
Issue 619876

Issue metadata

Status: Verified
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 2
Type: Bug


user-select:all should not make elements not editable

Project Member Reported by ClusterFuzz, Jun 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4535992346476544

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >::lastPos
  blink::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded
  blink::ApplyBlockElementCommand::formatSelection
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=395786:395857

Minimized Testcase (0.29 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96C-FGmMqFThlW9VjyEn24_Ai3jtsB5I4oj4G4YdFY9h8g3Zadbwf76rdvuNCZVKW8frX3lAvhzTDLhtO2C5QlD6t-dqdcCU8aa1ZU24LDCL2tEO-rSES8xiy6KvNW9febIIhn_E__Q7ZyLnveQYaVY_M4G9w
<style>body {
    }
pre {
    -webkit-user-select: all;
</style><script>
function fuzz() {
document.designMode = 'on';
  document.execCommand("selectAll");
  document.execCommand("FormatBlock",false,"footer");
}
 setTimeout(fuzz); </script>Test:
<pre>!DOCTYPE HTML&gt;
</pre>
Expected result: <span


Filer: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>DOM Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged M-53
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Suspected CLs:
===================
No CL in the regression range changes the crashed files. The result is the blame information.

Author: mjs@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/554c7634cddfec7925865257d362fa718c34ac3a
Time: Thu May 06 22:41:15 2010
The CL last changed line 748 of file Node.h, which is stack frame 0.

Author: commit-queue@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a617e8a70e2f33152f9b00a7f6e86cd8ba8a29b5
Time: Sat Apr 21 00:18:20 2012
The CL last changed line 245 of file Node.h, which is stack frame 1.

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b3a7cd0489e05c4af2fc8cecd51b20b9818a348f
Time: Fri May 20 08:20:51 2016
The CL last changed line 448 of file Position.cpp, which is stack frame 2.

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f0145d429f3950ea3e34088d5d600543af2adbc9
Time: Thu May 19 09:49:19 2016
The CL last changed line 251 of file ApplyBlockElementCommand.cpp, which is stack frame 3.

Author: rniwa@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b9221c12f50385bd2d79b424105f4f0aee133f15
Time: Thu Oct 07 23:55:00 2010
The CL last changed line 139 of file ApplyBlockElementCommand.cpp, which is stack frame 4.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 65 of file FormatBlockCommand.cpp, which is stack frame 5.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f6bd2b6a8e6e4858afd1f1b23d768030a01af69
Time: Wed Feb 10 02:54:06 2016
The CL last changed line 92 of file ApplyBlockElementCommand.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>DOM

=================================
Currently it's impacting the Head.
From the above change list, suspecting the changes made to ApplyBlockElementCommand.cpp, which is stack frame 3.
Suspect : https://codereview.chromium.org/1994043002
yosin@ : Could you please take a look into this if it's related to your change.

Comment 2 by yosin@chromium.org, Jun 27 2016

Components: -Blink>DOM Blink>Editing>Command
Labels: -Pri-1 OS-Windows Pri-2
Owner: ----
Status: Available (was: Assigned)
Summary: FormatBlock command crashes with PRE element (was: Crash in blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >::lastPos)

Comment 3 by yosin@chromium.org, Jul 5 2016

Owner: yosin@chromium.org
Status: Started (was: Available)
The root cause is that ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded() attempts to split a text node in an un-editable container node.

Comment 4 by yosin@chromium.org, Jul 5 2016

Owner: yoichio@chromium.org
Status: Assigned (was: Started)
Summary: user-select:all should not make elements not editable (was: FormatBlock command crashes with PRE element)
The root cause is that elements which have user-select:all aren't editable.
In the example below, the PRE element should be editable.

Minimal test case:

<!doctype html>
<div contenteditable id="sample">
foo
<pre style="-webkit-user-select: all">bar
</pre>
baz
</div>
<script>
getSelection().selectAllChildren(document.getElementById('sample'));
document.execCommand('FormatBlock', false, 'h1');
</script>

Layout Tree: PRE should be editable
BODY	0000016CC90C3100
	DIV	0000016CC90C3168 ID="sample" (editable) (focused)
		H1	0000016CC90C3440 (editable)
SE			#text	0000016CC90C34A8 "\nfoo\n"
		PRE	0000016CC90C3220 STYLE="-webkit-user-select: all"
			#text	0000016CC90C3288 "bar\n"
		#text	0000016CC90C32D8 "\nbaz\n"
	#text	0000016CC90C3328 "\n"
	SCRIPT	0000016CC90C3378
		#text	0000016CC90C33F0 "\ngetSelection().selectAllChildren(document.getElementById('sample'));\ndocument.execCommand('FormatBlock', false, 'h1');\n"
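A regression check for the expectation stated in this comment, written as an added example and not the project's own layout test: it loads the same minimal markup, asserts that the PRE inside the editing host reports itself editable despite user-select:all, then runs the FormatBlock command and logs the resulting markup for comparison with the layout tree above. It assumes the comment's claim (a user-select:all element inside a contenteditable host is editable) and uses a constructed `#log` element for output.

```html
<!doctype html>
<!-- Added regression check for issue 619876 (not the project's own test).
     Assumption: a user-select:all element inside a contenteditable host
     is editable; only selection granularity is affected by user-select. -->
<div contenteditable id="sample">
foo
<pre style="-webkit-user-select: all">bar
</pre>
baz
</div>
<pre id="log"></pre>
<script>
  var log = document.getElementById('log');
  function check(name, ok) {
    log.textContent += (ok ? 'PASS ' : 'FAIL ') + name + '\n';
    return ok;
  }
  var host = document.getElementById('sample');
  var pre = host.querySelector('pre');

  // 1. Editability is inherited from the editing host; user-select:all must
  //    not turn the PRE into a read-only container.
  check('PRE inside contenteditable host is editable', pre.isContentEditable);

  // 2. The command from comment 4. Before the fix this tried to split a text
  //    node inside a container Blink treated as non-editable and crashed the
  //    renderer, so reaching the next line at all is the regression signal.
  getSelection().selectAllChildren(host);
  document.execCommand('FormatBlock', false, 'h1');
  check('FormatBlock completed without a renderer crash', true);

  // 3. Record the resulting markup so it can be compared with the layout
  //    tree in the comment (where the PRE was left untouched).
  log.textContent += 'Result: ' + host.innerHTML + '\n';
</script>
```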

Project Member Comment 5 by sheriffbot@chromium.org, Jul 5 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Project Member Comment 6 by ClusterFuzz, Jul 6 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 7 by ClusterFuzz, Jul 11 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4971179651891200

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >::lastPos
  blink::ApplyBlockElementCommand::rangeForParagraphSplittingTextNodesIfNeeded
  blink::ApplyBlockElementCommand::formatSelection
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=283013:284047

Minimized Testcase (0.52 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96JRCMiTKLgL1c6-xtPNtueoC_YTprPCGX0EN-Q0iRJBDjHo0GRiqhQNJ81NvUozdFkQn5f4KRL0v2EIymB6_lXi8fWBMtbxLwRxiZUGRorfh2ZzAlirzko5OE3jcNUi4LcWBzgS9i9JBCeE4VJKI8ZIPKB2A?testcase_id=4971179651891200
<style>#log {
    }
#dom-fuzz-13840002 {
    -webkit-user-select: all;
    }
div {
    all: unset;
</style><script> {
; </script><pre contenteditable="true" id="sample">foo
<div id="dom-fuzz-13840002">bar
</div>
<script style="grid-auto-flow: dense;-webkit-transition-duration: 1ms">
    var container = document.getElementById('sample');
    var range = document.createRange()
    range.setEndAfter(container.lastChild);
    window.getSelection().addRange(range);
    document.execCommand('formatblock', false, '<h1>');
</script>


Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Project Member Comment 8 by ClusterFuzz, Jul 15 2016

ClusterFuzz has detected this issue as fixed in range 405185:405467.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=405185:405467

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 9 by ClusterFuzz, Jul 15 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Project Member Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot