Issue 657462


Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

Blocked on:
issue 705343
issue 697315




document().body() != refChild in CompositeEditCommand.cpp

Project Member Reported by ClusterFuzz, Oct 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5563205416124416

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  document().body() != refChild in CompositeEditCommand.cpp
  blink::CompositeEditCommand::insertNodeBefore
  blink::CompositeEditCommand::insertNodeAfter
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=369991:370003

Minimized Testcase (0.38 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95nrW3imvWz3pEQMPM16L72pA6anAF7OTHbeoHpXmiI-GMHH4N_FqTtFXo10tB8s_l07EWPE07Qqp1q4XkjBhurNQFYZfpmJEf9VJHrFheYePQFrptjdELNRLA1nRHft9AUkOOd-DsTwtDIL8WOJVz8atrNbA?testcase_id=5563205416124416
<style>
    p.red { background-color: red;</style>
        testRunner.dumpAsTextWithPixelResults();
  <br/>
  <style>
   * { display: -webkit-inline-box; }
.CLASS11 { float: right;</style>
  <script>
window.onload = function () {
    document.designMode = 'on';
    document.execCommand('SelectAll')
    document.execCommand('Indent');
};
  </script>
  <div class="CLASS11">
  </div>
   bbb


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: yutak@chromium.org yosin@chromium.org
Owner: ojan@chromium.org
Status: Assigned (was: Untriaged)
ojan@, could you please look into this? Please feel free to re-assign it back if needed. Thanks in advance!
Components: Blink>Editing

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 4 by yosin@chromium.org, Nov 30 2016

Owner: ----
Status: Available (was: Assigned)

Comment 5 by tkent@chromium.org, Mar 15 2017

Owner: tkent@chromium.org
Status: Assigned (was: Available)
Looking

Comment 6 by tkent@chromium.org, Mar 16 2017

Status: Started (was: Assigned)

Comment 7 by tkent@chromium.org, Mar 16 2017

Blockedon: 697315

Comment 8 by tkent@chromium.org, Mar 27 2017

Blockedon: 705343

Comment 9 by tkent@chromium.org, Mar 27 2017

Labels: -Pri-1 Pri-2
Owner: ----
Status: Available (was: Started)
Mark this Pri-2 because the reproduction has unusual style, "* { display: -webkit-inline-box; }" and we don't think this issue is practical.


Comment 10 by yosin@chromium.org, May 22 2017

Labels: Pri-3
Bulk set to Pri-3 for cluster fuzz bugs.
Since these issues happen with unusual HTML.

Comment 11 by ClusterFuzz, Jun 21 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 5563205416124416 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
