Document::adoptNode() makes updating Range objects crash
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4738569096921088
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  newDocument == m_end.container()->document() in Range.cpp
  blink::Range::updateOwnerDocumentIfNeeded
  blink::Document::updateRangesAfterNodeMovedToAnotherDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=277990:278311
Minimized Testcase (0.69 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XBuXKsPxrysWhobZ1R5QdTukVX2YCBbRvL3F_WDcvm-XK1Vzg8h2yrSPjg_e3skohC7TsPUpzUgcEHxO1HLHvJoYsq3bKghbbf7JVY7KDR9MQk3vxnIfRUrm0WbsYByGIh1pGJO-n0DRvKsi-x9FirfsCGw?testcase_id=4738569096921088
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 2 2016
Aug 2 2016
Aug 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cf85ced047617936b910470b6ee8cfc490892cc7

commit cf85ced047617936b910470b6ee8cfc490892cc7
Author: yosin <yosin@chromium.org>
Date: Wed Aug 03 03:52:45 2016

Move Range objects new owner after moving tree rather than during moving tree

This patch changes moving |Range| objects to new document after moving all nodes in tree rather than moving nodes to process |Range| in stable state, e.g. both boundary points moved into new document by moving call of |updateRangesAfterNodeMovedToAnotherDocument()| at end of moving tree and renames it to |didMoveTreeToNewDocument()| to denote when it is called.

BUG= 633340
TEST=run_webkit_unit_tests --gtest_filter=RangeTest.updateOwnerDocumentIfNeeded

Review-Url: https://codereview.chromium.org/2194393004
Cr-Commit-Position: refs/heads/master@{#409446}

[modify] https://crrev.com/cf85ced047617936b910470b6ee8cfc490892cc7/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/cf85ced047617936b910470b6ee8cfc490892cc7/third_party/WebKit/Source/core/dom/Document.h
[modify] https://crrev.com/cf85ced047617936b910470b6ee8cfc490892cc7/third_party/WebKit/Source/core/dom/Node.cpp
[modify] https://crrev.com/cf85ced047617936b910470b6ee8cfc490892cc7/third_party/WebKit/Source/core/dom/RangeTest.cpp
[modify] https://crrev.com/cf85ced047617936b910470b6ee8cfc490892cc7/third_party/WebKit/Source/core/dom/TreeScopeAdopter.cpp
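The ordering problem the commit describes, as an added C++ model that is not Blink's code: a Range whose two boundary nodes both sit inside the adopted subtree is either updated after every single node moves (the pre-fix order, which trips the CHECK from the report) or once the whole tree has moved (the fix). The struct and function names below are assumptions of this model, not Blink's.

```cpp
// Added example (not Blink code): a minimal model of the ordering bug. A Range
// has two boundary nodes and an owner Document; the owner may only change once
// BOTH boundaries are in the new document, which is what the reported CHECK
// "newDocument == m_end.container()->document()" enforces.
#include <algorithm>
#include <vector>
struct Document;
struct Node { Document* document; std::vector<Node*> children; };
struct Range { Node* start; Node* end; Document* owner; };
struct Document { std::vector<Range*> ranges; };

// Returns false where Blink's CHECK would fire, instead of crashing.
static bool updateOwnerDocumentIfNeeded(Range& r) {
    Document* newDoc = r.start->document;
    if (r.owner == newDoc) return true;           // nothing to do (yet)
    if (r.end->document != newDoc) return false;  // end boundary still in old doc
    auto& old = r.owner->ranges;
    old.erase(std::remove(old.begin(), old.end(), &r), old.end());
    newDoc->ranges.push_back(&r);
    r.owner = newDoc;
    return true;
}

// Iterates over a copy: updateOwnerDocumentIfNeeded mutates oldDoc->ranges.
static bool updateRanges(Document* oldDoc) {
    for (Range* r : std::vector<Range*>(oldDoc->ranges))
        if (!updateOwnerDocumentIfNeeded(*r)) return false;
    return true;
}

// Moves the subtree rooted at n. With afterMove == false, ranges are processed
// after every single node (pre-fix); with true, the caller processes them once
// the whole tree has moved (the fix's didMoveTreeToNewDocument()).
static bool moveTree(Node* n, Document* oldDoc, Document* newDoc, bool afterMove) {
    n->document = newDoc;
    if (!afterMove && !updateRanges(oldDoc)) return false;
    for (Node* c : n->children)
        if (!moveTree(c, oldDoc, newDoc, afterMove)) return false;
    return true;
}

// Reproduces the report's shape: a Range spanning two siblings inside the
// adopted subtree. Returns true when adoption completes without the CHECK.
bool adoptWithSpanningRange(bool afterMove) {
    Document oldDoc, newDoc;
    Node a{&oldDoc, {}}, b{&oldDoc, {}}, root{&oldDoc, {&a, &b}};
    Range r{&a, &b, &oldDoc};
    oldDoc.ranges.push_back(&r);
    if (!moveTree(&root, &oldDoc, &newDoc, afterMove)) return false;
    return !afterMove || updateRanges(&oldDoc);
}
```

In the pre-fix order the check fails as soon as node `a` has moved, because the range's end boundary `b` is still owned by the old document; updating after the whole tree has moved sees both boundaries in the new document.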
Aug 3 2016
Aug 4 2016
ClusterFuzz has detected this issue as fixed in range 409418:409457.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4738569096921088
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  newDocument == m_end.container()->document() in Range.cpp
  blink::Range::updateOwnerDocumentIfNeeded
  blink::Document::updateRangesAfterNodeMovedToAnotherDocument
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=277990:278311
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=409418:409457
Minimized Testcase (0.69 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XBuXKsPxrysWhobZ1R5QdTukVX2YCBbRvL3F_WDcvm-XK1Vzg8h2yrSPjg_e3skohC7TsPUpzUgcEHxO1HLHvJoYsq3bKghbbf7JVY7KDR9MQk3vxnIfRUrm0WbsYByGIh1pGJO-n0DRvKsi-x9FirfsCGw?testcase_id=4738569096921088
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 1 2016
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)