InsertNewlineInQuotedContent crashes with orphan ending selection
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5941312133529600
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000048
Crash State:
  blink::CompositeEditCommand::insertNodeAfter
  blink::BreakBlockquoteCommand::doApply
  blink::CompositeEditCommand::applyCommandToComposite
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=136263:136271
Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DMOtstYC1wD4DHkz_NZjM2kiPSQ46oOSvGvrxMCS_1JRVzfx9dM8IY8Js6TJUFkyH8NY9nn_SYihoKFC9qsC_YL0Own7FfFSkqHsfq-e3VLMddSSiRH2zohdFRnsRx1gXhTjCAcYRdO7YixkX8Ty9G8K_ag
Filer: ashejole
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 25 2016
At the beginning of BreakBlockquoteCommand::doApply, endingSelection() is in an orphan tree.
Mar 25 2016
Lower to Pri-2, since real world usage of InsertNewlineInQuotedContent is low.

Regarding #2, it is strange that m_endingSelection is orphan. DOM tree at assertion:

  *#document 000003D5255C2570 (editable)
    HTML 000003D5255C3170 (editable)
      HEAD 000003D5255C31D8 (editable)
        SCRIPT 000003D5255C3240 (editable)
          #text 000003D5255C32B8 "...script..."
        #text 000003D5255C3308 "\n "
        SCRIPT 000003D5255C3358 (editable)
          #text 000003D5255C33D0 "...script.."
      BODY 000003D5255C3470 (editable)
        #text 000003D5255C3870 "Test passes if a DOMCharacterModified event on the textarea does not crash."
Mar 25 2016
In review: http://crrev.com/1829343002
Apr 20 2016
ClusterFuzz has detected this issue as fixed in range 388458:388479.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5941312133529600
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000048
Crash State:
  blink::CompositeEditCommand::insertNodeAfter
  blink::BreakBlockquoteCommand::doApply
  blink::CompositeEditCommand::applyCommandToComposite
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=136263:136271
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=388458:388479
Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DMOtstYC1wD4DHkz_NZjM2kiPSQ46oOSvGvrxMCS_1JRVzfx9dM8IY8Js6TJUFkyH8NY9nn_SYihoKFC9qsC_YL0Own7FfFSkqHsfq-e3VLMddSSiRH2zohdFRnsRx1gXhTjCAcYRdO7YixkX8Ty9G8K_ag
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ashej...@chromium.org, Mar 24 2016
Components: Blink>Editing
Labels: findit-wrong M-50 Te-Logged
Owner: yosin@chromium.org
Status: Assigned (was: Available)