Issue 594906

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug



JustifyCenter command crashes with TR element w/o TABLE element

Project Member Reported by ClusterFuzz, Mar 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5075212801933312

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x00000008
Crash State:
  blink::CompositeEditCommand::isRemovableBlock
  blink::DeleteSelectionCommand::removeRedundantBlocks
  blink::DeleteSelectionCommand::doApply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=275694:275720

Minimized Testcase (2.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nbr41yWayczd4Xshzxe9zVNR06KdugrEakZuzBfHqAEx1WzTxLP0W42ZwSk8Y4t-i-USAFf481cKKoE6oPO6h-jJmuxOZQ2wTlIy0kINoq0X_JLigrmMqqqDgHWjXvchiU1xORCqQaKz_xuM08qD_AuSnsw

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Mar 15 2016

Labels: -Pri-1 findit-wrong Te-Logged Pri-2
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: mjs@apple.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/554c7634cddfec7925865257d362fa718c34ac3a
Time: Thu May 06 22:41:15 2010
The CL last changed line 739 of file Node.h, which is stack frame 0.

Author: commit-queue@webkit.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a617e8a70e2f33152f9b00a7f6e86cd8ba8a29b5
Time: Sat Apr 21 00:18:20 2012
The CL last changed line 254 of file Node.h, which is stack frame 1.

Author: ch.dumez@samsung.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cb14ba27851dca0113b1f0eefcd26d04a4d0a6a2
Time: Fri Mar 14 21:37:55 2014
The CL last changed line 307 of file CompositeEditCommand.cpp, which is stack frame 3.

Author: enrica@apple.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6ca16d9354965cb55343d9e28b1de1bc44725449
Time: Thu Dec 15 00:32:27 2011
The CL last changed line 816 of file DeleteSelectionCommand.cpp, which is stack frame 4.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 913 of file DeleteSelectionCommand.cpp, which is stack frame 5.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 255 of file CompositeEditCommand.cpp, which is stack frame 6.

Suspected Component: chromium-blink
Suspected Cr- Label: Cr-Blink-DOM
=======================================================================================================

Routing to Editing team for further triage.

Project Member

Comment 2 by ClusterFuzz, Mar 17 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5203487016615936

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::CompositeEditCommand::isRemovableBlock
  blink::DeleteSelectionCommand::removeRedundantBlocks
  blink::DeleteSelectionCommand::doApply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (2.57 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96WuFjhRJlPnvLPGo_3XIi57QKEqvJWv3Q_53nwV9YgnBVHHrfn6Eboxk6z_uDW_o1ulz6dkS8ckVOMCN_nvpGWIZOI94PutY_bHOTV4dNzvGr1lHUx4PUtgqlN6PQq0E0P9GSF4eCf80_O1r_NcAzGiLU0Jw

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Components: Blink>Editing
Labels: -cr-blink-editing
Remove Cr-* labels, replace w/ component

Comment 4 by yosin@chromium.org, Mar 22 2016

Owner: ----
Status: Available (was: Assigned)
Summary: JustyCenter command crashes with TR element w/o TABLE element (was: Crash in blink::CompositeEditCommand::isRemovableBlock)

Comment 5 by yosin@chromium.org, Mar 22 2016

Summary: JustifyCenter command crashes with TR element w/o TABLE element (was: JustyCenter command crashes with TR element w/o TABLE element)
Project Member

Comment 6 by ClusterFuzz, Jun 28 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6611520859668480

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::CompositeEditCommand::isRemovableBlock
  blink::DeleteSelectionCommand::removeRedundantBlocks
  blink::DeleteSelectionCommand::doApply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=402309:402316

Minimized Testcase (2.63 Kb): https://cluster-fuzz.appspot.com/download/AMIfv970EbaNR-7k9y3-P4q2xs_1DFMSrgtsnuTcpudBNzAooCaDMHQ7vn6UPcunRmFDwJkjmDY-JK-7xoSJKL1CF96YFb_yRX8_ewEuBYgCGZWLI8HdZmIbJmvnXSkjqtH9x9gh_OwhJsopS-UXZ45ja_wzpTbMaw?testcase_id=6611520859668480

Filer: tkonchada

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: msrchandra@chromium.org
Labels: -findit-wrong Test-Predator-Wrong
Owner: yoichio@chromium.org
Status: Assigned (was: Available)
Unable to find the possible suspect using Find it and CL.
Assigning to the concern owner from Code Search using the file "compositeeditcommand.cpp".

Suspecting the CL --
https://chromium.googlesource.com/chromium/src/+/ea062aa9a0f814b1ba88bbe3151e057e5aba60e8

@yoichio -- Could you please look into the issue, kindly re-assign if this is not related to your change.
Thank You.
Project Member

Comment 9 by ClusterFuzz, Dec 23 2016

ClusterFuzz has detected this issue as fixed in range 440451:440490.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5075212801933312

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  blink::CompositeEditCommand::isRemovableBlock
  blink::DeleteSelectionCommand::removeRedundantBlocks
  blink::DeleteSelectionCommand::doApply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=275694:275720
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=440451:440490

Minimized Testcase (2.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95YPXF0lq7AqKnD6zOZeDa0GMCW3D_mRSFcs1Fxr9KpI1Cq4lPC8fVYjv8k6lQrO1-FfG3DM7MOGLlyPZo047fr5OmPUuyQNmlUXUcXxD06KLzs4tv6FQYfAYpbaPeFfmLVwOFWw_a8JonCKooSSH4KJcDJ5Q?testcase_id=5075212801933312

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Marking 'Fixed' as per c#9.

Thank you!
