
Issue 670313

Starred by 1 user

Issue metadata

Status: Verified
Owner: ----
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug




CompositeEditCommand::moveParagraphs() makes endingSelection() invalid during its processing

Reported by ClusterFuzz (Project Member), Dec 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4932904636645376

Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::hasEditableStyle
  blink::rootEditableElement
  blink::DeleteSelectionCommand::removeRedundantBlocks
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=417193:417214

Minimized Testcase (7.86 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95n4PtOu7tyHJJqgpOAr0gYoobZ-e-3Se2_15rRnKPLXSW2tXQ3YXBVq4hjHtpKcDtbSwOS15d0OtILqPIh5EkVHafaMsCOwTDdplMwF2zRE-oYSdVuaCiYrFwCviWj-oekL64SGYuXVa-vAkIc_PYS99JZbw?testcase_id=4932904636645376

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)
Wildly guessing that this may be: e15391d9a56a210cf5faee97c24bfad856225ea9
tkent, could you take a look?

Comment 2 by tkent@chromium.org, Dec 1 2016

Components: Blink>Editing
Owner: ----
Status: Untriaged (was: Assigned)
The CL changed the timing of DOM mutation events, so it might have exposed an existing bug in a particular test case.

Route to Editing triage.

Comment 3 by yosin@chromium.org, Dec 2 2016

Labels: -Pri-1 Pri-2
Status: Available (was: Untriaged)
Summary: CompositeEditCommand::moveParagraphs() should validate endingSelection() before calling spell checker (was: Crash in blink::hasEditableStyle)
Lower to Pri-2 since real world usage of "insertHorizontalRule" is low.

The root cause is that CompositeEditCommand::moveParagraphs() calls markMisspellingsForMovingParagraphs() with endingSelection(), which should be validated again.
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong-CLs
Owner: xiaoche...@chromium.org
Status: Assigned (was: Available)
Unable to find the possible suspect using Findit and CL.
Using Code Search for the file "EditingUtilities.cpp", assigning to the concerned owner.
Suspecting the commit#
https://chromium.googlesource.com/chromium/src/+/9ceffba8b9056e7a125f5a9fd8eb803816315df7

@xiaochengh -- Could you please look into the issue; kindly re-assign if this is not related to your change.
Thank You.

Components: -Blink>Editing Blink>Editing>Command
Summary: CompositeEditCommand::moveParagraphs() makes endingSelection() invalid during its processing (was: CompositeEditCommand::moveParagraphs() should validate endingSelection() before calling spell checker)
It's more complicated than passing an invalid VisibleSelection to SpellChecker. Even if spell checking is off, this invalid VisibleSelection is still going to cause other failures:

[1:1:1205/174541.337332:3035614527656:FATAL:VisiblePosition.cpp(73)] Check failed: positionWithAffinity.isConnected(). BR@beforeAnchor/TextAffinity::Downstream
#0 0x7fcc6b9bcfbe base::debug::StackTrace::StackTrace()
#1 0x7fcc6ba29d3f logging::LogMessage::~LogMessage()
#2 0x7fcc62157dda blink::VisiblePositionTemplate<>::create()
#3 0x7fcc6215796b blink::createVisiblePosition()
#4 0x7fcc6215ceca blink::VisibleSelectionTemplate<>::visibleStart()
#5 0x7fcc621a418d blink::CompositeEditCommand::moveParagraphs()
#6 0x7fcc621a5d4d blink::CompositeEditCommand::moveParagraph()
#7 0x7fcc621b3ac7 blink::DeleteSelectionCommand::mergeParagraphs()
#8 0x7fcc621b4bf2 blink::DeleteSelectionCommand::doApply()
#9 0x7fcc6219da4f blink::CompositeEditCommand::applyCommandToComposite()
#10 0x7fcc621a0599 blink::CompositeEditCommand::deleteSelection()
#11 0x7fcc621d9170 blink::ReplaceSelectionCommand::doApply()
#12 0x7fcc6219d792 blink::CompositeEditCommand::apply()
#13 0x7fcc621bf480 blink::executeInsertFragment()
#14 0x7fcc621bf639 blink::executeInsertElement()
#15 0x7fcc621bb261 blink::executeInsertHorizontalRule()
#16 0x7fcc621b817c blink::Editor::Command::execute()
#17 0x7fcc61f04b3d blink::Document::execCommand()

Cc: xiaoche...@chromium.org
Owner: ----
Status: Available (was: Assigned)

Comment 7 by ClusterFuzz (Project Member), Feb 7 2017

ClusterFuzz has detected this issue as fixed in range 448221:448225.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4932904636645376

Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::hasEditableStyle
  blink::rootEditableElement
  blink::DeleteSelectionCommand::removeRedundantBlocks
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=417193:417214
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=448221:448225

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95n4PtOu7tyHJJqgpOAr0gYoobZ-e-3Se2_15rRnKPLXSW2tXQ3YXBVq4hjHtpKcDtbSwOS15d0OtILqPIh5EkVHafaMsCOwTDdplMwF2zRE-oYSdVuaCiYrFwCviWj-oekL64SGYuXVa-vAkIc_PYS99JZbw?testcase_id=4932904636645376


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Feb 7 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 4932904636645376 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
