New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 630427 link

Starred by 1 user
Status: WontFix
Owner: ----
Closed: Dec 2016
Cc:
mummare...@chromium.org
editing-dev@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 2
Type: Bug



Sign in to add a comment

Outdent command with visibility:collapsed crash

Project Member Reported by ClusterFuzz, Jul 21 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6250023604191232

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isEndOfParagraph(endOfParagraphToMove). #text "\n   manifest=\"resources/manifes
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95s-jKc5IpjdQFd8sBI_yoiiA_olb8IEq5GHX6HppgmInTYHf-DSfNnEOzeu9aXTTVuh4iqgE-jAnKSWyuo9OK8XyhLWltXb-cC-YQb1NKvamrGhSV5G0NcMczZ2Mc1K0omkKn2oDeuCtLPQ1KkQHQvBoEzQg?testcase_id=6250023604191232
<style>
   * {
    visibility: visible;
}
*:only-of-type {
    visibility: collapse;
</style>
  <script>
onload = function() {
    document.designMode = 'on';
    var __v_0 = document.querySelector('blockquote');
    getSelection().collapse(__v_0, 2);
    document.execCommand('Outdent');
};
  </script>
 <blockquote>
   <table>
    <table>
    </table>
   manifest="resources/manifest-containing-itself.manifest"


Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by mummare...@chromium.org, Jul 21 2016

Labels: Needs-triage Te-Logged M-52

Comment 2 by pucchakayala@chromium.org, Jul 22 2016

Components: Blink
Labels: -Needs-triage
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Suspecting the following:
https://chromium.googlesource.com/chromium/src/+/4e3c97ea19fef8e39373f6ebd2b5005403107b84

@yosin, can you please take a look at this issue ?

Comment 3 by dtapu...@chromium.org, Jul 24 2016

Components: -Blink Blink>Editing

Comment 4 by yosin@chromium.org, Jul 25 2016

Components: -Blink>Editing Blink>Editing>Command
Labels: -Pri-1 OS-Windows Pri-2
Owner: ----
Status: Available (was: Assigned)
Summary: Outdent command with visibility:collapsed crash (was: isEndOfParagraph(endOfParagraphToMove). #text "\n manifest=\"resources/manifes)
Lower to Pri-2, since real world usage of Outdent + visibility:collapsed is low.
Project Member

Comment 5 by ClusterFuzz, Jul 28 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6029330283233280

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isEndOfParagraph(endOfParagraphToMove). #text "\n   Should not be red\n  "@4/Tex
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv978QK7h5VDgJXXYg-ESwwnKV3TfEjtikVzcIz17bABCqCJp0Ufw36ZElSB3yB0k0wZ3M5LQuNIicBA6f0FdAYQBEFPNG6gzQ0BZAyw6GOnNxUqUPolWa68kK5ataTACMVnxDnBgNbbzOO108kmq_evgBSZzCA?testcase_id=6029330283233280
<style>
   * {
    visibility: visible;
}
*:only-of-type {
    visibility: collapse;
  </style>
  <script>
onload = function() {
    document.designMode = 'on';
    var __v_0 = document.querySelector('blockquote');
    getSelection().collapse(__v_0, 2);
    document.execCommand('Outdent');
};
</script>
  <blockquote>
   <table>
     <table>
   </table>
  <div>
   Should not be red
  </div>
  <div>


Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 6 by ClusterFuzz, Jul 28 2016 

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6622431309725696

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isStartOfParagraph(startOfParagraphToMove). #text "\n   This test passes if it d
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.47 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94b6KAkUdfHTjUEkJIQBOt84TUELg0Pc6bc48ySYSRoiTjvCV0IQPxpoIz0sxEouAuDjZcQPBKHuma-SDAZs6b7QgrBkaRUqq_jkmmA6cLKCh5jx9ymCfjo6ea9l4qT3e2Or7JakD9bK0vm_rjriCIolu4K1w?testcase_id=6622431309725696
<div>
   This test passes if it does not crash or trip ASAN. See  http://crbug.com/315889 
  </div>
  <style>
   * {
    visibility: visible;
}
*:only-of-type {
    visibility: collapse;
  </style>
  <script>
onload = function() {
    document.designMode = 'on';
    var __v_3 = document.querySelector('blockquote');
    getSelection().collapse(__v_3, 2);
    document.execCommand('Outdent');
};
  </script>
  <blockquote>
   <table>
   <table>
   </table>
  </blockquote>
   <div>


Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 7 by ClusterFuzz, Oct 7 2016 

ClusterFuzz has detected this issue as fixed in range 423391:423439.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6029330283233280

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isEndOfParagraph(endOfParagraphToMove). #text "\n   Should not be red\n  "@4/Tex
  blink::CompositeEditCommand::moveParagraph
  blink::IndentOutdentCommand::outdentParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=423391:423439

Minimized Testcase (0.39 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv978QK7h5VDgJXXYg-ESwwnKV3TfEjtikVzcIz17bABCqCJp0Ufw36ZElSB3yB0k0wZ3M5LQuNIicBA6f0FdAYQBEFPNG6gzQ0BZAyw6GOnNxUqUPolWa68kK5ataTACMVnxDnBgNbbzOO108kmq_evgBSZzCA?testcase_id=6029330283233280
<style>
   * {
    visibility: visible;
}
*:only-of-type {
    visibility: collapse;
  </style>
  <script>
onload = function() {
    document.designMode = 'on';
    var __v_0 = document.querySelector('blockquote');
    getSelection().collapse(__v_0, 2);
    document.execCommand('Outdent');
};
</script>
  <blockquote>
   <table>
     <table>
   </table>
  <div>
   Should not be red
  </div>
  <div>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 9 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Available)
ClusterFuzz testcase 6250023604191232 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment