:18:11 PST

Comment on attachment 391386 [details]
Patch

Clearing flags on attachment: 391386

Committed r257407: <https://trac.webkit.org/changeset/257407>

Comment 10 WebKit Commit Bot 2020-02-25 21:18:13 PST

All reviewed patches have been landed.  Closing bug.