InsertParagraph command crashes with TABLE with content
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6376236676022272
Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
blink::editingIgnoresContent
blink::InsertParagraphSeparatorCommand::doApply
blink::CompositeEditCommand::applyCommandToComposite
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=428625:428627
Minimized Testcase (3.01 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94cdOwK4jS2OHtCdakJRgLU0dnrlkMIHo18j0ViDoPqU2CK_5MJmnpY3G6S988pKh8bWQ4LVBZSJF-iW7sq76bvZHab0VPZUNUpBMXsropuMgg8KdOqrh8ehY_GZ9jOSoGIHyNCDZTIoXLVa9IufTvEN6CUng?testcase_id=6376236676022272
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 31 2016
Low to Pri-2 since real world usage of insertParagraph is low.

The statement

    insertionPosition = positionOutsideTabSpan(
        createVisiblePosition(insertionPosition).deepEquivalent());

executed before calling editingIgnoresContent() makes insertionPosition null.
Before this statement: (TABLE, 0)
DOM tree at crash:
m_endingSelection.showTreeForThis()
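The null-position path described in the comment above, as an added model in C++ (not Blink's code): Node, Position, canonicalize() and applyInsertParagraph() are hypothetical stand-ins for createVisiblePosition(...).deepEquivalent(), editingIgnoresContent() and the doApply step. It shows that the canonicalization can legitimately yield a null position, so the check belongs between that conversion and the first dereference of the anchor.

```cpp
#include <string>
#include <vector>

// Hypothetical DOM model, constructed for this example.
struct Node {
    std::string tag;
    bool caretCandidate;          // can a caret be placed directly at this node?
    std::vector<Node*> children;
};

struct Position {
    Node* anchor = nullptr;
    int offset = 0;
    bool isNull() const { return anchor == nullptr; }
};

// Stand-in for createVisiblePosition(pos).deepEquivalent(): descends to the
// first node where a caret can be placed and returns a null Position when the
// subtree has none, which is what the comment reports for (TABLE, 0).
Position canonicalize(const Position& pos) {
    if (pos.isNull()) return Position{};
    if (pos.anchor->caretCandidate) return Position{pos.anchor, pos.offset};
    for (Node* child : pos.anchor->children) {
        Position p = canonicalize(Position{child, 0});
        if (!p.isNull()) return p;
    }
    return Position{};
}

// Stand-in for editingIgnoresContent(): takes a reference, so the caller must
// already hold a non-null anchor (this is where the unguarded code crashed).
bool editingIgnoresContent(const Node& node) {
    return node.tag == "IMG" || node.tag == "HR";
}

enum class ApplyResult { kBailedOnNullPosition, kIgnoresContent, kInserted };

// Guarded doApply step: the null check sits right after the canonicalization.
ApplyResult applyInsertParagraph(Position insertionPosition) {
    insertionPosition = canonicalize(insertionPosition);
    if (insertionPosition.isNull()) return ApplyResult::kBailedOnNullPosition;
    if (editingIgnoresContent(*insertionPosition.anchor)) return ApplyResult::kIgnoresContent;
    return ApplyResult::kInserted;
}

// Constructed sample trees: a TABLE whose subtree has no caret candidate
// (the crashing shape), a normal paragraph, and a replaced element.
Position tablePositionWithNoCandidate() {
    static Node sup{"SUP", false, {}};
    static Node table{"TABLE", false, {&sup}};
    return Position{&table, 0};
}
Position paragraphPosition() {
    static Node text{"#text", true, {}};
    static Node p{"P", false, {&text}};
    return Position{&p, 0};
}
Position imagePosition() {
    static Node img{"IMG", true, {}};
    return Position{&img, 0};
}
```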
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 28 2016
Dec 6 2016
Feb 20 2017
Mar 15 2017
Issue 699945 has been merged into this issue.
Mar 16 2017
Apr 7 2017
Apr 20 2017
ClusterFuzz has detected this issue as fixed in range 465765:465806.
Detailed report: https://clusterfuzz.com/testcase?key=6376236676022272
Fuzzer: inferno_twister
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
blink::editingIgnoresContent
blink::InsertParagraphSeparatorCommand::doApply
blink::CompositeEditCommand::applyCommandToComposite
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=428625:428627
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=465765:465806
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94cdOwK4jS2OHtCdakJRgLU0dnrlkMIHo18j0ViDoPqU2CK_5MJmnpY3G6S988pKh8bWQ4LVBZSJF-iW7sq76bvZHab0VPZUNUpBMXsropuMgg8KdOqrh8ehY_GZ9jOSoGIHyNCDZTIoXLVa9IufTvEN6CUng?testcase_id=6376236676022272
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 20 2017
ClusterFuzz testcase 6376236676022272 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 14 2017
ClusterFuzz testcase 4630306733948928 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Comment 1 by nyerramilli@chromium.org, Oct 31 2016
Labels: -Type-Bug findit-wrong M-56 Type-Bug-Regression
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)