<slot><br> selection crashes browser tab. (aw snap)
Reported by
tsrwebgl@gmail.com,
Sep 23 2016
|
||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2859.0 Safari/537.36 Steps to reproduce the problem: Use this html code: <html> <head></head> <body> <slot> select from here<br /> <br /> to here and chrome will crash.<br /> </slot> </body> </html>. Select (click and drag) the middle area and the tab will crash. What is the expected behavior? What went wrong? There is some error in that element that causes the tab to unexpectedly crash. Crashed report ID: Crash ID 407ca074-b222-4415-83bb-776b334af3a6 (Server ID: 896f859e00000000) How much crashed? Just one tab Is it a problem with a plugin? No Did this work before? Yes Chrome version: 55.0.2859.0 Channel: dev OS Version: 10.0 Flash Version: Shockwave Flash 23.0 r0
,
Sep 23 2016
JSfiddle created: https://jsfiddle.net/9ocdpe89/ The crash also repros in Stable 53.0.2785.116 The crash is due to dereferencing a null pointer in |comparePositions(containerA, offsetA, containerB, offsetB)|: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/EditingUtilities.cpp?rcl=0&l=160 // case 3: node C (container A or an ancestor) is a child node of B c = containerA; while (c && Traversal::parent(*c) != containerB) c = Traversal::parent(*c); if (c) { int offsetC = 0; Node* n = Traversal::firstChild(*containerB); while (n != c && offsetC < offsetB) { offsetC++; // Crash site, |n| becomes nullptr here n = Traversal::nextSibling(*n); } if (offsetC < offsetB) return -1; // A is before B return 1; // A is after B }
,
Sep 23 2016
DOM tree when crashing: BODY #text "\n " SLOT #text "\nselect from here" BR #text "\n" BR #text "\nto here and chrome will crash." BR #text "\n" #text "\n \n\n\n\n\n" Values of relevant variables in #3: ContainerA = #text "\nselect from here", offsetA doesn't matter ContainerB = BODY, offsetB = 3 c = #text "\nselect from here" Since the <slot> is not in any shadow tree and does not have any assigned node, the flat tree should be identical to the DOM tree according to the spec (https://w3c.github.io/webcomponents/spec/shadow/#flattening-algorithm). However: - |Traversal::parent(*c)| directly gives BODY instead of SLOT - When iterating child nodes of BODY via |Traversal::firstChild| and |Traversal::nextSibling|, SLOT is skipped According to the spec's Flattening Algorithm, slot elements are still in the flat tree. The current implementation of the flat tree traversal algorithm skips slot nodes, which I think is inconsistent with the spec. hayato@: could you take a look and let me know if my understanding is correct? Thanks!
,
Sep 30 2016
yosin@, it looks the selection still crashes.
