
Issue 631384 link


Issue metadata

Status: Fixed
Owner: ----
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Regression




InsertHTML crashes with bogus SPAN.

Project Member Reported by ClusterFuzz, Jul 26 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6616861995433984

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::hasEditableStyle
  blink::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=407005:407057

Minimized Testcase (0.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv9608PLSSJcl83Z7jPVjgSqMCOp2Ee2oWkdU0IGqE8uT-JwiHgVCa3eSV_cNjG-9U0vqbZ8DMLKiKcfsu3vJHmV_gkRrFkdmfMcBtPsfHXawhe0ddJsfoBbIi5IVrNL1qDlkQxJD5WctHHmQO7GjiIK3BMqK-w?testcase_id=6616861995433984

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Editing Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: yoichio@chromium.org
Status: Assigned (was: Untriaged)
Suspecting:

Author: yoichio
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/d65d16a817f1f0522c93bc2471d1a62e37285f3e
Time: Fri Jul 22 03:41:12 2016
Line 604 of file Node.cpp, which potentially caused the crash, is changed in this CL (frame #2, "content_shell!blink::hasEditableStyle+0x6a").

Line 324 of file CompositeEditCommand.cpp, which potentially caused the crash, is changed in this CL (frame #3, "content_shell!blink::CompositeEditCommand::insertNodeBefore+0x33").

Files EditorCommand.cpp and ReplaceSelectionCommand.cpp are changed in this CL (and are part of stack frame #6, "content_shell!blink::executeInsertFragment+0x20").
Minimum distance from crash line to modified line: 0. (file: Node.cpp, crashed on: 604, modified: 604).

@yoichio: Could you please look into this issue?

Thank you.

Comment 2 by yosin@chromium.org, Jul 27 2016

Components: -Blink>Editing Blink>Editing>Command
Owner: ----
Status: Available (was: Assigned)
Summary: InsertHTML crashes with bogus SPAN. (was: Crash in blink::hasEditableStyle)
It seems DIV inside SPAN causes insertHTML to crash.

DOM tree at DCHECK:

m_endingSelection.showTreeForThis()
BODY	0000023809683170
	DIV	00000238096831D8 (editable) (focused)
		#text	0000023809683240 "\n   "
		B	0000023809683310 ID="test" (editable)
			#text	00000238096837E0 "\n             a"
			DIV	00000238096835A0 (editable)
				#text	0000023809683608 "foo"
			DIV	00000238096836C0 (editable)
				#text	0000023809683728 "bar"
SE			#text	00000238096833C8 "ll 79 news articles\n  "
			SCRIPT	0000023809683418 (editable)
				#text	0000023809683490 "... script ..."
		TABLE	0000023809683290 (editable)
			#text	0000023809683378 "\n          
Project Member

Comment 3 by ClusterFuzz, Jul 27 2016

Labels: Stability-Memory-AddressSanitizer
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5217676691767296

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::hasEditableStyle
  blink::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=406399:406472

Minimized Testcase (0.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95rQUz0ojWOvQ6uLDTFdrchzi2-49QWsBYH5UticgxNgFKliibgtTgToK2gYoYU8jDCU23VKULE5ZTtRh36GTTY3r5DFUrLm9oQ7e1elV8sbW6ZYWRLPVYUXrq5wA3Rm-lhVBBLIXYvgUbhGhL8mzLxpPzu-Q?testcase_id=5217676691767296

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 4 by yosin@chromium.org, Jul 28 2016

Issue 631991 has been merged into this issue.
Project Member

Comment 5 by ClusterFuzz, Jul 28 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4576607155257344

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::hasEditableLevel
  blink::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=406399:406472

Minimized Testcase (0.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AJ8Db3AJXjD3jgrdz-Whq-z91Dqbk_QguB9Zf2OWQ0khn3Bhd4gseFXyNn2Eb_TBIRR6Z-mDkAHk4FsMOIkCzUsjVth8051Wa1Gz9swyc-449M9LkTY7FAPWL6PNa7t7XHBhL8EwdotXsNNgUtNSA-62KpQ?testcase_id=4576607155257344

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 6 by ClusterFuzz, Aug 3 2016

ClusterFuzz has detected this issue as fixed in range 409147:409160.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4576607155257344

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::hasEditableLevel
  blink::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=406399:406472
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=409147:409160

Minimized Testcase (0.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AJ8Db3AJXjD3jgrdz-Whq-z91Dqbk_QguB9Zf2OWQ0khn3Bhd4gseFXyNn2Eb_TBIRR6Z-mDkAHk4FsMOIkCzUsjVth8051Wa1Gz9swyc-449M9LkTY7FAPWL6PNa7t7XHBhL8EwdotXsNNgUtNSA-62KpQ?testcase_id=4576607155257344

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Aug 3 2016

ClusterFuzz has detected this issue as fixed in range 409147:409160.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5217676691767296

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::hasEditableStyle
  blink::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=406399:406472
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=409147:409160

Minimized Testcase (0.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95rQUz0ojWOvQ6uLDTFdrchzi2-49QWsBYH5UticgxNgFKliibgtTgToK2gYoYU8jDCU23VKULE5ZTtRh36GTTY3r5DFUrLm9oQ7e1elV8sbW6ZYWRLPVYUXrq5wA3Rm-lhVBBLIXYvgUbhGhL8mzLxpPzu-Q?testcase_id=5217676691767296

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: msrchandra@chromium.org
Status: Fixed (was: Available)
Changing the status to Fixed, as ClusterFuzz has detected the issue as fixed in the regressed range in comment #7.
Please undo if that is not the case.
Thank you.
