InsertOrderedList crashes with multiple BODY/HEAD/IFRAME

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5212159170052096
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: destination.deepEquivalent().inDocument()
  blink::CompositeEditCommand::moveParagraphs
  blink::InsertListCommand::unlistifyParagraph
Minimized Testcase (1.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K5oYpMxfDzv-x0HYpTnDYqJHLsHB6DD44VABzzZwuPhQqumusKBLSHOh6YBQtfyycpqPhsYtIYjm7ohdvfMmhzd_j3izCvmkb-Ckcnrbb8NDggX1orWsVOZB6yILOhT70lvnRJ0Dpd5kXDzSaVfKJUscaHw
Filer: pucchakayala
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 14 2016
Route to Editing triage
Mar 15 2016
Lower to Pri-2, since real world usage of InsertOrderedList is low.
It seems computation of start/end paragraph doesn't work well including BODY and IFRAME.
DOM tree at assertion:
*#document 3E4021D0
HTML 3E402AD8 (editable) (focused)
HEAD 3E402B10 (editable)
STYLE 3E402B48 (editable)
#text 3E402B98 "\n*{-webkit-user-modify:read-write;"
#text 3E402BC8 "\n"
IFRAME 3E402CD0 (editable)
#text 3E402D48 "... text ..."
HEAD 3E404228 (editable)
BODY 3E404260 (editable)
IFRAME 3E404298 (editable)
#text 3E404310 "... text ..."
BODY 3E402C68 (editable)
OL 3E408260 (editable)
LI 3E4082A8 (editable)
BODY 3E408180 (editable)
IFRAME 3E4081B8 (editable)
#text 3E408230 "... text ..."
HEAD 3E406CA0 (editable)
BODY 3E406CD8 (editable)
IFRAME 3E406D10 (editable)
#text 3E406D88 "... text ..."
HEAD 3E4057F8 (editable)
BODY 3E405830 (editable)
IFRAME 3E405868 (editable)
#text 3E4058E0 "... text ..."
<void>
DOM tree before deleteSelection()
*#document 3E4021D0
HTML 3E402AD8 (editable) (focused)
HEAD 3E402B10 (editable)
STYLE 3E402B48 (editable)
#text 3E402B98 "\n*{-webkit-user-modify:read-write;"
#text 3E402BC8 "\n"
IFRAME 3E402CD0 (editable)
#text 3E402D48 "...text..."
HEAD 3E404228 (editable)
BODY 3E404260 (editable)
IFRAME 3E404298 (editable)
#text 3E404310 "... text ..."
BODY 3E402C68 (editable)
OL 3E408260 (editable)
LI 3E4082A8 (editable)
BR 3E4082E0 (editable)
destination BR 3E409678 (editable)
SCRIPT 3E402BF8 (editable)
HEAD 3E408148 (editable)
BODY 3E408180 (editable)
IFRAME 3E4081B8 (editable)
#text 3E408230 "... text ..."
HEAD 3E406CA0 (editable)
BODY 3E406CD8 (editable)
IFRAME 3E406D10 (editable)
#text 3E406D88 "...text ..."
HEAD 3E4057F8 (editable)
BODY 3E405830 (editable)
IFRAME 3E405868 (editable)
#text 3E4058E0 "... text ..."
<void>
Jul 2 2016
ClusterFuzz has detected this issue as fixed in range 389884:390111.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5212159170052096
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  destination.deepEquivalent().inDocument()
  blink::CompositeEditCommand::moveParagraphs
  blink::InsertListCommand::unlistifyParagraph
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=369991:370003
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=389884:390111
Minimized Testcase (1.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96dDwE8-9LC2YlNYKgMU8Fjw5SpqnaBQukenQwz5SgRraxNx-x0JELg7YXBjLx3f2CuN0MyIMqfnMNdl7AUQGcSCzkOEKWQlj9TG8tWU33GRd9-4uPEzDQqGhZ83vu5WNqpf67h48LCS0F7NFUDF40zVM-7ow?testcase_id=5212159170052096
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 2 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by pucchakayala@chromium.org, Mar 14 2016
Owner: tkent@chromium.org
Status: Assigned (was: Available)