,
Sep 30 2016
Here is stack trace: (not as same as #c4) blink_core.dll!blink::comparePositions<blink::FlatTreeTraversal>(blink::Node * containerA, int offsetA, blink::Node * containerB, int offsetB, bool * disconnected) Line 212 blink_core.dll!blink::comparePositionsInFlatTree(blink::Node * containerA, int offsetA, blink::Node * containerB, int offsetB, bool * disconnected) Line 223 blink_core.dll!blink::comparePositions(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & positionA, const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & positionB) Line 317 blink_core.dll!blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::compareTo(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & other) Line 323 blink_core.dll!blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::setBaseAndExtentToDeepEquivalents() Line 314 blink_core.dll!blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::validate(blink::TextGranularity granularity) Line 512 blink_core.dll!blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::setExtent(const blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & visiblePosition) Line 190 blink_core.dll!blink::SelectionController::updateSelectionForMouseDrag(const blink::HitTestResult & hitTestResult, blink::Node * mousePressNode, const blink::LayoutPoint & dragStartPos, const blink::IntPoint & lastKnownMousePosition) Line 262 blink_core.dll!blink::SelectionController::handleMouseDraggedEvent(const blink::EventWithHitTestResults<blink::PlatformMouseEvent> & event, const blink::IntPoint & mouseDownPos, const blink::LayoutPoint & dragStartPos, blink::Node * mousePressNode, const blink::IntPoint & lastKnownMousePosition) Line 492 blink_core.dll!blink::EventHandler::handleMouseDraggedEvent(const blink::EventWithHitTestResults<blink::PlatformMouseEvent> & event) Line 392 blink_core.dll!blink::EventHandler::handleMouseMoveOrLeaveEvent(const blink::PlatformMouseEvent & mouseEvent, blink::HitTestResult * hoveredNode, bool onlyUpdateScrollbars, bool forceLeave) Line 1045 blink_core.dll!blink::EventHandler::handleMouseMoveEvent(const blink::PlatformMouseEvent & event) Line 912 blink_web.dll!blink::PageWidgetEventHandler::handleMouseMove(blink::LocalFrame & mainFrame, const blink::WebMouseEvent & event) Line 206 blink_web.dll!blink::PageWidgetDelegate::handleInputEvent(blink::PageWidgetEventHandler & handler, const blink::WebInputEvent & event, blink::LocalFrame * root) Line 138 blink_web.dll!blink::WebViewImpl::handleInputEvent(const blink::WebInputEvent & inputEvent) Line 2214 blink_web.dll!blink::WebViewFrameWidget::handleInputEvent(const blink::WebInputEvent & event) Line 99 content.dll!content::RenderWidgetInputHandler::HandleInputEvent(const blink::WebInputEvent & input_event, const ui::LatencyInfo & latency_info, content::InputEventDispatchType dispatch_type) Line 325
,
Sep 30 2016
Re: https://bugs.chromium.org/p/chromium/issues/detail?id=649576#c4 As we talked offline, Blink excludes any slots from the flat tree, due to the current limitation. That is a known issue. FlatTreeTraversal actually *skips* slots. Clients of FlatTreeTraversal should assume that there is such a limitation.. :(
,
Sep 30 2016
It seems problem is
FlatTreeTraversal::parent("\nselect from here") => BODY
But, FlatTreeTraversal::firstChild(BODY) doesn't return "\nselect from here".
,
Sep 30 2016
I see. That sounds a bug in the FlatTreeTraversal. Thank you for the investigation.
,
Oct 12 2016
,
Oct 13 2016
,
