Crash in blink::WebRange::startOffset
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6317367054827520
Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000013
Crash State:
  blink::WebRange::startOffset
  test_runner::TextInputControllerBindings::SelectedRange
  blink::SelectionEditor::modify
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=380964:381388
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Qnb0uFL6QfJCaCwVO7B-aV6zRnLBbLuLP1t4gd8mJbHTYFqUxFlMB1qOz9ZwZ-ah3POdd3EePLcqNwhVypKnIC0wFn4L5yCV9sd5SpCTQNhZFc5xoOpZ5Qy91Y6GFMOsrUJ9qXShQxqFKOAx8DC6igeljMEYhmvFattLzH4uRTOAaG7A
Filer: ajha
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Mar 18 2016
My CL is not causing this crash. The checkin changes only affect <col> or <colgroup> elements, and none are present on the page. Nothing in the large list of CLs looks like an obvious cause, and I do not have a Windows machine to reproduce this crash on. The crash is an assert when programmatically setting a selection. I assume something is not clearing the selection on delete. I am reassigning this to azurewei. The following CL touches a lot of input code, and it looks like they have a Windows machine to reproduce this on. https://codereview.chromium.org/1771173002

Mar 19 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6317367054827520
Fuzzer: mbarbella_js_mutation_layout
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000013
Crash State:
  blink::WebRange::startOffset
  test_runner::TextInputControllerBindings::SelectedRange
  blink::SelectionEditor::modify
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=380964:381388
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97Qnb0uFL6QfJCaCwVO7B-aV6zRnLBbLuLP1t4gd8mJbHTYFqUxFlMB1qOz9ZwZ-ah3POdd3EePLcqNwhVypKnIC0wFn4L5yCV9sd5SpCTQNhZFc5xoOpZ5Qy91Y6GFMOsrUJ9qXShQxqFKOAx8DC6igeljMEYhmvFattLzH4uRTOAaG7A
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Mar 22 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6176513627521024
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000013
Crash State:
  blink::WebRange::startOffset
  test_runner::TextInputControllerBindings::SelectedRange
  base::internal::RunnableAdapter<std::vector<int,std::allocator<int> > >
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381877:381899
Minimized Testcase (0.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97zV5-ueMVdRozboO61JEHHFcIuFGX6CRdcXcoWITL6iwovOjbfIfDjGqiWyg_tU6_omE6isz89LACHNhMlxO4stAxx3imdqRCACoNUKY5jteGyhV-bGZHM4Gv6_e1vmlZtwvaMFDlFkuzo8fq2EFmzZfIQLQ
Filer: ligimole
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 8 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5225483511267328
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000013
Crash State:
  blink::WebRange::startOffset
  test_runner::TextInputControllerBindings::SelectedRange
  v8::internal::LoadIC::Load
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=385831:385848
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97YxTZe8z7I53oguSDUjYGGKtL3wHJAIHbHnQat2Q40VqNHQ5HEAr2z04IGtXOoVQMVON7BfnHV-zCsHReC3FCVgixiXBPsWzVR3r4vfk6MSxBD7aJAJWmxdFzgRiRTQF3rJZH_Tw8KLvoj7chuIEhREBdE4Q
Additional requirements: Requires Gestures
Filer: pbommana
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Apr 9 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5225483511267328
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000013
Crash State:
  blink::WebRange::startOffset
  test_runner::TextInputControllerBindings::SelectedRange
  v8::internal::LoadIC::Load
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=385831:385848
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97YxTZe8z7I53oguSDUjYGGKtL3wHJAIHbHnQat2Q40VqNHQ5HEAr2z04IGtXOoVQMVON7BfnHV-zCsHReC3FCVgixiXBPsWzVR3r4vfk6MSxBD7aJAJWmxdFzgRiRTQF3rJZH_Tw8KLvoj7chuIEhREBdE4Q
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Apr 25 2016
Sorry for the delay, confused this bug with another one... Shu, can you help look at this bug? Thanks!

May 12 2016
Re #2, azurewei@'s CL https://codereview.chromium.org/1771173002 should not cause the crash. That CL is related to the IME extension; I doubt the fuzz tests involve any IME extensions. Can any Blink gurus take a look?

Jun 13 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6176513627521024
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000013
Crash State:
  blink::WebRange::startOffset
  test_runner::TextInputControllerBindings::SelectedRange
  base::internal::RunnableAdapter<std::vector<int,std::allocator<int> > >
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381877:381899
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96a--XrSLKjLWklVQWusjq8SxMV6s5gT_9sZ9xSHijBZjTk9SFqGUsOsNNXQss7QJOZ00z2g64bsHmIfBhKOAjcFmgiDPGnZdgiYRqbZHSyLUcfOxMrccKfwNEidm2qSgSSoyrLuyFmmEbXh7p63G5JtEl7Wg
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ajha@chromium.org, Mar 18 2016
Owner: atotic@chromium.org
Status: Assigned (was: Available)