!range.document().needsLayoutTreeUpdate() in EditingUtilities.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6214828790382592
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !range.document().needsLayoutTreeUpdate() in EditingUtilities.cpp
  blink::normalizeRangeAlgorithm<>
  blink::normalizeRange
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=417243:417253

Minimized Testcase (0.47 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97OGRpXxd-z7AP4Mp0WGDbmzoE60CC5sbrWftHk28eBr1-bEgOesmbOf8V_NvWS6C3Qx0H39QHZnUrzjaKkJiaLb5XV474x8AkUiLQLWnOV9b_T3VymXtbkOKxO1-rt4OIGNJ77vBqV7IJ46zuVNPMTOMz45Q?testcase_id=6214828790382592

<b id="test"> Sed dictum erat sit amet pharetra pretium.
<script>
var __v_0 = document.getElementById('test').firstChild;
var __v_1 = document.createRange();
__v_1.setEnd(__v_0, __v_0.length - 5);
window.getSelection().addRange(__v_1);
</script>
<video autoplay=""<source src="../../../media/white.webm" type="video/webm">
<track>
<script>
document.getElementsByTagName('track')[0].track.mode = 'showing';
</script>

Issue manually filed by: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 13 2016
Is it another case where <video> mutates the DOM tree during |updateStyleAndLayout()|? If so, I guess we should triage to the style team?
Sep 13 2016
It is LayoutTextTrack::layout() that leaves the layout tree dirty after |updateStyleAndLayout()| finishes. Triaging to the media team, and hoping we can get rid of the |DeprecatedScheduleStyleRecalcDuringLayout| there.
Sep 13 2016
Sep 24 2016
ClusterFuzz has detected this issue as fixed in range 420571:420810.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6214828790382592
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !range.document().needsLayoutTreeUpdate() in EditingUtilities.cpp
  blink::normalizeRangeAlgorithm<>
  blink::normalizeRange
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=417243:417253
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420571:420810

Minimized Testcase (0.47 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97OGRpXxd-z7AP4Mp0WGDbmzoE60CC5sbrWftHk28eBr1-bEgOesmbOf8V_NvWS6C3Qx0H39QHZnUrzjaKkJiaLb5XV474x8AkUiLQLWnOV9b_T3VymXtbkOKxO1-rt4OIGNJ77vBqV7IJ46zuVNPMTOMz45Q?testcase_id=6214828790382592

<b id="test"> Sed dictum erat sit amet pharetra pretium.
<script>
var __v_0 = document.getElementById('test').firstChild;
var __v_1 = document.createRange();
__v_1.setEnd(__v_0, __v_0.length - 5);
window.getSelection().addRange(__v_1);
</script>
<video autoplay=""<source src="../../../media/white.webm" type="video/webm">
<track>
<script>
document.getElementsByTagName('track')[0].track.mode = 'showing';
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Sep 13 2016
Labels: M-55 Te-Logged
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)