Oct 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/dce2e40e8f3b783ef18e06b72c955bf59ed122d9 commit dce2e40e8f3b783ef18e06b72c955bf59ed122d9 Author: hayato <hayato@chromium.org> Date: Fri Oct 14 04:21:58 2016 Fix FlatTreeTraversal for a slot in a document tree Fix FlatTreeTraversal so that it considers a slot in a document tree correctly. Slots in a document tree are not well supported. They need a special treatment. This CL fixes the crash reported in the bug. BUG= 649576 Review-Url: https://codereview.chromium.org/2416833002 Cr-Commit-Position: refs/heads/master@{#425252} [modify] https://crrev.com/dce2e40e8f3b783ef18e06b72c955bf59ed122d9/third_party/WebKit/Source/core/dom/shadow/FlatTreeTraversal.cpp [modify] https://crrev.com/dce2e40e8f3b783ef18e06b72c955bf59ed122d9/third_party/WebKit/Source/core/dom/shadow/FlatTreeTraversalTest.cpp [modify] https://crrev.com/dce2e40e8f3b783ef18e06b72c955bf59ed122d9/third_party/WebKit/Source/core/html/HTMLSlotElement.cpp [modify] https://crrev.com/dce2e40e8f3b783ef18e06b72c955bf59ed122d9/third_party/WebKit/Source/core/html/HTMLSlotElement.h
,
Oct 14 2016
,
Oct 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3733b9b59c42ea60a6faf1bcfcf0ef30124e90cc commit 3733b9b59c42ea60a6faf1bcfcf0ef30124e90cc Author: johnme <johnme@chromium.org> Date: Fri Oct 14 11:22:47 2016 Revert of Fix FlatTreeTraversal for a slot in a document tree (patchset #3 id:40001 of https://codereview.chromium.org/2416833002/ ) Reason for revert: The following content_browsertests have started consistently failing on KitKat Tablet Tester, Lollipop Tablet Tester and Marshmallow Tablet Tester: FindRequestManagerTests/FindRequestManagerTest.RemoveFrame/0 FindRequestManagerTest.AddFrameAfterNoMatches FindRequestManagerTests/FindRequestManagerTest.AddFrame/0 FindRequestManagerTest.HiddenFrame FindRequestManagerTests/FindRequestManagerTest.CharacterByCharacter/0 FindRequestManagerTests/FindRequestManagerTest.Basic/0 FindRequestManagerTest.FindInPage_Issue627799 FindRequestManagerTest.ActivateNearestFindMatch FindRequestManagerTest.FindMatchRects FindRequestManagerTests/FindRequestManagerTest.NavigateFrame/0 FindRequestManagerTest.FindInPage_Issue644448 FindRequestManagerTests/FindRequestManagerTest.FindNewMatches/0 FindRequestManagerTests/FindRequestManagerTest.RapidFire/0 e.g. https://build.chromium.org/p/chromium.android/builders/Marshmallow%20Tablet%20Tester/builds/5889 And the stack_tool_with_logcat_dump/stack_tool_for_tombstones steps both prominently feature findPlainTextInternal<blink::EditingAlgorithm<blink::FlatTreeTraversal>> (oddly on KitKat Tablet Tester these tests started failing on the build after this patch landed; presumably the failure is at least partly flaky) Original issue's description: > Fix FlatTreeTraversal for a slot in a document tree > > Fix FlatTreeTraversal so that it considers a slot in a document tree correctly. > > Slots in a document tree are not well supported. They need a special treatment. > This CL fixes the crash reported in the bug. > > BUG= 649576 > > Committed: https://crrev.com/dce2e40e8f3b783ef18e06b72c955bf59ed122d9 > Cr-Commit-Position: refs/heads/master@{#425252} TBR=tkent@chromium.org,yosin@chromium.org,hayato@chromium.org # Skipping CQ checks because original CL landed less than 1 days ago. NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG= 649576 Review-Url: https://codereview.chromium.org/2420883002 Cr-Commit-Position: refs/heads/master@{#425293} [modify] https://crrev.com/3733b9b59c42ea60a6faf1bcfcf0ef30124e90cc/third_party/WebKit/Source/core/dom/shadow/FlatTreeTraversal.cpp [modify] https://crrev.com/3733b9b59c42ea60a6faf1bcfcf0ef30124e90cc/third_party/WebKit/Source/core/dom/shadow/FlatTreeTraversalTest.cpp [modify] https://crrev.com/3733b9b59c42ea60a6faf1bcfcf0ef30124e90cc/third_party/WebKit/Source/core/html/HTMLSlotElement.cpp [modify] https://crrev.com/3733b9b59c42ea60a6faf1bcfcf0ef30124e90cc/third_party/WebKit/Source/core/html/HTMLSlotElement.h
,
Oct 14 2016
,
