comparePositions(newEnd, newStart) >= 0 in ApplyStyleCommand.cpp
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4872648479997952
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
comparePositions(newEnd, newStart) >= 0 in ApplyStyleCommand.cpp
blink::ApplyStyleCommand::updateStartEnd
blink::ApplyStyleCommand::applyBlockStyle
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696
Minimized Testcase (1.39 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97FwKncUM-rQD3Pac5L7VV2HAkvFal6fxRQzwPhfYqcYEdSHq5Oek05z__Mqi-ZP8mfxjF_OxESx0S2PAAEq-g5-jZTCBmz9uHe74WQV7Z4r9ee2BBXPlDQ3VkZ2lRVUTdmU_gRi8Q0VsBSqkDZDdykC5kF8A?testcase_id=4872648479997952
Filer: rnimmagadda
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 27 2016
DOM tree at DCHECK
m_endingSelection.showTreeForThis()
BODY 000003C5665A3288 (editable)
FIELDSET 000003C5665A32F0 (editable)
#text 000003C5665A33B0 "\n"
SCRIPT 000003C5665A3170 (editable)
#text 000003C5665A31E8 "\n var iCleanup = setInterval({\n });\nvar event_handler_217_DOMNodeRemoved_active = false;\nfunction event_handler_217_DOMNodeRemoved() {\n var oElement = event.srcElement;\n if (!oElement.parentNode) {\n var oParent = ({\n })();\n }\n document.execCommand('RemoveFormat');\n}\ndocument.addEventListener("DOMNodeRemoved", event_handler_217_DOMNodeRemoved);\nfunction event_handler_218_select() {\n}\nwindow.onload=function(){\n var oSelection=window.getSelection();\n var oElement = (function(){\n var aoElements = document.getElementsByTagName("*");\n if (aoElements.length) return aoElements[28 % aoElements.length];\n })();\n if (!oElement) oElement = ({\n })();\n document.execCommand("SelectAll")\n if (oRange) {\n var oInsertedElement = ({\n })();\n }\n var oElement = (function(){\n })();\n if (!oElement) oElement = document.createElementNS('http://www.w3.org/2000/svg', 'script');\n if (oElement.parentNode) {\n }\n document.designMode = {"off":"on"}[document.designMode]\n if (oRange) {\n var oInsertedElement = ({\n })();\n }\n var oRange = oSelection.rangeCount ? oSelection.getRangeAt(66 % oSelection.rangeCount) : null;\n var oInsertedElement = (function(){\n var aoElements = document.getElementsByTagName("*");\n if (aoElements.length) return aoElements[98 % aoElements.length];\n })();\noRange.insertNode(oInsertedElement)\n var oParentElement = ({\n })();\n};\n"
SE SELECT 000003C5665A3400 (editable)
SE #shadow-root 000003C5665A3560
SE CONTENT 000003C5665A3630
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 6 2017
Could someone please update this issue? Thank you.
May 7 2017
ClusterFuzz testcase 4872648479997952 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by rnimmagadda@chromium.org, Jul 26 2016
Labels: -Pri-1 -Type-Bug M-54 findit-wrong Te-Logged Pri-2 Type-Bug-Regression
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)