DETAILS element (shadow host) makes selection crash
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6136552845737984

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  blink::InlineBoxPosition blink::computeInlineBoxPositionTemplate<blink::EditingA
  blink::RenderedPosition::RenderedPosition
  blink::RenderedPosition::RenderedPosition

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=380105:380830

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94JiTQOu1_z-FP-JYyyN7mRWfxrExlLzDsDqSZpj3QnYahYdyxxZqeRfSgGqt21glgPrk19QkKcgRePtYLJM19Tv43ztsNEk-Rz7dM6DUCSrHhQ-HR7Nz4E34DJgDFb_E1FwyN_iW6QP43w9eG9nLSTDs5e8g

<body>
<script>
var test0=document.body.appendChild(document.createElement("legend"))
var test1=document.body.appendChild(document.createElement("details"))
var test7=document.body.appendChild(document.createElement("textarea"))
test1.style['d\isplay']='inline';
test0.style.setProperty('all','initial');
test0.appendChild(document.createTextNode([15366]))
document.execCommand("selectall");
document.designMode = "on"
</script>

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 9 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 10 2016
DCHECK: Check failed: layoutObject. CONTENT id="details-summary"@0
DOM tree at crash:
position.showTreeForThis()
BODY 0000025771D830A0 (editable)
  #text 0000025771D83108 "\n"
  SCRIPT 0000025771D83158 (editable)
    #text 0000025771D831D0 " \nvar test0=document.body.appendChild(document.createElement("legend"))\nvar test1=document.body.appendChild(document.createElement("details"))\nvar test7=document.body.appendChild(document.createElement("textarea"))\ntest1.style['d\\isplay']='inline';\ntest0.style.setProperty('all','initial');\ntest0.appendChild(document.createTextNode([15366]))\ndocument.execCommand("selectall");\ndocument.designMode = "on"\n"
  LEGEND 0000025771D83220 STYLE="all: initial;"
    #text 0000025771D83A68 "15366"
  DETAILS 0000025771D83288 STYLE="display: inline;" (editable)
    #shadow-root 0000025771D832F8
*     CONTENT 0000025771D83670 ID="details-summary"
        SUMMARY 0000025771D833C8 (editable)
          #shadow-root 0000025771D83430
            DIV 0000025771D83500 ID="details-marker"
            CONTENT 0000025771D83568
          #text 0000025771D83620 "Details"
      DIV 0000025771D83728 ID="details-content" STYLE="display: none;"
        CONTENT 0000025771D83790
  TEXTAREA 0000025771D83848 (editable)
    #shadow-root 0000025771D83930
      DIV 0000025771D83A00 ID="inner-editor" (editable)

Flat Tree at crash:
c.m_position.showTreeForThisInFlatTree()
BODY 0000025771D830A0 (editable)
  #text 0000025771D83108 "\n"
  SCRIPT 0000025771D83158 (editable)
    #text 0000025771D831D0 " \nvar test0=document.body.appendChild(document.createElement("legend"))\nvar test1=document.body.appendChild(document.createElement("details"))\nvar test7=document.body.appendChild(document.createElement("textarea"))\ntest1.style['d\\isplay']='inline';\ntest0.style.setProperty('all','initial');\ntest0.appendChild(document.createTextNode([15366]))\ndocument.execCommand("selectall");\ndocument.designMode = "on"\n"
  LEGEND 0000025771D83220 STYLE="all: initial;"
    #text 0000025771D83A68 "15366"
* DETAILS 0000025771D83288 STYLE="display: inline;" (editable)
*   SUMMARY 0000025771D833C8 (editable)
*     DIV 0000025771D83500 ID="details-marker"
*     #text 0000025771D83620 "Details"
*   DIV 0000025771D83728 ID="details-content" STYLE="display: none;"
  TEXTAREA 0000025771D83848 (editable)
    DIV 0000025771D83A00 ID="inner-editor" (editable)
Jun 10 2016
Jun 10 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce

commit 874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce
Author: yosin <yosin@chromium.org>
Date: Fri Jun 10 10:38:44 2016

Make flat tree version RenderedPosition constructor to work on flat tree

This patch makes flat tree version of |RenderedPosition| constructor to work on flat tree rather than DOM tree to calculate inline box position for flat tree position correctly.

Before this patch, flat tree version of |RenderedPosition| constructor uses |toPositionInDOMTree()|, but it doesn't work well for children of shadow root and insertion point, e.g. CONTENT elements and SLOT elements.

In attached layout test, |RenderedPosition| constructor attempts to compute for CONTENT element in DETAILS element.

BUG=616070, 618421
TEST=LayoutTests/editing/selection/select_all/select_all_details_crash.html

Review-Url: https://codereview.chromium.org/2059663002
Cr-Commit-Position: refs/heads/master@{#399150}

[add] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/LayoutTests/editing/selection/select_all/select_all_details_crash.html
[modify] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/Source/core/editing/RenderedPosition.cpp
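As an added illustration of the commit message's point (this is model code written for this page, not Blink code or anything from the review), a small JavaScript model of the two trees shown in the dumps above: it builds the <details> shadow tree from the DOM dump, derives the flat tree by distributing light children into <content> insertion points with fallback, and checks that the CONTENT element a flat-tree position may name is not itself a flat-tree node. Node shapes, helper names and the select predicate are assumptions of the model.

```javascript
// Added model, not Blink code: DOM tree vs flat tree for the v0 shadow tree of <details>.
// <content> is an insertion point with a select predicate and fallback children (shapes are hypothetical).
const el = (name, attrs = {}, children = []) => ({ name, attrs, children, shadowRoot: null });
const text = (data) => ({ name: '#text', attrs: {}, data, children: [] });
const content = (id, select, fallback = []) =>
  ({ ...el('CONTENT', id ? { id } : {}, fallback), insertionPoint: true, select, distributed: [] });
const shadow = (children) => ({ name: '#shadow-root', attrs: {}, children });
// DOM tree: the shadow root is listed as the host's first child, as showTreeForThis() does.
const domChildren = (n) => (n.shadowRoot ? [n.shadowRoot] : []).concat(n.children);
// Distribution: insertion points in the shadow tree, in tree order, take the host's unassigned light children they select.
function distribute(host) {
  const pool = [...host.children];
  const walk = (n) => n.children.forEach((c) => {
    if (!c.insertionPoint) return walk(c);
    c.distributed = pool.filter(c.select);
    c.distributed.forEach((t) => pool.splice(pool.indexOf(t), 1));
  });
  walk(host.shadowRoot);
}
// Flat tree: insertion points are replaced by their distributed nodes, or by their fallback children when nothing was distributed.
function flatChildren(n) {
  if (n.shadowRoot) distribute(n);
  const expand = (list) => list.flatMap((c) => c.insertionPoint
    ? expand(c.distributed.length ? c.distributed : c.children) : [c]);
  return expand(n.shadowRoot ? n.shadowRoot.children : n.children);
}

// Indented dump in the style of the bug's listings (without node addresses).
function dump(n, childrenOf, depth = 0, out = []) {
  const attrs = Object.entries(n.attrs).map(([k, v]) => ` ${k.toUpperCase()}="${v}"`).join('');
  out.push('  '.repeat(depth) + (n.name === '#text' ? `#text ${JSON.stringify(n.data)}` : n.name + attrs));
  childrenOf(n).forEach((c) => dump(c, childrenOf, depth + 1, out));
  return out;
}

// An insertion point is never a flat-tree node, so a flat-tree position naming a CONTENT element has no layout object of its own.
const inFlatTree = (root, node) => root === node || flatChildren(root).some((c) => inFlatTree(c, node));

// The <details> subtree from the bug's DOM dump (constructed from that listing).
function buildDetails() {
  const summary = el('SUMMARY', {}, [text('Details')]);
  summary.shadowRoot = shadow([el('DIV', { id: 'details-marker' }), content(null, () => true)]);
  const details = el('DETAILS', { style: 'display: inline;' });
  details.shadowRoot = shadow([
    content('details-summary', (c) => c.name === 'SUMMARY', [summary]),
    el('DIV', { id: 'details-content', style: 'display: none;' }, [content(null, () => true)]),
  ]);
  return details;
}

console.log(dump(buildDetails(), domChildren).join('\n') + '\n---\n' + dump(buildDetails(), flatChildren).join('\n'));
```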
Jun 11 2016
ClusterFuzz has detected this issue as fixed in range 399141:399152.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6136552845737984

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  blink::InlineBoxPosition blink::computeInlineBoxPositionTemplate<blink::EditingA
  blink::RenderedPosition::RenderedPosition
  blink::RenderedPosition::RenderedPosition

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=380105:380830
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=399141:399152

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94JiTQOu1_z-FP-JYyyN7mRWfxrExlLzDsDqSZpj3QnYahYdyxxZqeRfSgGqt21glgPrk19QkKcgRePtYLJM19Tv43ztsNEk-Rz7dM6DUCSrHhQ-HR7Nz4E34DJgDFb_E1FwyN_iW6QP43w9eG9nLSTDs5e8g

<body>
<script>
var test0=document.body.appendChild(document.createElement("legend"))
var test1=document.body.appendChild(document.createElement("details"))
var test7=document.body.appendChild(document.createElement("textarea"))
test1.style['d\isplay']='inline';
test0.style.setProperty('all','initial');
test0.appendChild(document.createTextNode([15366]))
document.execCommand("selectall");
document.designMode = "on"
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 13 2016
Oct 12 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Jun 8 2016
Owner: yosin@chromium.org
Status: Assigned (was: Available)