Issue metadata
Sign in to add a comment
|
!m_start.document()->needsLayoutTreeUpdate() in VisibleSelection.cpp |
||||||||||||||||||||
Issue descriptionDetailed report: https://cluster-fuzz.appspot.com/testcase?key=6538881011023872 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !m_start.document()->needsLayoutTreeUpdate() in VisibleSelection.cpp blink::VisibleSelectionTemplate<>::toNormalizedEphemeralRange blink::WebViewImpl::selectionBounds Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=425278:425286 Minimized Testcase (0.47 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97oP1E_dhVlwJFDyoYYwb2kRsrihQ6qb1P3qT8_uiYDD-A8E_1oGuGj4Si1Ul7ny8_cjP4MYQ10hbA8fNVq4O7AwXGDl8R1j-5cDSstjbQrZYQOYwZxFJTOd45HKrruTcyUbY2qWaBN3FOF6fnX0npN23GpEg?testcase_id=6538881011023872 <b id="test"> Sed dictum erat sit amet pharetra pretium. <script> var __v_0 = document.getElementById('test').firstChild; var __v_1 = document.createRange(); __v_1.setEnd(__v_0, __v_0.length - 5); window.getSelection().addRange(__v_1); </script> <video autoplay=""<source src="../../../media/white.webm" type="video/webm"> <track> <script> document.getElementsByTagName('track')[0].track.mode = 'showing'; </script> Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Nov 4 2016
It's the same bug as issue 646204 that <track> modifies DOM tree in layout update, with issue 372245 being the root cause.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Mar 1 2017
ClusterFuzz has detected this issue as fixed in range 450347:450395. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6538881011023872 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !m_start.document()->needsLayoutTreeUpdate() in VisibleSelection.cpp blink::VisibleSelectionTemplate<>::toNormalizedEphemeralRange blink::WebViewImpl::selectionBounds Sanitizer: address (ASAN) Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=425278:425286 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=450347:450395 Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97oP1E_dhVlwJFDyoYYwb2kRsrihQ6qb1P3qT8_uiYDD-A8E_1oGuGj4Si1Ul7ny8_cjP4MYQ10hbA8fNVq4O7AwXGDl8R1j-5cDSstjbQrZYQOYwZxFJTOd45HKrruTcyUbY2qWaBN3FOF6fnX0npN23GpEg?testcase_id=6538881011023872 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 1 2017
ClusterFuzz has detected this issue as fixed in range 450347:450395. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6538881011023872 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !m_start.document()->needsLayoutTreeUpdate() in VisibleSelection.cpp blink::VisibleSelectionTemplate<>::toNormalizedEphemeralRange blink::WebViewImpl::selectionBounds Sanitizer: address (ASAN) Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=425278:425286 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=450347:450395 Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97oP1E_dhVlwJFDyoYYwb2kRsrihQ6qb1P3qT8_uiYDD-A8E_1oGuGj4Si1Ul7ny8_cjP4MYQ10hbA8fNVq4O7AwXGDl8R1j-5cDSstjbQrZYQOYwZxFJTOd45HKrruTcyUbY2qWaBN3FOF6fnX0npN23GpEg?testcase_id=6538881011023872 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Mar 1 2017
ClusterFuzz has detected this issue as fixed in range 450347:450395. Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6538881011023872 Fuzzer: mbarbella_js_mutation_layout Job Type: linux_debug_content_shell_drt Platform Id: linux Crash Type: CHECK failure Crash Address: Crash State: !m_start.document()->needsLayoutTreeUpdate() in VisibleSelection.cpp blink::VisibleSelectionTemplate<>::toNormalizedEphemeralRange blink::WebViewImpl::selectionBounds Sanitizer: address (ASAN) Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=425278:425286 Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=450347:450395 Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97oP1E_dhVlwJFDyoYYwb2kRsrihQ6qb1P3qT8_uiYDD-A8E_1oGuGj4Si1Ul7ny8_cjP4MYQ10hbA8fNVq4O7AwXGDl8R1j-5cDSstjbQrZYQOYwZxFJTOd45HKrruTcyUbY2qWaBN3FOF6fnX0npN23GpEg?testcase_id=6538881011023872 See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page. |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by msrchandra@chromium.org
, Nov 2 2016Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)