Issue 625314 link

Starred by 3 users

Issue metadata

Status: Duplicate
Merged: issue 581038
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug


InsertOrderedList command crashes with SVG elements

Project Member Reported by ClusterFuzz, Jul 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5177501072752640

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::Node::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
  blink::InsertTextCommand::insertTab
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=403281:403408

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94bilPDzEftMhFLSMOUdVIhqCARUeVGxotvIaqEvkqeGCQ9Njtiu-C-_h3ZuSQAcJ7YKI5eVXPK0l5IR5WyQ9bSnyrrYHoNaaY3m-U67Pn_C2rLAIFbJTj7moCMczq3ZSVrBOSAidKQ50AHflvKrQJzXnwfgsAaB-5K2Jjt5VmkuHd893I?testcase_id=5177501072752640


Additional requirements: Requires Gestures

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: hayato@chromium.org
Status: Assigned (was: Available)
Suspected CL could be
https://chromium.googlesource.com/chromium/src/+/6310c024c916f3f7ea89eb3ffabbc94e59a3c29a%5E%21/third_party/WebKit/Source/core/dom/Node.cpp

Last updated by hayato@ weeks ago, please have a look and reassign if needed.

Thank you.
Cc: hayato@chromium.org
Components: Blink>Editing
Owner: yosin@chromium.org
yosin@, could you triage this?

Please feel free to assign this to me if this is a regression caused by my CL.

Comment 3 by yosin@chromium.org, Jul 4 2016

Labels: -Pri-1 Pri-2
Lower to Pri-2, since real world usage of InsertOrderedList command is low.

We hit DCHECK() in VisiblePosition ctor:
DCHECK(positionWithAffinity.position().inShadowIncludingDocument()) << positionWithAffinity;

beforeParagraph.showTreeForThis()
BODY	000001EE514632B8 (editable) (focused)
	OL	000001EE51463E80 (editable)
		LI	000001EE51463EF8 (editable)
*			BR	000001EE51463F60 (editable)
	#text	000001EE51463B28 "K}8yyyyyyyU}8w}{{{{{{{{/////QQQ/"
	HTML	000001EE514639E0 (editable)
	#text	000001EE51463750 "K}8yyyyyyyU}8w}{{{{{{{{/////QQQ/"

Comment 4 by yosin@chromium.org, Jul 5 2016

Components: -Blink>Editing Blink>Editing>Command
Owner: ----
Status: Available (was: Assigned)
Summary: InsertOrderedList command crashes with SVG elements (was: Crash in blink::Node::hasEditableStyle)
Labels: -OS-Windows OS-All
Owner: xiaoche...@chromium.org
Status: Assigned (was: Available)
This issue hits exactly the same DCHECK (given in #3) with the same stack trace as issue 451440 and issue 581038. Should be fixable with https://codereview.chromium.org/2127503002.
Cc: e...@chromium.org jchaffraix@chromium.org dsinclair@chromium.org
Issue 451440 has been merged into this issue.
Blocking: 581038
Blocking: -581038
Mergedinto: 581038
Status: Duplicate (was: Assigned)
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
