Nullptr crash in DeleteSelectionCommand::doApply() when merge node is disconnected.
https://bugs.webkit.org/show_bug.cgi?id=211793
<rdar://problem/62993645>
Reviewed by Geoffrey Garen.
Source/WebCore:
Check for disconnected merge destination and endingSelection() after mergeParagraph is
called and bail out to avoid using corrupted positions for node insertion.
Test: editing/inserting/insert-text-merge-node-removed-crash.html
* editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::moveParagraphs):
* editing/DeleteSelectionCommand.cpp:
(WebCore::DeleteSelectionCommand::mergeParagraphs):
LayoutTests:
Added a regression test for the crash.
* editing/inserting/insert-text-merge-node-removed-crash-expected.txt: Added.
* editing/inserting/insert-text-merge-node-removed-crash.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@261664 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/editing/DeleteSelectionCommand.cpp b/Source/WebCore/editing/DeleteSelectionCommand.cpp
index e20a8d8..b4ae8be 100644
--- a/Source/WebCore/editing/DeleteSelectionCommand.cpp
+++ b/Source/WebCore/editing/DeleteSelectionCommand.cpp
@@ -754,7 +754,10 @@
moveParagraph(startOfParagraphToMove, endOfParagraphToMove, mergeDestination, false, !paragraphToMergeIsEmpty);
m_needPlaceholder = needPlaceholder;
// The endingPosition was likely clobbered by the move, so recompute it (moveParagraph selects the moved paragraph).
- m_endingPosition = endingSelection().start();
+
+ // FIXME (Bug 211793): endingSelection() becomes disconnected in moveParagraph
+ if (endingSelection().start().anchorNode()->isConnected())
+ m_endingPosition = endingSelection().start();
}
void DeleteSelectionCommand::removePreviouslySelectedEmptyTableRows()
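Review bot: The added condition endingSelection().start().anchorNode()->isConnected() dereferences the result of anchorNode() without a null check, so if moveParagraph leaves the ending selection with no anchor node rather than a disconnected one, this line is itself a null dereference. Test the pointer first, for example: auto* anchor = endingSelection().start().anchorNode(); if (anchor && anchor->isConnected()). Separately, when the check fails m_endingPosition keeps its pre-move value, which the comment just above says was likely clobbered by the move; the commit message speaks of bailing out, so either clear m_endingPosition on that path or have the FIXME say what later code may assume about it.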