Issue 628339 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




InsertHTML with display:flex crashes

Project Member Reported by ClusterFuzz, Jul 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5779519978078208

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false in ReplaceSelectionCommand.cpp
  blink::ReplaceSelectionCommand::mergeEndIfNeeded
  blink::ReplaceSelectionCommand::doApply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=399276:400924

Minimized Testcase (0.34 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96xkbTn05l_-wNu76-VDK4yaBfHEIWxCWnAJw8-5J5Bfbt9_4XKKOh0jUBVURQC78OENxDBF-84AvgcKAjnqy8N-F0EumFWTeQANbyY3UijhOopamYEshUSUQ8_VQfYdZd-oQkEj-CaaQXi8w0NKcLXWrRbsw?testcase_id=5779519978078208
<style>
  div {
    background: blue;
    display: flex;
  }
  span {
    background: white;
</style>
<div contenteditable="true" id="div">
  Everything n this editable region should be in one paragraph.
  <script>
    text = div.firstChild;
    sel = window.getSelection();
    sel.collapse(text);
    document.execCommand("InsertHTML", false, "<div>i</div>")
  </script>


Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Owner: yosin@chromium.org
Status: Assigned (was: Available)
CL: https://chromium.googlesource.com/chromium/src/+/673555a5d9c7a1bc26dc67813e1110cdc2e07268%5E%21/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommand.cpp

yosin@, could you please look into this? Thanks.

Comment 2 by yosin@chromium.org, Aug 2 2016

Components: Blink>Editing>Command
Labels: -Pri-1 -ClusterFuzz Clusterfuzz Pri-2
Owner: ----
Status: Available (was: Assigned)
Summary: InsertHTML with display:flex crashes (was: false in ReplaceSelectionCommand.cpp)
Lowering to Pri-2 since real-world usage of insertHTML is low and usage of display:flex without flex boxes is unusual.

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by yosin@chromium.org, May 22 2017

Labels: Pri-3
Bulk set to Pri-3 for ClusterFuzz bugs, since these issues happen with unusual HTML.

Comment 5 by ClusterFuzz, Jun 21 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 5779519978078208 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
