InputMethodController::getSelectionOffsets() should return empty for display:none
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5385491528024064

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  CHECK failed: start <= end in PlainTextRange.cpp
  blink::PlainTextRange::PlainTextRange
  blink::PlainTextRange::create

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96td2NjAtxYH5Vi7_FznBCqdteXNEmp2dexZ9Il9tiTEs6NuIA-jzDuKca62BramOGonmQMRfSCXokb0MQhsu8Pd6pCoMzWbfx753qijxRzbfB18ZX_1BaFuA0FXmFZzN2mE8GY6l4-KAZtqK0dQKnicqkP0g

<div id="test" contenteditable></div>
<pre>
<script>
function runSingleTest( isStart) {
    test.innerHTML = '<span>hello</span> world';
    var selection = window.getSelection();
    selection.setBaseAndExtent(test.firstChild.firstChild, 2, test.lastChild, 3);
}
function runTestPairs() {
    runSingleTest();
}
function runTests() {
    runTestPairs();
}
runTests();
test.style.display = 'none';
</script>

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 25 2016
Route to Editing triage
Apr 26 2016
Since FrameSelection depends on the layout tree, clients of FrameSelection should check that layout objects are available for selection. In the sample, FrameSelection has no layout objects; they are removed by |test.style.display='none'|.
Apr 26 2016
Lower to Pri-2, the scenario to reproduce isn't usual.
Jul 4 2016
Jul 28 2016
ClusterFuzz has detected this issue as fixed in range 408050:408071.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5385491528024064

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  start <= end in PlainTextRange.cpp
  blink::PlainTextRange::PlainTextRange
  blink::PlainTextRange::create

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=283188:283414
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=408050:408071

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94s9uPiSAkVuXWWB9mykr4ID1rJuENtziZgrjk9ZLdUYytCH-mzJPfPRW4gqLFkppjZf42i4t9ZBjRYFd8LfEOiN-dwm9DtD_65MQTpPSE3g24MR6wGRqDlC4Uwq704kjDeAzkiYznx4m7X60rd1oVYK6mNFQ?testcase_id=5385491528024064

<div id="test" contenteditable></div>
<pre>
<script>
function runSingleTest( isStart) {
    test.innerHTML = '<span>hello</span> world';
    var selection = window.getSelection();
    selection.setBaseAndExtent(test.firstChild.firstChild, 2, test.lastChild, 3);
}
function runTestPairs() {
    runSingleTest();
}
function runTests() {
    runTestPairs();
}
runTests();
test.style.display = 'none';
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 28 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 12 2016
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by manoranj...@chromium.org, Apr 25 2016
Components: Blink>Architecture Tools>Test>FindIt>NoResult
Labels: Te-Logged
Owner: koten...@yandex-team.ru
Status: Assigned (was: Available)