New issue
Advanced search Search tips

Issue 628021 link

Starred by 1 user

Issue metadata

Status: Verified
Owner: ----
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug



Sign in to add a comment

Outdent command with visibility:collapsed hits DCHEK

Project Member Reported by ClusterFuzz, Jul 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5199607084875776

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isEndOfParagraph(endOfParagraphToMove). INPUT id="search1"@beforeAnchor/TextAffi
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.38 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv948HDSEIcNnc5GUTfQfubpqLyJ7Tnb357eNO4orfC9BEk9b5It1YstRyPmEcFfsrsaOFZx2BZdiEyuXkbnZfcbtb0cKN3aiX_OyTWgfgFKb7OmjtWuP04ZIpbFRkY_9JOZq2xT6ibqQyJdsLLrEYcoFslCYkA?testcase_id=5199607084875776
<style>
   * {
    visibility: visible;
}
*:only-of-type {
    visibility: collapse;
  </style>
  <script>
onload = function() {
    document.designMode = 'on';
    var __v_0 = document.querySelector('blockquote');
    getSelection().collapse(__v_0, 2);
    document.execCommand('Outdent');
};
  </script>
  <blockquote>
   <table>
   <table>
   </table>
  <input id="search1">
  <input>


Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: tkent@chromium.org
Status: Assigned (was: Available)
suspected cl : https://chromium.googlesource.com/chromium/src/+/4021ae18b9410d496adc92077e00672253f3876d%5E%21/third_party/WebKit/Source/core/editing/commands/CompositeEditCommand.cpp
 tkent @ could you please look into this. thank you !

Comment 2 by tkent@chromium.org, Jul 13 2016

Components: Blink>Editing
Owner: ----
Status: Untriaged (was: Assigned)
The suspected CL didn't change any code logic.
Route to Editing triage.

Comment 3 by yosin@chromium.org, Jul 14 2016

Components: -Blink>Editing Blink>Editing>Command
Labels: OS-Windows
Status: Available (was: Untriaged)
Summary: Outdent command with visibility:collapsed hits DCHEK (was: isEndOfParagraph(endOfParagraphToMove). INPUT id="search1"@beforeAnchor/TextAffi)
DOM Tree at DCHECK
BODY	00000240D9F632E8 (editable)
	BLOCKQUOTE	00000240D9F63AC8 (editable)
		#text	00000240D9F633B8 "\n   "
		TABLE	00000240D9F63408 (editable)
			#text	00000240D9F63508 "\n   "
	BR	00000240D9F63B30 (editable)
	BLOCKQUOTE	00000240D9F63350 (editable)
		TABLE	00000240D9F63488 (editable)
			#text	00000240D9F63558 "\n   "
		#text	00000240D9F635A8 "\n  "
*		INPUT	00000240D9F635F8 ID="search1" (editable)
*			#shadow-root	00000240D9F63700
*				DIV	00000240D9F637D0 ID="inner-editor" (editable)
		#text	00000240D9F63838 "\n  "
		INPUT	00000240D9F63888 (editable)
			#shadow-root	00000240D9F63990
				DIV	00000240D9F63A60 ID="inner-editor" (editable)
Project Member

Comment 4 by ClusterFuzz, Oct 7 2016

ClusterFuzz has detected this issue as fixed in range 423391:423439.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5199607084875776

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isEndOfParagraph(endOfParagraphToMove). INPUT id="search1"@beforeAnchor/TextAffi
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=423391:423439

Minimized Testcase (0.38 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv948HDSEIcNnc5GUTfQfubpqLyJ7Tnb357eNO4orfC9BEk9b5It1YstRyPmEcFfsrsaOFZx2BZdiEyuXkbnZfcbtb0cKN3aiX_OyTWgfgFKb7OmjtWuP04ZIpbFRkY_9JOZq2xT6ibqQyJdsLLrEYcoFslCYkA?testcase_id=5199607084875776
<style>
   * {
    visibility: visible;
}
*:only-of-type {
    visibility: collapse;
  </style>
  <script>
onload = function() {
    document.designMode = 'on';
    var __v_0 = document.querySelector('blockquote');
    getSelection().collapse(__v_0, 2);
    document.execCommand('Outdent');
};
  </script>
  <blockquote>
   <table>
   <table>
   </table>
  <input id="search1">
  <input>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 5 by ClusterFuzz, Oct 7 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment