Issue 673153 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

nextListChild != listChildNode (BDO(editable)) in InsertListCommand.cpp

Reported by ClusterFuzz (Project Member), Dec 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6425629132324864

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  nextListChild != listChildNode (BDO(editable)) in InsertListCommand.cpp
  blink::InsertListCommand::unlistifyParagraph
  blink::InsertListCommand::doApplyForSingleParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=311376:311461

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95u-k0e7QCpCYvDua8BI8D9nR6wXq_mYgn0nVprmbKSLIVmbUCy3j7mx5SFe0ioMP4Vb9O6nsYUWO3gVB019yQNqccYpxrEH2nPUjVe3v7-TuEPBf69zdvwAnwq-d_j1hHcCghZg4hUxsIS0GBlXvIENdEZvD4f0fIYcnb7-YWKPFw2wI4?testcase_id=6425629132324864


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Editing
Labels: Test-Predator-Wrong
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Possible suspect from code search on the file "InsertListCommand.cpp".
https://codereview.chromium.org/2405223002
xiaochengh@ : Could you please take a look into this if it's related to your change.
Components: -Blink>Editing Blink>Editing>Command
Labels: -Pri-1 Pri-2
Lowering to P2 due to low usage of document.execCommand('insertUnorderedList')

The same assertion is hit by a much simpler test case:

<!doctype html>
<div contenteditable>
  <ul>
    <div>
      <p>foo</p>
      <p>bar</p>
      <p>baz</p>
    </div>
  </ul>
</div>
<script>
getSelection().collapse(document.querySelectorAll('p')[1].firstChild, 0); // <p>|bar</p>
document.execCommand('InsertUnorderedList');
</script>

Suspect: In function enclosingListChild, it says "Check for a list item element, or for a node whose parent is a list element. Such a node will appear visually as a list item (but without a list marker)", which is not true for this case. The elements appearing as list items are the <p>s instead of the <div> under <ul>, but enclosingListChild returns <div>.
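As an added illustration of the suspect described in the comment above (not code from Blink, and not posted by the commenter): a small DOM-like tree model and a re-implementation of the quoted rule from enclosingListChild ("a list item element, or a node whose parent is a list element"), run over the reduced test case. The helper names (makeElement, makeText, findText, nearestParagraph, describeMismatch) and the tree model are assumptions of this example, not Blink identifiers; the tree for the ordinary `<ul><li>` case is constructed for comparison.

```javascript
// Added example, not Blink's code: a tiny DOM-like tree model plus a model
// of the rule quoted from enclosingListChild in InsertListCommand.cpp.
// Helper names below are assumptions of this example, not Blink identifiers.

const LIST_ELEMENTS = new Set(["UL", "OL"]);

function makeElement(tagName, children = []) {
  const node = { nodeType: 1, tagName, parentNode: null, children };
  for (const child of children) child.parentNode = node;
  return node;
}

function makeText(data) {
  return { nodeType: 3, tagName: "#text", parentNode: null, children: [], data };
}

// Constructed tree equivalent of the reduced test case:
// <div contenteditable><ul><div><p>foo</p><p>bar</p><p>baz</p></div></ul></div>
const editableRoot = makeElement("DIV", [
  makeElement("UL", [
    makeElement("DIV", [
      makeElement("P", [makeText("foo")]),
      makeElement("P", [makeText("bar")]),
      makeElement("P", [makeText("baz")]),
    ]),
  ]),
]);

// Model of the quoted rule: walk from `node` up to (but not past) `root` and
// return the first element that is an <li> or whose parent is <ul>/<ol>.
function enclosingListChild(node, root) {
  for (let n = node; n !== null && n !== root; n = n.parentNode) {
    if (n.nodeType !== 1) continue;
    if (n.tagName === "LI") return n;
    if (n.parentNode !== null && LIST_ELEMENTS.has(n.parentNode.tagName)) return n;
  }
  return null;
}

// Nearest <p> ancestor: the element the comment says actually appears as a
// list item in this markup.
function nearestParagraph(node) {
  for (let n = node; n !== null; n = n.parentNode) {
    if (n.nodeType === 1 && n.tagName === "P") return n;
  }
  return null;
}

// Depth-first search for the text node holding `data` (the caret in the
// test case sits at offset 0 of "bar").
function findText(node, data) {
  if (node.nodeType === 3) return node.data === data ? node : null;
  for (const child of node.children) {
    const found = findText(child, data);
    if (found !== null) return found;
  }
  return null;
}

// Report which node the rule picks versus the paragraph holding the caret.
function describeMismatch(root, text) {
  const caret = findText(root, text);
  const listChild = enclosingListChild(caret, root);
  const paragraph = nearestParagraph(caret);
  return {
    listChildTag: listChild === null ? null : listChild.tagName,
    paragraphTag: paragraph === null ? null : paragraph.tagName,
    sameNode: listChild !== null && listChild === paragraph,
  };
}

// Constructed ordinary markup for comparison: <ul><li><p>bar</p></li></ul>,
// where the rule picks the <li> as intended.
const ordinaryList = makeElement("DIV", [
  makeElement("UL", [makeElement("LI", [makeElement("P", [makeText("bar")])])]),
]);

console.log(describeMismatch(editableRoot, "bar"));
console.log(describeMismatch(ordinaryList, "bar"));
```

For the reduced test case the rule picks the `<div>` directly under `<ul>`, while the caret's paragraph is the `<p>`; for the ordinary `<ul><li>` markup both walks agree on the `<li>` subtree. That divergence is the shape of the mismatch the comment points at, without asserting anything about how unlistifyParagraph consumes it.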
Owner: ----
Status: Available (was: Assigned)

Comment 4 by yosin@chromium.org, May 22 2017

Labels: Pri-3
Bulk set to Pri-3 for cluster fuzz bugs.
Since these issues happen with unusual HTML.
Comment 5 by ClusterFuzz (Project Member), Jun 21 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 6425629132324864 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.