DCHECK hit in CompositeEditCommand.cpp: isStartOfParagraph(startOfParagraphToMove)
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6375875823271936
Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  getFlag
  isConnected
  blink::Node::isDescendantOf
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=434830:434865
Minimized Testcase (5.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97wT5vS2SA9gVJPz5RiFdWbWWkpfIlxLahyx5CYGi-gM-9iS1o1ojKUs3FJo-wjGms_hpChW7ZLUT6p4pRkPVefYOawGZq0aCDnh1OMXQEdbrI81ASI-e4JDGjdnhpwanRXahiIGk24pYyoLw8_x7Te5jau5Q?testcase_id=6375875823271936
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Dec 19 2016
Using Find it, assigning to the concern owner. Below are the find it results -- The result is a list of CLs that change the crashed files.
Author: xiaochengh
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3e1ec97972c1e09d8e472aad4cf225d1ffc5dfef
Time: Tue Nov 29 02:50:14 2016
File CompositeEditCommand.cpp is changed in this cl (and is part of stack frame #3, "blink::CompositeEditCommand::cloneParagraphUnderNewElement"; frame #4, "blink::CompositeEditCommand::moveParagraphWithClones")
Minimum distance from crash line to modified line: 74. (file: CompositeEditCommand.cpp, crashed on: 1440, modified: 1514).
@xiaochengh -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
Jan 5 2017
Deprioritized to P2 due to low usage of document.execCommand('insertUnorderedList')
Hits DCHECK before running into the null-ptr-access in the report:
[1:1:0105/143314.638486:5702467828698:FATAL:CompositeEditCommand.cpp(1513)] Check failed: isStartOfParagraph(startOfParagraphToMove). #text "\n"@offsetInAnchor[1]/TextAffinity::Downstream
#0 base::debug::StackTrace::StackTrace()
#1 logging::LogMessage::~LogMessage()
#2 blink::CompositeEditCommand::moveParagraph()
#3 blink::InsertListCommand::moveParagraphOverPositionIntoEmptyListItem()
#4 blink::InsertListCommand::listifyParagraph()
#5 blink::InsertListCommand::doApplyForSingleParagraph()
#6 blink::InsertListCommand::doApply()
#7 blink::CompositeEditCommand::apply()
#8 blink::executeInsertOrderedList()
#9 blink::Editor::Command::execute()
Feb 17 2017
ClusterFuzz has detected this issue as fixed in range 450943:450980.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6375875823271936
Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  getFlag
  isConnected
  blink::Node::isDescendantOf
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=434830:434865
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=450943:450980
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97wT5vS2SA9gVJPz5RiFdWbWWkpfIlxLahyx5CYGi-gM-9iS1o1ojKUs3FJo-wjGms_hpChW7ZLUT6p4pRkPVefYOawGZq0aCDnh1OMXQEdbrI81ASI-e4JDGjdnhpwanRXahiIGk24pYyoLw8_x7Te5jau5Q?testcase_id=6375875823271936
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 17 2017
ClusterFuzz testcase 6375875823271936 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by tkent@chromium.org, Dec 18 2016
Summary: Crash in CompositeEditCommand::cloneParagraphUnderNewElement (was: Crash in getFlag)