
Issue 596853

Issue metadata

Status: Verified
Owner: ----
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


previousPositionOf() crashes with mixed-editability

Project Member Reported by ClusterFuzz, Mar 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4853971906199552

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: prev.deepEquivalent() != visiblePosition.deepEquivalent()
  blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > b
  blink::previousPositionOf
  

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95iljsXNonWLjNYBJjyGN8xdHr0OR_hG6glqsxNMBUqjScUcP1U5CF6CAA4IyDSdVp9ofUk1b2hAWcLWA-t4LZ8v4oPiB5PM7j2tyoAbmPruxaHIzEkEcutHAdgRXwKNZxVGI2XulAaESRmwciJd-5bJ_AGJA
<body contenteditable="true"">
   >
       <span contenteditable="false">
        <span contenteditable="true">
         <span contenteditable="true"             bar
            </ol>
           </span>
           <ol>
            bar
  <script>
document.execCommand("SelectAll");
document.execCommand("Indent");
</script>


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ashej...@chromium.org
Components: Blink>Editing
Labels: findit-wrong Te-Logged M-51
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: yosin
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/347fd08e51c511448759adefa665b24ce3884387
Time: Fri Oct 09 05:40:55 2015
The CL last changed line 3238 of file VisibleUnits.cpp, which is stack frame 0.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/561c1b053f22c9b2357f26ec0e791579a4ce34ad
Time: Wed Sep 09 09:45:39 2015
The CL last changed line 3255 of file VisibleUnits.cpp, which is stack frame 1.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8c346b79bd16ff2df640ea892148efa226412e50
Time: Fri Aug 28 08:39:23 2015
The CL last changed line 1203 of file CompositeEditCommand.cpp, which is stack frame 2.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 157 of file IndentOutdentCommand.cpp, which is stack frame 3.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 292 of file IndentOutdentCommand.cpp, which is stack frame 4.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 146 of file ApplyBlockElementCommand.cpp, which is stack frame 5.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 279 of file IndentOutdentCommand.cpp, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Editing

-----------------------------------------------------

Suspecting - https://chromium.googlesource.com/chromium/src//+/347fd08e51c511448759adefa665b24ce3884387 ?
@yosin: Hey, would you mind checking the above issue and seeing if it has anything to do with your change?

Feel free to re-assign to the concerned dev if that is not the case.

I really appreciate your help.

Thank you!

Comment 2 by yosin@chromium.org, Mar 23 2016

Components: -Blink>Editing Blink>TextSelection
Owner: ----
Status: Available (was: Assigned)
Summary: previousPositionOf() crashes with mixed-editability (was: ASSERTION FAILED: prev.deepEquivalent() != visiblePosition.deepEquivalent())
pos.showTreeForThis()
BODY	000004C557D63250 (editable)
	BLOCKQUOTE	000004C557D63710 STYLE="margin: 0 0 0 40px; border: none; padding: 0px;" (editable)
		#text	000004C557D63778 "\n   >\n       "
	SPAN	000004C557D63308
		#text	000004C557D63370 "\n        "
		SPAN	000004C557D633C0 (editable)
			#text	000004C557D63428 "\n         "
*			SPAN	000004C557D63478 (editable)
				#text	000004C557D634E0 "\n           "
			#text	000004C557D63530 "\n           "
			OL	000004C557D63580 (editable)
				#text	000004C557D635F8 "\n            bar\n  "
				SCRIPT	000004C557D63648 (editable)
					#text	000004C557D636C0 "\ndocument.execCommand("SelectAll");\ndocument.execCommand("Indent");\n"

Comment 3 by yosin@chromium.org, Mar 23 2016

Owner: yosin@chromium.org
Status: Assigned (was: Available)

Comment 4 by yosin@chromium.org, Jun 10 2016

Owner: ----
Comment 5 by ClusterFuzz (Project Member), Jul 2 2016

ClusterFuzz has detected this issue as fixed in range 388139:388165.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4853971906199552

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  prev.deepEquivalent() != visiblePosition.deepEquivalent()
  blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > b
  blink::previousPositionOf
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=347894:347902
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388139:388165

Minimized Testcase (0.34 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97SPBWetCHrZA6GRB1I9JI-PyjPQGDb3DA6DqQvaD_P08Gp6Mv7dziQy0i-8Z75GJAwfVYTXKODVhnqgm3x8JBFe-AJ4O3ejYplZd5ocuGmyKD4LIlzX_05I8-pkt7IwsYzoUaoqcKtiTjI0c9VRt91NELfNg?testcase_id=4853971906199552
<body contenteditable="true"">
   <span contenteditable="true">
       <span contenteditable="false">
        <span contenteditable="true">
         <span contenteditable="true"             bar
            </ol>
           </span>
           <ol>
            bar
  <script>
document.execCommand("SelectAll");
document.execCommand("Indent");
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz (Project Member), Jul 2 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 7 by tkent@chromium.org, Oct 12 2016

Components: -Blink>TextSelection Blink>Editing>Selection
Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot