
Issue 597624

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , All , Mac
Pri: 2
Type: Bug

InsertNewlineInQuotedContent crashes with orphan ending selection

Project Member Reported by ClusterFuzz, Mar 24 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5941312133529600

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000048
Crash State:
  blink::CompositeEditCommand::insertNodeAfter
  blink::BreakBlockquoteCommand::doApply
  blink::CompositeEditCommand::applyCommandToComposite
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=136263:136271

Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DMOtstYC1wD4DHkz_NZjM2kiPSQ46oOSvGvrxMCS_1JRVzfx9dM8IY8Js6TJUFkyH8NY9nn_SYihoKFC9qsC_YL0Own7FfFSkqHsfq-e3VLMddSSiRH2zohdFRnsRx1gXhTjCAcYRdO7YixkX8Ty9G8K_ag

Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ashej...@chromium.org
Components: Blink>Editing
Labels: findit-wrong M-50 Te-Logged
Owner: yosin@chromium.org
Status: Assigned (was: Available)
No CL in the regression range changes the crashed files. The result is the blame information.

Author: wibling@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a4c3a7dd738ac5789cbdbf82b6c63627154ec46a
Time: Thu Apr 03 13:08:44 2014
The CL last changed line 772 of file Handle.h, which is stack frame 0.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fa2dca0b50eb5da1b0f7a85bc5c5473886c37155
Time: Tue Aug 18 04:23:01 2015
The CL last changed line 336 of file CompositeEditCommand.cpp, which is stack frame 1.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/45632fb469f9738299adf8f0877812138bd6d682
Time: Tue Feb 16 07:06:59 2016
The CL last changed line 181 of file BreakBlockquoteCommand.cpp, which is stack frame 2.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 255 of file CompositeEditCommand.cpp, which is stack frame 3.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2e7914fe42c279c13e64f9bf07336d9c769ae3bf
Time: Wed Feb 17 10:04:46 2016
The CL last changed line 437 of file TypingCommand.cpp, which is stack frame 4.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7840a79114afc7071c77cf3b7337570a6fbb156d
Time: Fri Feb 19 04:15:19 2016
The CL last changed line 221 of file TypingCommand.cpp, which is stack frame 5.

Author: tkent@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b32858db78d1145879e6fd12c0e8b67ddd9b750c
Time: Wed Aug 28 02:51:14 2013
The CL last changed line 1785 of file EditorCommand.cpp, which is stack frame 6.

Suspected Component: chromium-blink
Suspected Cr- Label: Cr-Blink-Editing

-------------------------------------

Assigning it to yosin to help us assign it to the correct owner.

I really appreciate your help.

Thank you!

Comment 2 by tkent@chromium.org, Mar 25 2016

Labels: -M-50 OS-Mac
At the beginning of BreakBlockquoteCommand::doApply, endingSelection() is in an orphan tree.

Comment 3 by yosin@chromium.org, Mar 25 2016

Labels: -Pri-1 OS-All Pri-2
Status: Available (was: Assigned)
Summary: InsertNewlineInQuotedContent crashes (was: Crash in blink::CompositeEditCommand::insertNodeAfter)
Lowering to Pri-2, since real-world usage of InsertNewlineInQuotedContent is low:

Regarding #2, it is strange that m_endingSelection is orphan.

DOM tree at assertion:
*#document	000003D5255C2570 (editable)
	HTML	000003D5255C3170 (editable)
		HEAD	000003D5255C31D8 (editable)
			SCRIPT	000003D5255C3240 (editable)
				#text	000003D5255C32B8 "...script..."
			#text	000003D5255C3308 "\n  "
			SCRIPT	000003D5255C3358 (editable)
				#text	000003D5255C33D0 "...script.."
		BODY	000003D5255C3470 (editable)
			#text	000003D5255C3870 "Test passes if a DOMCharacterModified event on the textarea does not crash."

Comment 4 by yosin@chromium.org, Mar 25 2016

Status: Started (was: Available)
Summary: InsertNewlineInQuotedContent crashes with orphan ending selection (was: InsertNewlineInQuotedContent crashes)
In review: http://crrev.com/1829343002
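The failure mode tkent and yosin describe in comments 2 and 3, as an added example rather than Blink code or the fix under review: an editing command carries an ending selection between its steps, page script that runs from a mutation-event handler detaches the subtree that selection points into, and the next step walks parent pointers from the now-orphan anchor. The Node, Document, Position, breakBlockquote and runScenario names below are stand-ins for blink::Node, blink::Document, blink::Position and blink::BreakBlockquoteCommand::doApply, the mutation listener that removes the blockquote is a constructed trigger (the fuzzer's minimized testcase is not on this page), and the assumption that the bad read is insertNodeAfter reaching the null parent of a detached blockquote is consistent with the crash state but is not stated in the report. The guard in breakBlockquote is the practitioner's point: re-validate that a cached selection is still connected to the document before using it, because arbitrary script may have run since it was captured.

```cpp
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in DOM node (not blink::Node).
struct Node {
    std::string name;
    std::string data;             // character data for #text nodes
    Node* parent = nullptr;
    std::vector<Node*> children;
    explicit Node(std::string n) : name(std::move(n)) {}
};

// What an editing command carries between its steps: the caret position it
// ended on (cf. CompositeEditCommand::endingSelection()). Only the anchor
// node matters for this model.
struct Position {
    Node* anchor = nullptr;
};

struct Document {
    Node root{"#document"};
    std::vector<std::unique_ptr<Node>> arena;   // owns every created node
    // Mutation-event handlers: page script that runs synchronously inside a
    // DOM mutation, before the editing command regains control.
    std::vector<std::function<void(Document&, Node*)>> mutationListeners;

    Node* create(const std::string& name) {
        arena.push_back(std::make_unique<Node>(name));
        return arena.back().get();
    }
    bool isConnected(const Node* n) const {
        for (; n; n = n->parent)
            if (n == &root) return true;
        return false;
    }
    void appendChild(Node* parent, Node* child) {
        child->parent = parent;
        parent->children.push_back(child);
        notify(child);
    }
    void removeChild(Node* child) {
        Node* parent = child->parent;
        if (!parent) return;                      // already detached
        auto& c = parent->children;
        c.erase(std::find(c.begin(), c.end(), child));
        child->parent = nullptr;                  // subtree is now orphan
        notify(child);
    }
    void setTextData(Node* text, std::string data) {   // DOMCharacterDataModified
        text->data = std::move(data);
        notify(text);
    }
    // CompositeEditCommand::insertNodeAfter needs refChild's parent. Returns
    // false where the real code would read through a null parent pointer.
    bool insertNodeAfter(Node* newNode, Node* refChild) {
        Node* parent = refChild->parent;
        if (!parent) return false;
        auto& c = parent->children;
        auto it = std::find(c.begin(), c.end(), refChild);
        newNode->parent = parent;
        c.insert(it + 1, newNode);
        notify(newNode);
        return true;
    }
    void notify(Node* n) {
        auto listeners = mutationListeners;       // copy: a listener may add more
        for (auto& l : listeners) l(*this, n);
    }
};

enum class Result { Applied, BailedOrphanSelection, NullParentDereference };

// Shape of BreakBlockquoteCommand::doApply(): find the blockquote the caret is
// in and insert a new block after it. `guardOrphan` toggles the check that the
// ending selection must still point into the document.
Result breakBlockquote(Document& doc, const Position& endingSelection, bool guardOrphan) {
    Node* anchor = endingSelection.anchor;
    if (guardOrphan && (!anchor || !doc.isConnected(anchor)))
        return Result::BailedOrphanSelection;
    Node* bq = anchor;
    while (bq && bq->name != "BLOCKQUOTE") bq = bq->parent;
    if (!bq) return Result::Applied;              // no quote to break
    Node* newBlock = doc.create("BLOCKQUOTE");
    if (!doc.insertNodeAfter(newBlock, bq))
        return Result::NullParentDereference;     // orphan blockquote: parent is null
    return Result::Applied;
}

// #document > BODY > BLOCKQUOTE > #text, caret in the text node. A typing step
// modifies the text (firing mutation listeners), then the quote is broken.
Result runScenario(bool scriptDetachesQuote, bool guardOrphan) {
    Document doc;
    Node* body = doc.create("BODY");
    doc.appendChild(&doc.root, body);
    Node* bq = doc.create("BLOCKQUOTE");
    doc.appendChild(body, bq);
    Node* text = doc.create("#text");
    doc.appendChild(bq, text);
    Position endingSelection{text};

    // Constructed trigger: a handler that detaches the blockquote the caret is in.
    if (scriptDetachesQuote)
        doc.mutationListeners.push_back([bq](Document& d, Node*) { d.removeChild(bq); });

    doc.setTextData(text, "x");                                 // step 1: runs the handler
    return breakBlockquote(doc, endingSelection, guardOrphan);  // step 2: doApply()
}

int main() {
    std::cout << "no script, unguarded: " << static_cast<int>(runScenario(false, false)) << "\n"
              << "script, unguarded:    " << static_cast<int>(runScenario(true, false)) << "\n"
              << "script, guarded:      " << static_cast<int>(runScenario(true, true)) << "\n";
}
```

With no script in the way both variants apply the command; once a mutation handler detaches the quote, the unguarded path reaches insertNodeAfter with a null parent (the class of read the crash state shows), while the guarded path notices the selection is orphan at the top of doApply and returns without touching the tree.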

Comment 5 by ClusterFuzz, Apr 20 2016

ClusterFuzz has detected this issue as fixed in range 388458:388479.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5941312133529600

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000048
Crash State:
  blink::CompositeEditCommand::insertNodeAfter
  blink::BreakBlockquoteCommand::doApply
  blink::CompositeEditCommand::applyCommandToComposite
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=136263:136271
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=388458:388479

Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DMOtstYC1wD4DHkz_NZjM2kiPSQ46oOSvGvrxMCS_1JRVzfx9dM8IY8Js6TJUFkyH8NY9nn_SYihoKFC9qsC_YL0Own7FfFSkqHsfq-e3VLMddSSiRH2zohdFRnsRx1gXhTjCAcYRdO7YixkX8Ty9G8K_ag

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by yosin@chromium.org, Apr 26 2016

Status: Fixed (was: Started)

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