Oct 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cc87e9a3cc8289a23ec23e116196f19c15a9fb49 commit cc87e9a3cc8289a23ec23e116196f19c15a9fb49 Author: hayato <hayato@chromium.org> Date: Mon Oct 17 05:47:51 2016 Reland of Fix FlatTreeTraversal for a slot in a document tree (patchset #1 id:1 of https://codereview.chromium.org/2420883002/ ) Reason for revert: It looks that the original CL is not culprit because the tests still fail after reverting the CL https://build.chromium.org/p/chromium.android/builders/Marshmallow%20Tablet%20Tester/builds/5892 Let me reland this CL. Original issue's description: > Revert of Fix FlatTreeTraversal for a slot in a document tree (patchset #3 id:40001 of https://codereview.chromium.org/2416833002/ ) > > Reason for revert: > The following content_browsertests have started consistently failing on KitKat Tablet Tester, Lollipop Tablet Tester and Marshmallow Tablet Tester: > > FindRequestManagerTests/FindRequestManagerTest.RemoveFrame/0 > FindRequestManagerTest.AddFrameAfterNoMatches > FindRequestManagerTests/FindRequestManagerTest.AddFrame/0 > FindRequestManagerTest.HiddenFrame > FindRequestManagerTests/FindRequestManagerTest.CharacterByCharacter/0 > FindRequestManagerTests/FindRequestManagerTest.Basic/0 > FindRequestManagerTest.FindInPage_Issue627799 > FindRequestManagerTest.ActivateNearestFindMatch > FindRequestManagerTest.FindMatchRects > FindRequestManagerTests/FindRequestManagerTest.NavigateFrame/0 > FindRequestManagerTest.FindInPage_Issue644448 > FindRequestManagerTests/FindRequestManagerTest.FindNewMatches/0 > FindRequestManagerTests/FindRequestManagerTest.RapidFire/0 > > e.g. https://build.chromium.org/p/chromium.android/builders/Marshmallow%20Tablet%20Tester/builds/5889 > > And the stack_tool_with_logcat_dump/stack_tool_for_tombstones steps both prominently feature findPlainTextInternal<blink::EditingAlgorithm<blink::FlatTreeTraversal>> > > (oddly on KitKat Tablet Tester these tests started failing on the build after this patch landed; presumably the failure is at least partly flaky) > > Original issue's description: > > Fix FlatTreeTraversal for a slot in a document tree > > > > Fix FlatTreeTraversal so that it considers a slot in a document tree correctly. > > > > Slots in a document tree are not well supported. They need a special treatment. > > This CL fixes the crash reported in the bug. > > > > BUG= 649576 > > > > Committed: https://crrev.com/dce2e40e8f3b783ef18e06b72c955bf59ed122d9 > > Cr-Commit-Position: refs/heads/master@{#425252} > > TBR=tkent@chromium.org,yosin@chromium.org,hayato@chromium.org > # Skipping CQ checks because original CL landed less than 1 days ago. > NOPRESUBMIT=true > NOTREECHECKS=true > NOTRY=true > BUG= 649576 > > Committed: https://crrev.com/3733b9b59c42ea60a6faf1bcfcf0ef30124e90cc > Cr-Commit-Position: refs/heads/master@{#425293} TBR=tkent@chromium.org,yosin@chromium.org,johnme@chromium.org # Not skipping CQ checks because original CL landed more than 1 days ago. BUG= 649576 Review-Url: https://codereview.chromium.org/2427443003 Cr-Commit-Position: refs/heads/master@{#425621} [modify] https://crrev.com/cc87e9a3cc8289a23ec23e116196f19c15a9fb49/third_party/WebKit/Source/core/dom/shadow/FlatTreeTraversal.cpp [modify] https://crrev.com/cc87e9a3cc8289a23ec23e116196f19c15a9fb49/third_party/WebKit/Source/core/dom/shadow/FlatTreeTraversalTest.cpp [modify] https://crrev.com/cc87e9a3cc8289a23ec23e116196f19c15a9fb49/third_party/WebKit/Source/core/html/HTMLSlotElement.cpp [modify] https://crrev.com/cc87e9a3cc8289a23ec23e116196f19c15a9fb49/third_party/WebKit/Source/core/html/HTMLSlotElement.h
,
Oct 19 2016
Seems to be Fixed in the latest Canary.
,
Oct 21 2016
|
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by tkent@chromium.org
, Sep 23 2016