TextIterator should not be created for documents that have no frame
Issue description

Ideally, we should never get to creating a TextIterator on a document that has no frame, since that really doesn't make sense. However, this still happens in some cases. For example, the spellchecking machinery could still call into the frame that was just removed. We should fix this and change the current assert:

    ASSERT(!start.document()->view() || !start.document()->view()->needsLayout());

to

    ASSERT(start.document()->view() && !start.document()->view()->needsLayout());
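The description contrasts two preconditions: the existing assertion lets a document with no view through, while the proposed one rejects it. The following is an added example, not Blink code, that models both predicates on a constructed `Document`/`FrameView` pair and shows the caller-side guard (here `createPlainTextGuarded`, a stand-in for a path like `createPlainText`) that has to be in place before the stricter assertion can be enabled. All type and function names are assumptions made for the illustration.

```cpp
// Added example (not Blink code). Models the weak vs. strict precondition
// from the issue and a guarded caller. Names are constructed for illustration.
#include <memory>
#include <optional>
#include <string>

struct FrameView {
    bool needs_layout = false;
    bool needsLayout() const { return needs_layout; }
};

struct Document {
    std::unique_ptr<FrameView> view_;  // null once the frame is removed
    std::string text;
    FrameView* view() const { return view_.get(); }
};

// Existing (weak) assertion: a document with no view at all passes.
bool weakPrecondition(const Document& doc) {
    return !doc.view() || !doc.view()->needsLayout();
}

// Proposed (strict) assertion: a view must exist and its layout must be clean.
bool strictPrecondition(const Document& doc) {
    return doc.view() && !doc.view()->needsLayout();
}

// Guard a caller such as spellchecking should apply before iterating text
// on a document whose frame may have just been removed.
bool canIterateText(const Document& doc) {
    return strictPrecondition(doc);
}

// Stand-in for createPlainText(): refuses to iterate unless the strict
// precondition holds, so the caller never trips the tightened assertion.
std::optional<std::string> createPlainTextGuarded(const Document& doc) {
    if (!canIterateText(doc)) return std::nullopt;
    return doc.text;
}

// Helper to build the three states the issue talks about: frame removed,
// frame present with dirty layout, frame present with clean layout.
Document makeDocument(bool with_view, bool dirty, const std::string& text) {
    Document doc;
    doc.text = text;
    if (with_view) {
        doc.view_ = std::make_unique<FrameView>();
        doc.view_->needs_layout = dirty;
    }
    return doc;
}
```

The point the test exercises: for a frameless document the weak predicate is true and the strict one is false, which is exactly the case the issue wants callers to stop producing; `createPlainTextGuarded` turns that into an early return instead of an assertion failure.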
Comment 1 by yosin@chromium.org, Mar 4 2016
Right. I won't change the assertion, not until after the callers are all fixed :)
Comment, Aug 7 2016
Issue 628504 has been merged into this issue.
Comment, Aug 27 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment, Sep 2 2016 (no text)
Comment, Sep 9 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6614517910077440
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !start.document()->needsLayoutTreeUpdate() in TextIterator.cpp
  blink::TextIteratorAlgorithm<>::TextIteratorAlgorithm
  blink::createPlainText<>
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=389343:389363

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96zlTDGnM67W6btTMb7CCAQyg2aqFOoCZ93guHgCe6YSatd6KWdemwz50MqtWcfcp7rj76bR_Fgx0MPMaSn9owzJWOSuIb1FHIMgHeBOAcsNuFyDc07IJLUICGQ9WZKQYzuwazHLv2OFPsOQ-d3zuIuHoJXQw?testcase_id=6614517910077440

    <div contenteditable="true" id="paste">
    <script>
    paste.focus();
    </script>
    <video autoplay=""<source src="../../../media/white.webm" type="video/webm">
    <track>
    <script>
    document.getElementsByTagName('track')[0].track.mode = 'showing';
    </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Sep 12 2016 (no text)
Comment, Sep 12 2016 (no text)
Comment, Oct 4 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5138441551740928
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !start.document()->needsLayoutTreeUpdate() in TextIterator.cpp
  blink::TextIteratorAlgorithm<>::TextIteratorAlgorithm
  blink::createPlainText<>
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=389343:389363

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Zu4jKmmro2I9eMu6yU5_sC3_bKOwaDDE_HWCPXV6UBWWAYMXC8tMzaQRy8E_ykXa2IuNzR7OF9UfVKFC98A9G3zM8l-KgaZGHlQ15OqqzQ0PXg8be7Fxn8PCjYfnhKDWz6tULg_STqwhn5DvhHUgWe4CCfg?testcase_id=5138441551740928

    <div contenteditable="" id="test">
    <script>
    window.getSelection().collapse(test);
    </script>
    <video autoplay=""<source src="../../media/white.webm" type="video/webm">
    <track>
    <script>
    document.getElementsByTagName('track')[0].track.mode = 'showing';
    </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment, Jan 27 2017 (no text)
Comment, Feb 15 2017 (no text)
Comment, Apr 16 2018
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment, Apr 18 2018 (no text)