Issue 626730 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



DCHECK failure in blink::VisiblePositionTemplate<>::create()

Reported by ClusterFuzz (Project Member), Jul 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5711514707427328

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  positionWithAffinity.position().inShadowIncludingDocument(). #text ""@1/TextAffi
  blink::VisiblePositionTemplate<>::create
  blink::createVisiblePosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=389884:390111

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97gcQEcZQh4dKynNPQI--q7E36ToveCeeEqMHQ3bIQu_By2rDzIW-P6q9Gp8MK-QntQZeEB8VkAirfAz-IOkV1LR9XEhoSCkj8XiUo5FjjK32LeuuzjDVhhBnxiuRhUnEgCSQxgLpjjLhssiPyg_PQdec6RQw?testcase_id=5711514707427328
<body>
Pass. WebKit didn't crash.<ul><br><br><script>
    document.execCommand("SelectAll");
    document.designMode = "on";
    document.execCommand("JustifyRight");
</script>


Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: Needs-triage Te-Logged M-52
Labels: -M-52 -Needs-triage
Owner: yosin@chromium.org
Status: Untriaged (was: Available)
Summary: DCHECK failure in blink::VisiblePositionTemplate<>::create() (was: positionWithAffinity.position().inShadowIncludingDocument(). #text ""@1/TextAffi)

Comment 3 by yosin@chromium.org, Jul 21 2016

Labels: -ClusterFuzz Clusterfuzz
Status: Started (was: Untriaged)
DOM tree at assertion:
m_endingSelection.showTreeForThis()
BODY	00000263B7443160 (editable)
	DIV	00000263B7443418 STYLE="text-align: right;" (editable)
SE		#text	00000263B7443610 "Pass. WebKit didn't crash."
	UL	00000263B7443218 (editable)
		BR	00000263B74432E8 (editable)
		SCRIPT	00000263B7443350 (editable)
			#text	00000263B74433C8 "... script ..."


Comment 4 by yosin@chromium.org, Jul 21 2016

In review: http://crrev.com/2170823002

Comment 5 by bugdroid1@chromium.org (Project Member), Jul 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/afbdbad679e6e40634a15ca8d91aaf0d46bcaec3

commit afbdbad679e6e40634a15ca8d91aaf0d46bcaec3
Author: yosin <yosin@chromium.org>
Date: Fri Jul 22 03:46:42 2016

Make ApplyStyleCommand::applyBlockStyle() to use connected position only

This patch makes |ApplyStyleCommand::applyBlockStyle()| use a connected
position for |paragraphStart| by checking whether |paragraphStart| is still
connected after calling |moveParagraphContentsToNewBlockIfNecessary()|, which
detaches the anchor node of |paragraphStart| from the document.

This patch also introduces |DCHECK(paragraphStart.isConnected())| to catch
other cases in the future.

In crbug.com/626730, we call |endOfParagraph()| with a disconnected position in
|paragraphStart|, then hit the connected-position |DCHECK| in the
|VisiblePosition| constructor.

BUG=626730
TEST=LayoutTests/editing/execCommand/apply_style/justify_right_ul_br_crash.html

Review-Url: https://codereview.chromium.org/2170823002
Cr-Commit-Position: refs/heads/master@{#407043}

[add] https://crrev.com/afbdbad679e6e40634a15ca8d91aaf0d46bcaec3/third_party/WebKit/LayoutTests/editing/execCommand/apply_style/justify_right_ul_br_crash.html
[modify] https://crrev.com/afbdbad679e6e40634a15ca8d91aaf0d46bcaec3/third_party/WebKit/Source/core/editing/commands/ApplyStyleCommand.cpp
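
To show the bug class behind this fix in code, here is an added example that is not Blink's or the project's code; every type and function name is a hypothetical toy model of the ones the commit message names. A Position whose anchor node is detached by the paragraph move trips the connected-position check, while the patched path re-derives a connected position before proceeding.

```cpp
// Added example (not Blink's code): toy model of the stale-position DCHECK.
#include <algorithm>
#include <stdexcept>
#include <vector>
struct Node {
    const char* name; bool isDocument = false;
    Node* parent = nullptr; std::vector<Node*> children;
    bool isConnected() const {              // reachable from the document root
        const Node* n = this;
        while (n->parent) n = n->parent;
        return n->isDocument;
    }
};
struct Position {
    Node* anchor = nullptr; int offset = 0;
    bool isConnected() const { return anchor && anchor->isConnected(); }
};
static void appendChild(Node* p, Node* c) { c->parent = p; p->children.push_back(c); }
static void removeChild(Node* c) {
    auto& s = c->parent->children;
    s.erase(std::find(s.begin(), s.end(), c));
    c->parent = nullptr;
}
// Models the connected-position DCHECK in the VisiblePosition constructor.
static Position createVisiblePosition(Position p) {
    if (!p.isConnected()) throw std::logic_error("DCHECK: position not connected");
    return p;
}
// Models moveParagraphContentsToNewBlockIfNecessary(): |text| is detached and a
// copy of it is placed inside |block|, which is appended to the former parent.
static void moveParagraphContentsToNewBlock(Node* text, Node* block, Node* copy) {
    Node* parent = text->parent;
    removeChild(text);
    appendChild(block, copy);
    appendChild(parent, block);
}
// Returns true when endOfParagraph() (modelled by createVisiblePosition) sees a
// connected position; |fixed| enables the re-derivation the patch added.
bool applyBlockStyle(bool fixed) {
    Node doc{"#document", true}, body{"BODY"}, text{"#text"}, block{"DIV"}, copy{"#text"};
    appendChild(&doc, &body);
    appendChild(&body, &text);
    Position paragraphStart{&text, 0};
    moveParagraphContentsToNewBlock(&text, &block, &copy);   // |text| is now detached
    if (fixed && !paragraphStart.isConnected())
        paragraphStart = Position{block.children.front(), 0}; // connected position only
    try { createVisiblePosition(paragraphStart); return true; }
    catch (const std::logic_error&) { return false; }
}
```

Calling `applyBlockStyle(false)` reproduces the stale-position failure and `applyBlockStyle(true)` the patched behaviour.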

Comment 6 by yosin@chromium.org, Jul 22 2016

Status: Fixed (was: Started)

Comment 7 by ClusterFuzz (Project Member), Jul 23 2016

ClusterFuzz has detected this issue as fixed in range 406809:407197.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=406809:407197

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97gcQEcZQh4dKynNPQI--q7E36ToveCeeEqMHQ3bIQu_By2rDzIW-P6q9Gp8MK-QntQZeEB8VkAirfAz-IOkV1LR9XEhoSCkj8XiUo5FjjK32LeuuzjDVhhBnxiuRhUnEgCSQxgLpjjLhssiPyg_PQdec6RQw?testcase_id=5711514707427328
<body>
Pass. WebKit didn't crash.<ul><br><br><script>
    document.execCommand("SelectAll");
    document.designMode = "on";
    document.execCommand("JustifyRight");
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment