Issue 669127
Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Redo command should not use obsolete selection

Reported by ClusterFuzz (Project Member), Nov 28 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6482947999006720

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::updateDistribution
  blink::comparePositions
  blink::normalizeRange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=362082:362102

Minimized Testcase (5.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97j2htckhxeFdg7f_9r9nnADT5uT8fA8L59njIfV6QqyJVzQd6u0HoBVvBxsX_yiewglDVLNi89Gu7w8rySNP7zwdFDZWRjY9tP2Tm-qArwcl1afNn97vt-HiT_pJQ0YPiAOwrOACmO4bxoMg0nK1nRr3V_ZA?testcase_id=6482947999006720

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by tkent@chromium.org, Nov 28 2016

Components: Blink>Editing

Comment 2 by yosin@chromium.org, Nov 29 2016

Owner: yosin@chromium.org
Status: Started (was: Untriaged)
Failed in comparePositions() for PositionInFlatTree

positionA: beforeAnchor SELECT
positionB: afterAnchor SELECT


BODY (editable) (focused)
	OL class="CLASS11 CLASS4" (editable)
		#text "\n"
		LI class="CLASS12 CLASS1" (editable)
			#text "\n"
			DIV (editable)
				#text "\n"
				BUTTON (editable)
					#text "\n"
					BDO class="CLASS3" (editable)
						#text "\n"
				BUTTON (editable)
					#text "\n"
					DIV class="CLASS2" (editable)
						#text "\n"
						FORM (editable)
							#text "\n"
		TT class="CLASS5 CLASS6" (editable)
			#text "\n"
			DIV style="text-align: right;" (editable)
				#text "\n"
				OPTION class="CLASS1 CLASS4" (editable)
					#shadow-root
						#text ";______________/|{9),_rraaaaaaa&'CC&qqqqCm^KKKKKKKKKKKKK5P4SSS?3%%%T]^^^^^^^^^}L##33|||||||$2TVXYYYY%K\"\"\"\"\"\"\"\"\"q//_)))))))))))>L,7_A\\\\\\\\\\\\\\\\(s?????????????lm+T7;______________/|{9),_rraaaaaaa&'CC&qqqqCm^KKKKKKKKKKKKK5P4SSS?3%%%T]^^^^^^^^^}L##33|||||||$2TVXYYYY%K\"\"\"\"\"\"\"\"\"q//_)))))))))))>L,7_A\\\\\\\\\\\\\\\\(s?????????????lm+T7"
					OBJECT (editable)
						#shadow-root
							CONTENT
						#text ";______________/|{9),_rraaaaaaa&'CC&qqqqCm^KKKKKKKKKKKKK5P4SSS?3"
					H2 (editable)
						STRIKE (editable)
							#text "%%%T]^^^^^^^^^}L##33|||||||$2TVX"
						#text "YYYY%K\"\"\"\"\"\"\"\"\"q//_)))))))))))>L"
						SELECT (editable)
							#shadow-root
								CONTENT
							#text ",7_A\\\\\\\\\\\\\\\\(s?????????????lm+T7"
*					SELECT (editable)
*						#shadow-root
*							CONTENT
						#text ";______________/|{9),_rraaaaaaa&'CC&qqqqCm^KKKKKKKKKKKKK5P4SSS?3%%%T]^^^^^^^^^}L##33|||||||$2TVXYYYY%K\"\"\"\"\"\"\"\"\"q//_)))))))))))>L,7_A\\\\\\\\\\\\\\\\(s?????????????lm+T7"
						feBlend (editable)
beforeAnchor

Comment 3 by yosin@chromium.org, Nov 29 2016

Summary: Redo command should not use obsolete selection (was: Crash in blink::Node::updateDistribution)
The root cause is that Editor::reappliedEditing() passes an obsolete VisibleSelection, held in the undo stack, to FrameSelection::setSelection().

Comment 4 by yosin@chromium.org, Nov 29 2016

In review: http://crrev.com/2532393002

Comment 5 by bugdroid1@chromium.org, Nov 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c5d325233d9e3e7b35aa65ee4a6b78261fb9c94c

commit c5d325233d9e3e7b35aa65ee4a6b78261fb9c94c
Author: yosin <yosin@chromium.org>
Date: Wed Nov 30 09:07:08 2016

Make redo command correct selection in undo stack

This patch makes |Editor::reappliedEditing()|, which is the last step of the "redo"
command, use |correctVisibleSelection()| to validate the selection in the undo stack,
like |Editor::unappliedEditing()|, which is the last step of the "undo" command.

The root cause of issue 669127 is that the "redo" command attempts to set a selection
anchored at a SELECT element in an OPTION element outside of a SELECT element. Since this
SELECT element does not appear in the flat tree,
|SelectionAdjuster::adjustSelectionInFlatTree()| fails with a |nullptr|
parent of it.

BUG=669127
TEST=LayoutTests/editing/undo/redo_correct_selection.html

Review-Url: https://codereview.chromium.org/2532393002
Cr-Commit-Position: refs/heads/master@{#435191}

[add] https://crrev.com/c5d325233d9e3e7b35aa65ee4a6b78261fb9c94c/third_party/WebKit/LayoutTests/editing/undo/redo_correct_selection.html
[modify] https://crrev.com/c5d325233d9e3e7b35aa65ee4a6b78261fb9c94c/third_party/WebKit/Source/core/editing/Editor.cpp
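As an added illustration of the fix the commit above describes (a model written in JavaScript, not Blink code and not the project's layout test): the unfixed redo path hands the selection stored in the undo stack straight to flat-tree adjustment, while the fixed path validates it first. The TreeNode class, the flat-tree rule (only text children of an OPTION are rendered) and the constructed tree shape are assumptions simplified from the dump in comment 2.

```javascript
// Minimal DOM-like node; real Blink nodes and flat-tree rules are far richer.
class TreeNode {
  constructor(tag, children = []) {
    this.tag = tag;
    this.children = children;
    this.parent = null;
    for (const c of children) c.parent = this;
  }
}

// Assumed flat-tree rule: element children of OPTION are not rendered, so they
// have no flat-tree parent (mirrors "SELECT in OPTION isn't in the flat tree").
function flatTreeParent(node) {
  const p = node.parent;
  if (p && p.tag === 'OPTION' && node.tag !== '#text') return null;
  return p;
}

function isInFlatTree(node) {
  for (let n = node; n.parent; n = flatTreeParent(n)) {
    if (flatTreeParent(n) === null) return false;
  }
  return true;
}

// Models SelectionAdjuster::adjustSelectionInFlatTree(): walks to the anchor's
// flat-tree parent and dereferences it, which is the null dereference when the
// anchor is not in the flat tree.
function adjustSelectionInFlatTree(selection) {
  const parent = flatTreeParent(selection.anchor);
  return { anchor: parent, offset: parent.children.indexOf(selection.anchor) };
}

// Before the fix: the stored selection is used as-is.
function reappliedEditingUnfixed(undoEntry) {
  return adjustSelectionInFlatTree(undoEntry.selectionAfter);
}

// After the fix: validate first, like the undo path; drop a stale anchor.
function correctVisibleSelection(selection) {
  if (!selection || !isInFlatTree(selection.anchor)) return null;
  return selection;
}
function reappliedEditingFixed(undoEntry) {
  const sel = correctVisibleSelection(undoEntry.selectionAfter);
  return sel ? adjustSelectionInFlatTree(sel) : null;
}

// Constructed case modelled on the dumped tree: an OPTION holding text and a SELECT.
function buildFuzzerShapedCase() {
  const text = new TreeNode('#text');
  const select = new TreeNode('SELECT');
  const body = new TreeNode('BODY', [new TreeNode('OPTION', [text, select])]);
  return { body, text, select };
}
```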

Comment 6 by yosin@chromium.org, Nov 30 2016

Status: Fixed (was: Started)

Comment 7 by ClusterFuzz, Dec 1 2016

ClusterFuzz has detected this issue as fixed in range 435159:435209.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=435159:435209

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
