Issue 594287

Issue metadata

Status: Duplicate
Merged: issue 606517
Owner: ----
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

FormatBlock command crashes with CSS property height

Reported by ClusterFuzz, Mar 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6027067004551168

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: pos.anchorNode()->layoutObject()
  blink::CompositeEditCommand::insertBlockPlaceholder
  blink::FormatBlockCommand::formatRange
  

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94JtOdJaeVgOXjLYMBU91npIk2ttjZuXgF_I91m1d9phsNvKbmr_VN5jjTt8M09NQU1bwknIF4clA-CZZO9E8-Oq6VsHjMXIYxfTTiJXNhl7xMjfyRtz6xIptqOz6ZSIoT3w64Gay-ikZuE_NFbuZB5vCP4sA
<script>
onload = function() {
    document.designMode = 'on';
    document.execCommand('SelectAll');
    document.execCommand('FormatBlock', false, '<pre>');
};
  </script>
 ">
  ab
<!-->
  <style>
   div {
        height: 100px;
</style>
  <div>
  </div>
  <div>


Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: M-49 findit-for-crash Te-Logged
Owner: tkent@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: yoichio@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/c2e631a5d37195d88a8a764a9555ce3781f32f30
Time: Wed Jul 22 08:06:01 2015
The CL last changed line 914 of file CompositeEditCommand.cpp, which is stack frame 0.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8fa61a69304e774ec9e4c1e944a2fc151c02c0ab
Time: Wed Feb 17 01:23:35 2016
The CL last changed line 112 of file FormatBlockCommand.cpp, which is stack frame 1.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 146 of file ApplyBlockElementCommand.cpp, which is stack frame 2.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 65 of file FormatBlockCommand.cpp, which is stack frame 3.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 93 of file ApplyBlockElementCommand.cpp, which is stack frame 4.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 208 of file CompositeEditCommand.cpp, which is stack frame 5.

Author: esprehn@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/645b1159da89c9cd6b7e59b40c4ba80f9e88faa5
Time: Wed Sep 04 19:01:14 2013
The CL last changed line 485 of file EditorCommand.cpp, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Editing

Comment 2 by tkent@chromium.org, Mar 13 2016

Owner: ----
Status: Untriaged (was: Assigned)
Route to Editing triage

Comment 3 by tkent@chromium.org, Mar 13 2016

Components: Blink>Editing
Labels: -Cr-Blink-Editing

Comment 4 by yosin@chromium.org, Mar 14 2016

Labels: -OS-Linux -Pri-1 OS-All Pri-2
Status: Available (was: Untriaged)
Summary: FormatBlock command crashes with CSS property height (was: ASSERTION FAILED: pos.anchorNode()->layoutObject())
Lowering to Pri-2, since real-world usage of the FormatBlock command is low.

Assertion:
CompositeEditCommand::insertBlockPlaceholder(const Position& pos, EditingState* editingState)
  ASSERT(pos.anchorNode()->layoutObject());

pos.inDocument() = false

|pos| comes from |lastParagraphInBlockNode| in |FormatBlockCommand::formatRange()|, which is
removed by |moveParagraphWithClones()|.

DOM Tree:
*#document	3C0421D0 (editable)
	HTML	3C042AD8 (editable)
		HEAD	3C042B10 (editable)
			SCRIPT	3C042B48 (editable)
				#text	3C042B88 "...script..."
			#text	3C042BF0 "\n "
		BODY	3C042BB8 (editable) (focused)
			PRE	3C042E30 (editable)
				#text	3C042ED0 "">\n"
				#text	3C042F00 "  ab\n"
			DIV	3C042D60 (editable)
				#text	3C042D98 "\n  "
			#text	3C042DC8 "\n  "
			DIV	3C042DF8 (editable)

Before moveParagraphWithClones()
lastParagraphInBlockNode.showTreeForThis()
BODY	3C042BB8 (editable) (focused)
	PRE	3C042E30 (editable)
		#text	3C042ED0 "">\n"
*		#text	3C042E68 "  ab\n"
	DIV	3C042D60 (editable)
		#text	3C042D98 "\n  "
	#text	3C042DC8 "\n  "
	DIV	3C042DF8 (editable)
<void>


It seems |rangeForParagraphSplittingTextNodesIfNeeded()| doesn't handle DIV w/ height:100px well.

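A stand-alone C++ model of the stale-Position hazard described in the comment above, added here as an illustration and not Blink's own code: Node, Position, moveParagraphWithClones and insertBlockPlaceholder are simplified stand-ins for the Blink classes and functions named in the report, and formatRangeScenario replays the ordering from |FormatBlockCommand::formatRange()| on the report's DOM. It shows why a Position captured before |moveParagraphWithClones()| must be re-validated before its anchor node's layout state is dereferenced.

```cpp
// Hypothetical model of a DOM node (not Blink code): a node has a layout object
// only while attached to the document, which is what the failing ASSERT checks.
struct Node {
    const char* name = "";
    bool isDocument = false;
    Node* parent = nullptr;   // nullptr once detached from the tree
    bool inDocument() const {
        for (const Node* n = this; n; n = n->parent)
            if (n->isDocument) return true;
        return false;
    }
    bool hasLayoutObject() const { return inDocument(); }
    void appendChild(Node* c) { c->parent = this; }
    void removeChild(Node* c) { c->parent = nullptr; }
};

// Model of blink::Position: an anchor node plus an offset into it.
struct Position {
    Node* anchorNode = nullptr;
    int offset = 0;
    bool inDocument() const { return anchorNode && anchorNode->inDocument(); }
};

// Models moveParagraphWithClones(): the paragraph is cloned into |newBlock| and the
// original node is removed, so any Position still anchored on the original goes stale.
void moveParagraphWithClones(Node* original, Node* clone, Node* newBlock) {
    clone->name = original->name;
    newBlock->appendChild(clone);
    original->parent->removeChild(original);
}

enum class Outcome { Inserted, StalePosition };
// Hardened insertBlockPlaceholder(): re-validate the Position before touching layout
// state. The report's ASSERT fires exactly where this early return is missing.
Outcome insertBlockPlaceholder(const Position& pos) {
    if (!pos.inDocument() || !pos.anchorNode->hasLayoutObject())
        return Outcome::StalePosition;   // bail out instead of asserting/crashing
    return Outcome::Inserted;
}

// Replays the formatRange() ordering on the report's DOM (BODY > DIV > "ab" text).
// With |moveFirst| the text node is moved before the placeholder is inserted.
Outcome formatRangeScenario(bool moveFirst) {
    Node document{"#document"}, body{"BODY"}, div{"DIV"}, text{"#text ab"}, pre{"PRE"}, clone;
    document.isDocument = true;
    document.appendChild(&body); body.appendChild(&div); div.appendChild(&text); body.appendChild(&pre);
    Position lastParagraphInBlockNode{&text, 0};
    if (moveFirst) moveParagraphWithClones(&text, &clone, &pre);
    return insertBlockPlaceholder(lastParagraphInBlockNode);
}
```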

Comment 5 by yosin@chromium.org, Apr 26 2016

Mergedinto: 606517
Status: Duplicate (was: Available)
Because we replaced ASSERT with DCHECK, a new stack trace was found in crbug.com/606517.

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot