Mercurial > mozreview > gecko / changeset / c9510c15f71cfdce94684d421b312b66052831f9
summary | shortlog | changelog | pushlog | graph | tags | bookmarks | branches | files | changeset | raw | zip | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Bug 1423776 - Return error when splitted node might be orphan. r?masayuki draft
authorMakoto Kato <m_kato@ga2.so-net.ne.jp>
Mon, 04 Jun 2018 16:31:38 +0900
changeset 803452 c9510c15f71cfdce94684d421b312b66052831f9
parent 803410 0ee6b755ab2ee6d2ab79b17cc97bd4e83424cbfc
push id112105
push userbmo:m_kato@ga2.so-net.ne.jp
push dateMon, 04 Jun 2018 07:39:36 +0000
reviewersmasayuki
bugs1423776
milestone62.0a1
Bug 1423776 - Return error when splitted node might be orphan. r?masayuki This crash occurs when start container of range for range updater is nullptr in GetNodesForOperation. Splitted node by SplitNodeDeepWithTransaction can return orphan node, so we should return error when splitted node is orphan node. MozReview-Commit-ID: 3ySdzc9FAzL
editor/libeditor/HTMLEditRules.cpp file | annotate | diff | comparison | revisions
editor/libeditor/crashtests/1423776.html file | annotate | diff | comparison | revisions
editor/libeditor/crashtests/crashtests.list file | annotate | diff | comparison | revisions 
--- a/editor/libeditor/HTMLEditRules.cpp
+++ b/editor/libeditor/HTMLEditRules.cpp
@@ -7819,16 +7819,19 @@ HTMLEditRules::BustUpInlinesAtRangeEndpo
                         SplitAtEdges::eDoNotCreateEmptyContainer);
     if (NS_WARN_IF(!CanHandleEditAction())) {
       return NS_ERROR_EDITOR_DESTROYED;
     }
     if (NS_WARN_IF(splitEndInlineResult.Failed())) {
       return splitEndInlineResult.Rv();
     }
     EditorRawDOMPoint splitPointAtEnd(splitEndInlineResult.SplitPoint());
+    if (NS_WARN_IF(!splitPointAtEnd.IsSet())) {
+      return NS_ERROR_FAILURE;
+    }
     aRangeItem.mEndContainer = splitPointAtEnd.GetContainer();
     aRangeItem.mEndOffset = splitPointAtEnd.Offset();
   }
 
   nsCOMPtr<nsIContent> startInline =
     GetHighestInlineParent(*aRangeItem.mStartContainer);
 
   if (startInline) {
@@ -7843,16 +7846,19 @@ HTMLEditRules::BustUpInlinesAtRangeEndpo
     }
     if (NS_WARN_IF(splitStartInlineResult.Failed())) {
       return splitStartInlineResult.Rv();
     }
     // XXX If we split only here because of collapsed range, we're modifying
     //     only start point of aRangeItem.  Shouldn't we modify end point here
     //     if it's collapsed?
     EditorRawDOMPoint splitPointAtStart(splitStartInlineResult.SplitPoint());
+    if (NS_WARN_IF(!splitPointAtStart.IsSet())) {
+      return NS_ERROR_FAILURE;
+    }
     aRangeItem.mStartContainer = splitPointAtStart.GetContainer();
     aRangeItem.mStartOffset = splitPointAtStart.Offset();
   }
 
   return NS_OK;
 }
 
 nsresult
new file mode 100644
--- /dev/null
+++ b/editor/libeditor/crashtests/1423776.html
@@ -0,0 +1,15 @@
+<script>
+function go() {
+  svgvar00002.addEventListener("DOMNodeInserted", () => {
+    svg.appendChild(svgvar00008);
+    document.execCommand("insertOrderedList", false);
+  });
+  svgvar00002.insertAdjacentHTML("afterBegin", table.outerHTML);
+}
+</script>
+<body onload=go()>
+<table id="table"></table>
+<b contenteditable="true">
+<svg id="svg">
+<feConvolveMatrix id="svgvar00002"/>
+<feConvolveMatrix id="svgvar00008"/>
--- a/editor/libeditor/crashtests/crashtests.list
+++ b/editor/libeditor/crashtests/crashtests.list
@@ -92,13 +92,14 @@ needs-focus load 1402196.html
 load 1402469.html
 load 1402526.html
 load 1402904.html
 load 1405747.html
 load 1408170.html
 load 1414581.html
 load 1415231.html
 load 1423767.html
+needs-focus load 1423776.html
 needs-focus load 1424450.html
 load 1425091.html
 load 1443664.html
 skip-if(Android) needs-focus load 1444630.html
 load 1446451.html
gecko
Deployed from af051c2a8da7 at 2024-04-29T16:08:02Z.