Crash in treeScope
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6506635548950528

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  treeScope
  document
  blink::hasEditableStyle

Minimized Testcase (0.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96BqO9CoIgHVvtdksb3-f4N9f5gu7R1nwu863GHmozuFtXfTEvzp-bOXA1-6CyahhjiF0wtir93_Mjb-w7hDe-3S5WekSf9n7_MWm_McJfhs15YIGgqr1fkuyvfwcux46pM2Tii5TqIsvYR1HBDftJ5AWDISg?testcase_id=6506635548950528

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 28 2016
Taking a look.
Nov 28 2016
Patch up at https://codereview.chromium.org/2533703002
Nov 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4e0fd330ee36ef618fba35a0dc9e0b3d5b5dce3f

commit 4e0fd330ee36ef618fba35a0dc9e0b3d5b5dce3f
Author: dominicc <dominicc@chromium.org>
Date: Tue Nov 29 08:29:57 2016

Don't refer to removed spans when reformulating pasted content.

ReplaceSelectionCommand::doApply repeatedly rewrites the DOM to fix up the content it is inserting. One of those modifications--removing redundant inline styles--may end up deleting the very span it is tracking the insertion of.

This moves the node of interest into the InsertedNodes collection. As the inserted nodes collection is modified, it adjusts the node of interest to a surviving node.

BUG=668808
Review-Url: https://codereview.chromium.org/2533703002
Cr-Commit-Position: refs/heads/master@{#434930}

[modify] https://crrev.com/4e0fd330ee36ef618fba35a0dc9e0b3d5b5dce3f/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommand.cpp
[modify] https://crrev.com/4e0fd330ee36ef618fba35a0dc9e0b3d5b5dce3f/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommand.h
[modify] https://crrev.com/4e0fd330ee36ef618fba35a0dc9e0b3d5b5dce3f/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommandTest.cpp
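The hazard the commit message describes, as an added illustration that is not Blink's code: a toy DOM in which "removing a redundant inline style" (unwrapping a span) detaches the very node a bare pointer is tracking, beside a tracker that is told about removals and re-points itself at a surviving node, which is the shape of moving the node of interest into InsertedNodes. The class names (Document, Node, NodeOfInterest), the unwrap helper, the observer callback and the next-sibling, previous-sibling, parent fallback order are all assumptions made for this example, not Blink's API or policy.

```cpp
// Added illustration of the commit's idea, not Blink code: every name here is an assumption.
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <vector>

struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<Node*> children;  // non-owning; Document owns every Node
    bool isConnected() const {    // still reachable from the document root?
        const Node* n = this;
        while (n->parent) n = n->parent;
        return n->name == "#document";
    }
    Node* nextSibling() const {
        if (!parent) return nullptr;
        auto& s = parent->children;
        auto it = std::find(s.begin(), s.end(), this);
        return it + 1 == s.end() ? nullptr : *(it + 1);
    }
    Node* previousSibling() const {
        if (!parent) return nullptr;
        auto& s = parent->children;
        auto it = std::find(s.begin(), s.end(), this);
        return it == s.begin() ? nullptr : *(it - 1);
    }
};

// Owns nodes (like a GC'd DOM: removal detaches, it does not free) and notifies
// observers before a node leaves the tree.
class Document {
public:
    Document() { root_ = create("#document"); }
    Node* root() const { return root_; }
    Node* create(const std::string& name) {
        nodes_.push_back(std::make_unique<Node>());
        nodes_.back()->name = name;
        return nodes_.back().get();
    }
    void insertBefore(Node* parent, Node* child, Node* ref) {  // ref == nullptr appends
        auto& kids = parent->children;
        kids.insert(ref ? std::find(kids.begin(), kids.end(), ref) : kids.end(), child);
        child->parent = parent;
    }
    void remove(Node* n) {  // caller guarantees n is attached
        for (auto& cb : observers_) cb(n);  // trackers adjust before the detach happens
        auto& kids = n->parent->children;
        kids.erase(std::find(kids.begin(), kids.end(), n));
        n->parent = nullptr;
    }
    void addWillRemoveObserver(std::function<void(Node*)> cb) { observers_.push_back(std::move(cb)); }
    // "Remove a redundant inline style": hoist the wrapper's children, then drop the wrapper.
    void unwrap(Node* wrapper) {
        std::vector<Node*> kids = wrapper->children;  // copy: the loop mutates the list
        for (Node* k : kids) {
            auto& wk = wrapper->children;
            wk.erase(std::find(wk.begin(), wk.end(), k));
            insertBefore(wrapper->parent, k, wrapper);
        }
        remove(wrapper);
    }
private:
    std::vector<std::unique_ptr<Node>> nodes_;
    std::vector<std::function<void(Node*)>> observers_;
    Node* root_ = nullptr;
};

// The fix's shape: the node of interest lives where removals are reported, so it is
// re-pointed at a surviving node instead of going stale. The instance must outlive the
// callbacks that capture it; here it and the Document are locals of one function.
class NodeOfInterest {
public:
    NodeOfInterest(Document& doc, Node* n) : node_(n) {
        doc.addWillRemoveObserver([this](Node* removed) { willRemoveNode(removed); });
    }
    Node* get() const { return node_; }
private:
    void willRemoveNode(Node* removed) {
        if (removed != node_) return;
        if (Node* s = removed->nextSibling()) node_ = s;           // fallback order is an
        else if (Node* p = removed->previousSibling()) node_ = p;  // assumption, not Blink's
        else node_ = removed->parent;
    }
    Node* node_;
};

// Constructed fixture: <div><span>#text</span></div>; the <span> is the node of interest.
static Node* buildFixture(Document& doc) {
    Node* div = doc.create("div");
    Node* span = doc.create("span");
    doc.insertBefore(doc.root(), div, nullptr);
    doc.insertBefore(div, span, nullptr);
    doc.insertBefore(span, doc.create("#text"), nullptr);
    return span;
}

// Buggy pattern: a bare pointer nobody updates. After the unwrap it names a detached
// node, so a later step that needs its parent or tree scope has nothing to work with.
bool rawPointerStaysConnected() {
    Document doc;
    Node* nodeOfInterest = buildFixture(doc);
    doc.unwrap(nodeOfInterest);
    return nodeOfInterest->isConnected();  // false
}

// Fixed pattern: the tracker moves to the hoisted text node, which is still in the tree.
std::string trackedNodeAfterUnwrap() {
    Document doc;
    NodeOfInterest tracked(doc, buildFixture(doc));
    doc.unwrap(tracked.get());
    return tracked.get()->isConnected() ? tracked.get()->name : "(detached)";  // "#text"
}
```

The point of the two scenarios is the timing: the observer runs before the detach, while the doomed node still has siblings and a parent to hand over to, which is why the collection that performs the mutations is the right owner of the node of interest.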
Nov 30 2016
Nov 30 2016
ClusterFuzz has detected this issue as fixed in range 434929:434986.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6506635548950528

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  treeScope
  document
  blink::hasEditableStyle

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=434929:434986

Minimized Testcase (0.36 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96BqO9CoIgHVvtdksb3-f4N9f5gu7R1nwu863GHmozuFtXfTEvzp-bOXA1-6CyahhjiF0wtir93_Mjb-w7hDe-3S5WekSf9n7_MWm_McJfhs15YIGgqr1fkuyvfwcux46pM2Tii5TqIsvYR1HBDftJ5AWDISg?testcase_id=6506635548950528

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 15 2017
This might be the fix to issue 692524
Feb 15 2017
Feb 22 2017
This is too late for M56, we're near the end of the stable cycle and don't have any future releases planned. Let's wait for M57.
Comment 1 by ajha@chromium.org, Nov 27 2016
Labels: M-57