New issue
Advanced search Search tips

Issue 596856 link

Starred by 0 users
Status: WontFix
Owner: ----
Closed: Jan 2017
Cc:
editing-dev@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment

InsertOrderedList crashes with display:inline-block

Project Member Reported by ClusterFuzz, Mar 22 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4749281474379776

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: endOfSelection.isNotNull()
  blink::InsertListCommand::doApply
  blink::CompositeEditCommand::apply
  

Minimized Testcase (0.37 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97jNKjEXkIzw1TuyOAoCHBdCJVjeUnKa9d9gZuRBptOV9fLlZPLHMqwBP6I5grxZQsOol08u9PGZUjvZPGFwCi3l56IPHCUSLc2c2OL3uAwF229aP2jR7burPyZ36MhUkTd6Ju2MpuKsIIckgQzDr57pyNh_g
  <p>
   This line should be green.
  </p>
  <script>
function __f_0() {
    document.execCommand("SelectAll");
    document.execCommand("InsertOrderedList");
}
  </script>
  <body contenteditable="true"</html><style>
div {
            display: inline-block;
            border: 2px solid black;
</style>
 <div>
  </div>
; 
    <script>
 runTest = __f_0; 
 runTest(); 
</script>


Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ashej...@chromium.org, Mar 22 2016

Components: Blink>Editing
Labels: -Pri-1 findit-wrong Te-Logged M-51 Pri-2
Owner: tkent@chromium.org
Status: Assigned (was: Available)
Suspected CLs	Regression information is not available. The result is the blame information.

Author: justin.garcia@apple.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3fb97582debde2e1e54bda88daae6c78390828c8
Time: Thu Jun 30 00:10:53 2011
The CL last changed line 193 of file InsertListCommand.cpp, which is stack frame 0.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 208 of file CompositeEditCommand.cpp, which is stack frame 1.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7840a79114afc7071c77cf3b7337570a6fbb156d
Time: Fri Feb 19 04:15:19 2016
The CL last changed line 582 of file EditorCommand.cpp, which is stack frame 2.

Author: tkent@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b32858db78d1145879e6fd12c0e8b67ddd9b750c
Time: Wed Aug 28 02:51:14 2013
The CL last changed line 1785 of file EditorCommand.cpp, which is stack frame 3.

Author: yoichio@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/08c061c11f0bee57c798f845f8a3cf813750f9be
Time: Mon Apr 21 08:10:58 2014
The CL last changed line 4545 of file Document.cpp, which is stack frame 4.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Editing

------------------------------------------

Suspecting - https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292 ?

@tkent: Hey, would you mind checking the above issue and see if it's related to your change.

Feel free to re-assign to concern dev if that is not the case.

I really appreciate your help.

Thank you!

Comment 2 by tkent@chromium.org, Mar 22 2016

Owner: ----
Status: Untriaged (was: Assigned)

Comment 3 by yosin@chromium.org, Mar 23 2016

Labels: -OS-Linux OS-All
Status: Available (was: Untriaged)
Summary: InsertOrderedList crashes with display:inline-block (was: ASSERTION FAILED: endOfSelection.isNotNull())
Lower to Pri-2, since real world usage of InsertOrderedList is low.

It seems we can get rid of this assertion, since next line handles this case.
  ASSERT(endOfSelection.isNotNull());
  if (endOfSelection.isNull() || !rootEditableElementOf(endOfSelection))
      return;


DOM tree at assertion:
m_endingSelection.showTreeForThis()
BODY	000002F7D1B23250 (editable) (focused)
	P	000002F7D1B23E90 (editable)
		OL	000002F7D1B23E18 (editable)
			LI	000002F7D1B23850 (editable)
SE				#text	000002F7D1B23A48 "This line should be green."
	DIV	000002F7D1B23C90 (editable)
	P	000002F7D1B232B8 (editable)
		OL	000002F7D1B237D8 (editable)
			LI	000002F7D1B23B00 (editable)
				#text	000002F7D1B23D60 "\n;"
	#text	000002F7D1B23370 "\n  "
	SCRIPT	000002F7D1B233C0 (editable)
		#text	000002F7D1B23438 "\nfunction __f_0() {\n    document.execCommand("SelectAll");\n    document.execCommand("InsertOrderedList");\n}\n  "
	#text	000002F7D1B23488 "\n  "
	STYLE	000002F7D1B234D8 (editable)
		#text	000002F7D1B23568 "\ndiv {\n            display: inline-block;\n            border: 2px solid black;\n"
	#text	000002F7D1B235B8 "\n "
	SCRIPT	000002F7D1B23710 (editable)
		#text	000002F7D1B23788 "\n runTest = __f_0; \n runTest(); \n"
Project Member

Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by ClusterFuzz, Jan 2 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 4749281474379776 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment