Issue 592811

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug



InsertOrderedList crashes with mixed visibility

Project Member Reported by ClusterFuzz, Mar 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6243400816263168

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: isStartOfParagraph(startOfParagraphToMove)
  blink::CompositeEditCommand::moveParagraph
  blink::InsertListCommand::moveParagraphOverPositionIntoEmptyListItem
  

Minimized Testcase (1.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97pgx-5MBKX2uA5yN6JhM_g1ivHGjE4mQ7LflhGEK8evEux4xbOIeAnZCD_Wm0wm7lr2CzoFH6xcoETuKIugfeynBzVLk0vDmRq4jv3MVbrp4CexJG-9cjApVpgpZJLl43qtLCtUQATOxf1OZvBISyzGI3WqA

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: M-49 findit-for-crash Te-Logged
Owner: tkent@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: justing
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e1ef4102dc60ec0a5b713d8fabc023555621cb60
Time: Fri Jun 09 04:57:51 2006
The CL last changed line 1245 of file CompositeEditCommand.cpp, which is stack frame 0.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2df3e5c169263f58f3da42ef4d2b518a362f2df5
Time: Wed Feb 10 05:12:58 2016
The CL last changed line 498 of file InsertListCommand.cpp, which is stack frame 1.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2df3e5c169263f58f3da42ef4d2b518a362f2df5
Time: Wed Feb 10 05:12:58 2016
The CL last changed line 479 of file InsertListCommand.cpp, which is stack frame 2.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2df3e5c169263f58f3da42ef4d2b518a362f2df5
Time: Wed Feb 10 05:12:58 2016
The CL last changed line 319 of file InsertListCommand.cpp, which is stack frame 3.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2df3e5c169263f58f3da42ef4d2b518a362f2df5
Time: Wed Feb 10 05:12:58 2016
The CL last changed line 222 of file InsertListCommand.cpp, which is stack frame 4.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 208 of file CompositeEditCommand.cpp, which is stack frame 5.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7840a79114afc7071c77cf3b7337570a6fbb156d
Time: Fri Feb 19 04:15:19 2016
The CL last changed line 582 of file EditorCommand.cpp, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Editing

Comment 2 by tkent@chromium.org, Mar 8 2016

Owner: ----
Status: Untriaged (was: Assigned)
Route to Editing triage
Components: Blink>Editing
Labels: -cr-blink-editing
Remove Cr-* labels, replace w/ component

Comment 4 by yosin@chromium.org, Mar 22 2016

Assertion:
void CompositeEditCommand::moveParagraph(const VisiblePosition& startOfParagraphToMove,
                                         const VisiblePosition& endOfParagraphToMove,
                                         const VisiblePosition& destination,
                                         EditingState* editingState,
                                         bool preserveSelection,
                                         bool preserveStyle,
                                         Node* constrainingAncestor)
{
    ASSERT(isStartOfParagraph(startOfParagraphToMove));
    ASSERT(isEndOfParagraph(endOfParagraphToMove));

Both |startOfParagraphToMove| and |endOfParagraphToMove| are null.

DOM tree at assertion:
m_endingSelection.showTreeForThis()
BODY	0000017478B435C0 (editable)
	INPUT	0000017478B43628 (editable)
		#shadow-root	0000017478B43738
			DIV	0000017478B43810 ID="inner-editor" (editable)
	#text	0000017478B43878 "\n"
SE	FORM	0000017478B438C8 CLASS="CLASS5 CLASS0" (editable)
		OL	0000017478B43A58 (editable)
			LI	0000017478B43AD0 (editable)
				BR	0000017478B43B38 (editable)
		BR	0000017478B439F0 (editable)


Comment 5 by yosin@chromium.org, Mar 22 2016

Labels: -Pri-1 Pri-2
Status: Available (was: Untriaged)
Summary: InsertOrderedList crashes with mixed visibility (was: ASSERTION FAILED: isStartOfParagraph(startOfParagraphToMove))
Lower to Pri-2, since real world usage of InsertOrderedList is low.

Minimum script to reproduce: the "border-top" property is needed to repro. Why?

<!doctype html>
<style>
*{visibility:hidden;}
</style>
<input>
<div style="border-top:medium inset;visibility:visible;"></div>
<script>
document.execCommand('SelectAll')
document.designMode = 'on';
document.execCommand('InsertOrderedList');
</script>

Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by yosin@chromium.org, May 22 2017

Labels: Pri-3
Bulk set to Pri-3 for cluster fuzz bugs.
Since these issues happen with unusual HTML.

Comment 8 by ClusterFuzz (Project Member), Jun 21 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 6243400816263168 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
