InsertParagraphSeparator crashes with TABLE elements.
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6148955708063744

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: isStartOfParagraph(startOfParagraphToMove)
  blink::CompositeEditCommand::moveParagraph
  blink::DeleteSelectionCommand::mergeParagraphs

Minimized Testcase (1.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9702Ortqcc3B0dVeJH9HPG1bvmq2KSQtYKtsKJ37Qz2J8dM_-BNOG070pyLSBHdEGMJyD6GJXeUMq7WEsbkPB31brpLYucBJm-9TBIZO6GcLsPfn3Qd0LN2YHCtoEnxZ_BHlGvXAddOMCywjYQbIDtxH0iTVg

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 22 2016
Mar 23 2016
m_endingSelection.showTreeForThis() BODY 0000047165803250 (editable) (focused) RUBY 00000471658032B8 (editable) #text 0000047165803320 "\n" RBC 0000047165803370 (editable) #text 00000471658033D8 "\n" RT 0000047165803428 (editable) #text 0000047165803490 "\n" RTC 00000471658034E0 (editable) #text 0000047165803548 "\n\n" HEAD 00000471658031E8 (editable) TABLE 00000471658055B0 (editable) #text 00000471658056E8 "\n" S TABLE 00000471658035E8 (editable) #text 00000471658036D0 "\n" CAPTION 0000047165803668 (editable) #text 0000047165803720 "\n" COLGROUP 0000047165803770 (editable) COL 00000471658037E0 (editable) #text 0000047165803850 "\n" TBODY 00000471658038A0 (editable) #text 0000047165803988 "\n" E TABLE 0000047165803908 (editable) #text 0000047165803A40 "\n" CAPTION 00000471658039D8 (editable) #text 0000047165803A90 "\n" COLGROUP 0000047165803AE0 (editable) COL 0000047165803B50 (editable) #text 0000047165803BC0 "\n" #text 0000047165803C10 "\n" PRE 0000047165803C60 (editable) INS 0000047165803CC8 (editable) #text 0000047165803D30 "\n" FORM 0000047165803D80 (editable) #text 0000047165803E50 "\n" DIV 0000047165803EA0 (editable) #text 0000047165803F08 "\n" BUTTON 0000047165803F58 (editable) #text 0000047165804008 "\n" svg 0000047165804058 (editable) #text 00000471658041A8 "\n" H6 00000471658041F8 (editable) #text 0000047165804260 "\n" SELECT 00000471658042B0 (editable) #shadow-root 0000047165804410 CONTENT 00000471658044E8 #text 00000471658045A0 "\n" OPTION 00000471658045F0 (editable) #shadow-root 0000047165804668 #text 0000047165804740 "\n" #text 0000047165804790 "\n\n" FORM 0000047165804830 (editable) #text 0000047165804900 "\n" DIV 0000047165804950 (editable) #text 00000471658049B8 "\n" RUBY 0000047165804A08 (editable) #text 0000047165804A70 "\n" RBC 0000047165804AC0 (editable) #text 0000047165804B28 "\n" RB 0000047165804B78 (editable) #text 0000047165804BE0 "\n" INPUT 0000047165804C30 (editable) #shadow-root 0000047165804D40 DIV 0000047165804E18 ID="inner-editor" 
(editable) #text 0000047165804E80 "\n" SELECT 0000047165804ED0 (editable) #shadow-root 0000047165805030 CONTENT 0000047165805108 #text 00000471658051C0 "\n" #text 0000047165805210 "\n" BUTTON 0000047165805260 (editable) #text 0000047165805310 "\n" ACRONYM 0000047165805360 (editable) #text 00000471658053C8 "\n" TABLE 0000047165805418 (editable) #text 0000047165805510 "\n" SCRIPT 0000047165805498 (editable) #text 0000047165805560 ".. script.." #text 0000047165805630 "\n" DL 0000047165805680 (editable)
Apr 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6069847137452032

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: isStartOfParagraph(startOfParagraphToMove)
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph

Minimized Testcase (0.41 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97z_2h8hBhk1zN2Gelvbvp9JQNnarc2rVBn9u_JUpKnrPQN8BD0zf2ju_v3DiCCrRSxZG05QlYLzJuFn7VrhkTMyQqolKBSCpgfO1DlKyDla_s8GfEJFQ7oC9eqpQLyhKhkCE76pwmd0EHYlOBeBbUjmbmevg

Reproducible crash opening anekdot.ru.
</p>
<p>
No crash == SUCCESS
<style>
* { visibility: visible; }
*:only-of-type { visibility: collapse;
</style>
<script>
onload = function() {
document.designMode = 'on';
var __v_106 = document.querySelector('blockquote');
getSelection().collapse(__v_106, 2);
document.execCommand('Outdent');
};
</script>
<blockquote>
<table>
<table>

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6069847137452032

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  isStartOfParagraph(startOfParagraphToMove)
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.41 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv943-B3G6RAFpY_W93Ll304UzxVyxddJMChenxIdRE9ILfW4JKqudUUDt7zvstljw_GBAoUGNVpBCDv39ZvzqZSOhHiOp31_D6Ko9iNcm6oR83qOLdoJOtXiRE0RC89TousYWOlTeY2P4cs8gQI0NZO3WixnVQ?testcase_id=6069847137452032

Reproducible crash opening anekdot.ru.
</p>
<p>
No crash == SUCCESS
<style>
* { visibility: visible; }
*:only-of-type { visibility: collapse;
</style>
<script>
onload = function() {
document.designMode = 'on';
var __v_106 = document.querySelector('blockquote');
getSelection().collapse(__v_106, 2);
document.execCommand('Outdent');
};
</script>
<blockquote>
<table>
<table>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 7 2016
Still reproducing...
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 10 2017
ClusterFuzz has detected this issue as fixed in range 449250:449259.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6148955708063744

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  isStartOfParagraph(startOfParagraphToMove)
  blink::CompositeEditCommand::moveParagraph
  blink::DeleteSelectionCommand::mergeParagraphs

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=449250:449259

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94s78Xk2ahDaErEO9FCRvbEeOImO06JD_rLJgoyw-WMHghIC03_0fMpQZDQFgeUU7E2XxE_0j_QGyDPWMX9_nT-2p7x5aST5ohmd1ofPQHVuOYFfpv8KzicfB3_ftD7i7cWPT02XAkWeunGOxGoIU2pA7HEUw?testcase_id=6148955708063744

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 10 2017
ClusterFuzz testcase 6148955708063744 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ashej...@chromium.org, Mar 22 2016
Labels: -Pri-1 findit-wrong Te-Logged M-51 Pri-2
Owner: yosin@chromium.org