Crash in blink::SpellCheckRequester::didCheckSucceed |
||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6333805529137152 Fuzzer: bj_broddelwerk Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000011 Crash State: blink::SpellCheckRequester::didCheckSucceed blink::WebTextCheckingCompletionImpl::didFinishCheckingText SpellCheck::PerformSpellCheck Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=411957:412185 Minimized Testcase (1.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Tft9O78awzQv8Gtb5PqCyD30fivy0PBqzVn-gEa-C4NGkDizxSTFmqa732N66IFErLIJ5-l0MgT0TzsdU4pyO4FQUbRhtzQfmfK24jMNIIfTZbRGJD4yLoQqzYAcIFFUYafvhYRMmoGHl1ro3f-k85RF5_w?testcase_id=6333805529137152 Issue manually filed by: durga.behera See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Aug 23 2016
The culprit is the static function |expandToParagraphRange()| in TextCheckingParagraph.cpp, which tries to return an inconsistent EphemeralRange with start position beyond end position. DOM tree when this happens: BODY 0x3fb81cfc37b8 (editable) (focused) DIV 0x3fb81cfc4a88 STYLE="text-align: center;" (editable) OBJECT 0x3fb81cfc3858 ID="object" (editable) #shadow-root 0x3fb81cfc3a30 CONTENT 0x3fb81cfc3b90 SELECT 0x3fb81cfc3c80 ID="select1" CLASS="CLASS4" #shadow-root 0x3fb81cfc3e60 CONTENT 0x3fb81cfc3fc0 BUTTON 0x3fb81cfc40b0 ID="button1" (editable) H2 0x3fb81cfc41a8 (editable) SMALL 0x3fb81cfc4248 CLASS="CLASS4" #text 0x3fb81cfc42e8 "AxBxC a" BUTTON 0x3fb81cfc4358 ID="button2" (editable) SELECT 0x3fb81cfc4450 ID="select2" (editable) #shadow-root 0x3fb81cfc4630 CONTENT 0x3fb81cfc4790 When the input range is [(<object>, 0), (#text "AxBxC a", 0)], the function tries to return [(<select id="select2">, 0), (#text "AxBxC a", 7)], hitting DCHECK in EphemeralRange's constructor.
,
Aug 23 2016
,
Aug 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8d1974aecc77d407a9ee89d2434f0079b4cc1e40 commit 8d1974aecc77d407a9ee89d2434f0079b4cc1e40 Author: xiaochengh <xiaochengh@chromium.org> Date: Wed Aug 24 02:15:54 2016 Force expandToParagraphBoundary to return a valid EphemeralRange This is a first-aid patch that make expandToParagraphBoundary() compare the paragraph boundaries found with the input range before returning, so that the returned range is always a super-range of the input range, and hence, a valid EphemeralRange. This patch does not fix the root cause of the bugs, as we: - do not expect startOfParagraph()'s return value to be beyond that of endOfParagraph()'s, and - are planning of getting rid of TextCheckingParagraph, the only client of expandToParagraphBoundary(), ultimately BUG= 639521 , 639801 , 640022 , 640030 , 640112 TEST=n/a; this is a first-aid patch Review-Url: https://codereview.chromium.org/2271603002 Cr-Commit-Position: refs/heads/master@{#413942} [modify] https://crrev.com/8d1974aecc77d407a9ee89d2434f0079b4cc1e40/third_party/WebKit/Source/core/editing/spellcheck/TextCheckingParagraph.cpp
,
Aug 25 2016
ClusterFuzz has detected this issue as fixed in range 413414:413421. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6333805529137152 Fuzzer: bj_broddelwerk Job Type: linux_asan_chrome_mp Platform Id: linux Crash Type: UNKNOWN READ Crash Address: 0x000000000011 Crash State: blink::SpellCheckRequester::didCheckSucceed blink::WebTextCheckingCompletionImpl::didFinishCheckingText SpellCheck::PerformSpellCheck Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=411957:412185 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=413414:413421 Minimized Testcase (1.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Tft9O78awzQv8Gtb5PqCyD30fivy0PBqzVn-gEa-C4NGkDizxSTFmqa732N66IFErLIJ5-l0MgT0TzsdU4pyO4FQUbRhtzQfmfK24jMNIIfTZbRGJD4yLoQqzYAcIFFUYafvhYRMmoGHl1ro3f-k85RF5_w?testcase_id=6333805529137152 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Aug 25 2016
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 27 2017
|
||||||
►
Sign in to add a comment |
||||||
Comment 1 by durga.behera@chromium.org
, Aug 22 2016Labels: M-54 Te-Logged
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)