New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 648524 link

Starred by 3 users
Status: WontFix
Owner: ----
Closed: Nov 2016
Cc:
nek...@chromium.org
timloh@chromium.org
yosin@chromium.org
editing-dev@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Sign in to add a comment

VisibleSelection::validate() should handle SLOT element outside shadow root

Project Member Reported by ClusterFuzz, Sep 20 2016 
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6051847817396224

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::Node::isShadowRoot
  blink::Node::parentNode
  blink::Node::parentElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=419419:419426

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95lCCH9Izk9wNNNb9MfYJV2p34zqNehJskwejc_1QZO7t4CiOpIJye1tlQhWU-FaK3WSbHUFOJ5-8gR1rMoQRBmrP7kQENvx3c8ByMM1LlS2VH_luuDnwsIzvLmOoIFa19qkMJw5cRhrd5Bg9k_efnujGOHUw?testcase_id=6051847817396224


Additional requirements: Requires Gestures

Issue manually filed by: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by kavvaru@chromium.org, Sep 20 2016

Components: Blink
Labels: Findit-for-crash M-55 Te-Logged
Owner: shanmug...@samsung.com
Status: Assigned (was: Untriaged)
Findit could not find any suspected CLs.

Suspected Project: chromium
==============================

Change Log::
https://chromium.googlesource.com/chromium/src/+log/47a0672f5b94140cfbed534b180c7b81a500de0c..98859cdc638718d0399f36230c989d58b96de94a?pretty=fuller

Possible suspect from the above CL
https://codereview.chromium.org/2344403002

shanmuga.m@ could you please look into this issue if it is related to your change,else please re assign to an appropriate dev person.

Thanks,

Comment 2 by shanmug...@samsung.com, Sep 20 2016

Owner: timloh@chromium.org
This crash is not related to my change.

@timloh,
 It may be related to your change.

commit f3c212113fa3578799a243e1940e533ac6eac927  
author timloh <timloh@chromium.org> Mon Sep 19 10:21:26 2016 
committer Commit bot <commit-bot@chromium.org> Mon Sep 19 10:23:03 2016 

CSS Properties and Values API: Support more syntax strings

Comment 3 by dtapu...@chromium.org, Sep 20 2016

Components: -Blink Blink>Editing Blink>DOM

Comment 4 by ligim...@chromium.org, Sep 20 2016

Labels: Needs-triage

Comment 5 by mummare...@chromium.org, Sep 21 2016

Cc: nek...@chromium.org yosin@chromium.org
yosin@/nektar@, could you please take a look and please help us to find correct owner if it is not related your changes.

Comment 6 by yosin@chromium.org, Sep 21 2016

Cc: timloh@chromium.org
Components: -Blink>Editing -Blink>DOM Blink>TextSelection
Owner: ----
Status: Available (was: Assigned)
Summary: VisibleSelection::validate() should handle SLOT element outside shadow root (was: Crash in blink::Node::isShadowRoot)
CF script appends SLOT element to TABLE. It seems we should handle SLOT element outside shadow root case.

Comment 7 by manoranj...@chromium.org, Oct 12 2016 

Gentle Ping! yosin@, do we have any further update on this?

Thank you!

Comment 8 by tkent@chromium.org, Oct 12 2016

Components: -Blink>TextSelection Blink>Editing>Selection
Project Member

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by yosin@chromium.org, Nov 30 2016 

Below test is succeeded.

TEST_F(PositionTest, comparePositions) {
  setBodyContent("<slot id='slot1'></slot><slot id='slot2'></slot>");
  Element* const slot1 = document().getElementById("slot1");
  Element* const slot2 = document().getElementById("slot2");
  PositionInFlatTree position1(slot1, 0);
  PositionInFlatTree position2(slot2, 0);
  EXPECT_TRUE(position1 < position2) << position1 << ' ' << position2;
}

Comment 11 by yosin@chromium.org, Nov 30 2016

Status: Fxied (was: Available)
http://crrev.com/2460813002 fixed this issue too.

Comment 12 by tkent@chromium.org, Nov 30 2016

Status: WontFix (was: Fxied)

Sign in to add a comment