Issue 640030


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug

Blocked on:
issue 640112




Crash in blink::NodeTraversal::traverseNextTemplate<blink::Node const >

Project Member Reported by ClusterFuzz, Aug 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5033400295751680

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::NodeTraversal::traverseNextTemplate<blink::Node const >
  blink::DocumentMarkerController::markersInRange
  blink::SpellCheckRequest::create
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=411522:411529

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97sRll9-Lp1iKto3SK6hH5iAi6eLCnicPbKLYEPhP3_KisAzGX3C0yF7qiKzAi7idsWn-MwOiAP1IayHm_K-jkJb0HoAh6swBY4fBx_KeUxt4ucwrW9GkxwptyKPfY4Bk6bJzVb_NUlm9W6MrygowEtdrX1TQ?testcase_id=5033400295751680


Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
yosin@ could you please look into this. Please feel free to reassign if needed. Thank you.

Comment 2 by yosin@chromium.org, Aug 23 2016

Components: UI>Browser>Spellcheck
Owner: xiaoche...@chromium.org
Caused by SpellChecker?
Blockedon: 640112
Another crash caused by |expandToParagraphBoundary()|...

Comment 4 by bugdroid1@chromium.org, Aug 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8d1974aecc77d407a9ee89d2434f0079b4cc1e40

commit 8d1974aecc77d407a9ee89d2434f0079b4cc1e40
Author: xiaochengh <xiaochengh@chromium.org>
Date: Wed Aug 24 02:15:54 2016

Force expandToParagraphBoundary to return a valid EphemeralRange

This is a first-aid patch that makes expandToParagraphBoundary()
compare the paragraph boundaries found with the input range before
returning, so that the returned range is always a super-range of
the input range, and hence, a valid EphemeralRange.

This patch does not fix the root cause of the bugs, as we:
- do not expect startOfParagraph()'s return value to be beyond that of
endOfParagraph()'s, and
- are planning on getting rid of TextCheckingParagraph, the only client
of expandToParagraphBoundary(), ultimately

BUG=639521,639801,640022,640030,640112
TEST=n/a; this is a first-aid patch

Review-Url: https://codereview.chromium.org/2271603002
Cr-Commit-Position: refs/heads/master@{#413942}

[modify] https://crrev.com/8d1974aecc77d407a9ee89d2434f0079b4cc1e40/third_party/WebKit/Source/core/editing/spellcheck/TextCheckingParagraph.cpp
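The invariant the commit message describes, as an added example that is neither Blink's code nor the patch itself: a toy expandToParagraphBoundary over integer offsets into a string, a constructed misbehaving start-of-paragraph helper standing in for the unexplained root cause, and the compare-with-input clamp that guarantees the result is a valid super-range of the input.

```cpp
// Added illustration, NOT Blink code: positions are offsets into a std::string
// and the boundary helpers are constructed stand-ins, not Blink's real ones.
#include <algorithm>
#include <string>

struct Range {
  std::size_t start;
  std::size_t end;
  // Like a valid EphemeralRange, a valid Range never has start > end.
  bool isValid() const { return start <= end; }
  bool contains(const Range& other) const {
    return start <= other.start && other.end <= end;
  }
};
using BoundaryFn = std::size_t (*)(const std::string&, std::size_t);

// Constructed stand-in for startOfParagraph(): paragraphs end at '\n'.
std::size_t paragraphStart(const std::string& text, std::size_t pos) {
  if (pos == 0) return 0;
  std::size_t nl = text.rfind('\n', pos - 1);
  return nl == std::string::npos ? 0 : nl + 1;
}
// Constructed stand-in for endOfParagraph().
std::size_t paragraphEnd(const std::string& text, std::size_t pos) {
  std::size_t nl = text.find('\n', pos);
  return nl == std::string::npos ? text.size() : nl;
}
// Constructed misbehaving helper, standing in for the unexplained root cause:
// it reports a paragraph "start" at the very end of the text.
std::size_t brokenParagraphStart(const std::string& text, std::size_t) {
  return text.size();
}

// Before the fix: the boundaries are trusted blindly, so a misbehaving helper
// can yield an inverted (start > end) range, i.e. an invalid one.
Range expandUnchecked(const std::string& text, Range input,
                      BoundaryFn startOf, BoundaryFn endOf) {
  return Range{startOf(text, input.start), endOf(text, input.end)};
}

// After the fix (the idea of r413942): compare the boundaries found with the
// input range, so the result always contains the input and is valid whenever
// the input is.
Range expandChecked(const std::string& text, Range input,
                    BoundaryFn startOf, BoundaryFn endOf) {
  Range expanded = expandUnchecked(text, input, startOf, endOf);
  expanded.start = std::min(expanded.start, input.start);
  expanded.end = std::max(expanded.end, input.end);
  return expanded;
}
```

With the sample text "first para\nsecond para\nthird" (constructed) and input range {12, 18}, the well-behaved helpers give {11, 22}; the broken helper gives the inverted {28, 22} unchecked, which the clamp turns back into {12, 22}.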

Status: Fixed (was: Assigned)
Prior to r413942, the test case hits a DCHECK in EphemeralRange's constructor; with the revision it does not crash anymore. Hence marking the issue as fixed.

Not sure how to update ClusterFuzz's report, though...

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -UI>Browser>Spellcheck UI>Browser>Language>Spellcheck
