Range::extractContents() can be crashed with DOM mutation event |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6327744776634368

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !firstChildInAncestorToProcess || firstChildInAncestorToProcess->parentNode() ==
  blink::Range::processAncestorsAndTheirSiblings
  blink::Range::processContents

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (1.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv944JDELDZGXs_UrI7KLQV5cLkaGtV0q5FlgYQRb9qYMbHei_vKTVngMb0dagxi2vLLja4Mm1BiNdCKCnYqn7Q_l-qAWL_foF-SsgVQl1qqMAjGeMZdx6p562Kdy02QtbWPy3IhYJGrPycpIC17uGm7HE0omOw?testcase_id=6327744776634368

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 31 2016
Range > yosin@. yosin@, could you triage this?
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 28 2016
Nov 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e19337b440249f853e44e2df4912236e07b60803

commit e19337b440249f853e44e2df4912236e07b60803
Author: yosin <yosin@chromium.org>
Date: Tue Nov 29 02:54:18 2016

Postpone DOM mutation event in Range::extractContents()

This patch makes |Range::extractContents()| postpone DOM mutation event dispatching until just before returning its value, rather than updating the C++ variables that hold |Node*| on every DOM mutation call, e.g. Node::appendChild(), Node::removeChild(), etc., to avoid running JavaScript code during |extractContents()|, for simplicity.

For executing script in |RangeTest|, this patch makes the |RangeTest| class derive from |EditingTestBase|.

This patch removes "fast/dom/Range/range-created-in-mutation-event-crash.xhtml" since it causes a script error by calling |Range#getBoundingClientRect()| with a |null| value, and the coverage of this test is the same as the newly added gTest.

This patch is similar to http://crrev.com/199383004, which makes |Range::deleteContents()| postpone DOM mutation events.

BUG=642537
TEST=run_webkit_unittets --gtest_filter=extractContentsWithDOMMutationEvent

Review-Url: https://codereview.chromium.org/2532843002
Cr-Commit-Position: refs/heads/master@{#434848}

[delete] https://crrev.com/0496be2799d97a95ace380e2e45e454f549d6b2d/third_party/WebKit/LayoutTests/fast/dom/Range/range-created-in-mutation-event-crash-expected.txt
[delete] https://crrev.com/0496be2799d97a95ace380e2e45e454f549d6b2d/third_party/WebKit/LayoutTests/fast/dom/Range/range-created-in-mutation-event-crash.xhtml
[modify] https://crrev.com/e19337b440249f853e44e2df4912236e07b60803/third_party/WebKit/Source/core/dom/Range.cpp
[modify] https://crrev.com/e19337b440249f853e44e2df4912236e07b60803/third_party/WebKit/Source/core/dom/RangeTest.cpp
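The bug class behind this report, and the shape of the fix in the commit above, as an added example that is not Blink's code or the ClusterFuzz testcase: a toy tree with an owning child list and raw parent pointers, a "mutation event" listener that is allowed to mutate the tree, and one traversal that either dispatches the listener synchronously (pre-fix) or records removals and dispatches only after the C++ walk has finished (the commit's approach). The listener here is constructed to move the traversal's remembered next sibling out of the container, which is exactly the invariant the reported CHECK (`firstChildInAncestorToProcess->parentNode() == ...`) guards. All names (Node, extractChildren, makeHostileListener, Fragment) are hypothetical stand-ins, and the scenario goes beyond the report only in that it also shows the deferred-dispatch variant side by side.

```cpp
// Added example, not Blink's code. Names are hypothetical stand-ins for the
// Range/Node machinery in the report.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Node {
  std::string name;
  Node* parent = nullptr;                         // raw back-pointer, like parentNode()
  std::vector<std::unique_ptr<Node>> children;    // owning forward links

  explicit Node(std::string n) : name(std::move(n)) {}

  Node* appendChild(std::unique_ptr<Node> child) {
    child->parent = this;
    children.push_back(std::move(child));
    return children.back().get();
  }

  // Detaches |child| and hands ownership back to the caller (nullptr if absent).
  std::unique_ptr<Node> removeChild(Node* child) {
    for (auto it = children.begin(); it != children.end(); ++it) {
      if (it->get() != child) continue;
      std::unique_ptr<Node> out = std::move(*it);
      children.erase(it);
      out->parent = nullptr;
      return out;
    }
    return nullptr;
  }

  Node* siblingAfter(const Node* child) const {
    for (size_t i = 0; i + 1 < children.size(); ++i)
      if (children[i].get() == child) return children[i + 1].get();
    return nullptr;
  }
};

// Stand-in for a DOMNodeRemoved listener: script that runs in response to a
// removal and may itself mutate the tree.
using MutationListener = std::function<void(Node* removed)>;

struct Fragment {
  bool ok = true;                  // false == the invariant the CHECK guards was violated
  std::vector<std::string> names;  // nodes that made it into the extracted fragment
};

// Extracts |count| consecutive children of |container| starting at |first|.
// dispatchNow == true mirrors the pre-fix behaviour (listener runs mid-walk);
// dispatchNow == false mirrors the fix (removals are queued, listener runs
// only once the C++ traversal holds no more tree state).
Fragment extractChildren(Node* container, size_t first, size_t count,
                         const MutationListener& listener, bool dispatchNow) {
  Fragment frag;
  std::vector<std::unique_ptr<Node>> extracted;  // keeps removed nodes alive
  std::vector<Node*> pending;                    // deferred mutation events
  if (first >= container->children.size()) return frag;

  Node* cur = container->children[first].get();
  for (size_t i = 0; i < count && cur != nullptr; ++i) {
    Node* next = container->siblingAfter(cur);   // remembered *before* mutating

    extracted.push_back(container->removeChild(cur));
    frag.names.push_back(cur->name);

    if (dispatchNow) listener(cur);              // script runs while |next| is still trusted
    else pending.push_back(cur);

    // Analogue of the failing CHECK: the node about to be processed must still
    // hang off |container|. Synchronous dispatch lets the listener break that.
    if (next != nullptr && next->parent != container) { frag.ok = false; break; }
    cur = next;
  }

  for (Node* n : pending) listener(n);           // safe: nothing left to invalidate
  return frag;
}

// Constructed hostile listener: when "b" is removed it pulls "c" out of the
// container, the way a mutation-event handler can rearrange the DOM beneath
// an in-progress Range operation.
MutationListener makeHostileListener(Node* container, Node* stash) {
  return [container, stash](Node* removed) {
    if (removed->name != "b") return;
    for (auto& child : container->children) {
      if (child->name == "c") {
        stash->appendChild(container->removeChild(child.get()));
        return;  // the iterator is invalid after removeChild; stop here
      }
    }
  };
}

// Builds <p>a b c d</p> and extracts the range [b, c] with the listener armed.
Fragment runScenario(bool dispatchNow) {
  Node container("p");
  Node stash("stash");
  for (const char* n : {"a", "b", "c", "d"})
    container.appendChild(std::make_unique<Node>(n));
  return extractChildren(&container, 1, 2,
                         makeHostileListener(&container, &stash), dispatchNow);
}

int main() {
  Fragment before = runScenario(true);
  Fragment after = runScenario(false);
  std::printf("synchronous dispatch: ok=%d extracted=%zu\n", before.ok, before.names.size());
  std::printf("deferred dispatch:    ok=%d extracted=%zu\n", after.ok, after.names.size());
  return 0;
}
```

With synchronous dispatch the walk stops after "b" with the invariant broken; with deferred dispatch both "b" and "c" are extracted and the listener runs afterwards against a tree the traversal no longer depends on. The general lesson is the one the commit applies: do not run untrusted callbacks while C++ code still holds raw pointers into the structure those callbacks can mutate.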
Nov 29 2016
Comment 1 by mummare...@chromium.org, Aug 30 2016
Labels: Te-Logged M-53
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)