node in CompositeEditCommand.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4800242794102784

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  node in CompositeEditCommand.cpp
  blink::CompositeEditCommand::isRemovableBlock
  blink::DeleteSelectionCommand::removeRedundantBlocks

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388139:388165

Minimized Testcase (2.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ZvHhjFEVY0tUnt5jhZc6Vj-WRFIMwOlUl-jbFJvxsU97o-VP74cJ4NwaReSV4PBIEE8qZ1q-eGkMGeu3KXCsvHiSiyoIINmpwzPoU6PWiWgqxIY93jkdXQ60TrfwB_pT9xbMtWWmTSTtTLA1Up2mdZotImw?testcase_id=4800242794102784

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 20 2016
My bisect hints that this is a long-standing issue (probably even before r200000 etc.), but I cannot locate the exact CL. However, according to the stack trace it doesn't seem to be a difficult bug; I will see if I can fix it.

```cpp
void DeleteSelectionCommand::removeRedundantBlocks(EditingState* editingState) {
  Node* node = m_endingPosition.computeContainerNode();
  LOG(ERROR) << "removeRedundantBlocks: " << node;
  Element* rootElement = rootEditableElement(*node);

  while (node && node != rootElement) {
    if (isRemovableBlock(node)) {
      if (node == m_endingPosition.anchorNode())
        updatePositionForNodeRemovalPreservingChildren(m_endingPosition, *node);

      CompositeEditCommand::removeNodePreservingChildren(node, editingState);
      if (editingState->isAborted())
        return;
      node = m_endingPosition.anchorNode();
      LOG(ERROR) << "node = m_endingPosition.anchorNode(): " << node;
    } else {
      node = node->parentNode();
      LOG(ERROR) << "node = node->parentNode(): " << node;
    }
  }
}
```

```
DeleteSelectionCommand.cpp(1022)] removeRedundantBlocks: LI (editable)
DeleteSelectionCommand.cpp(1037)] node = node->parentNode(): UL (editable)
DeleteSelectionCommand.cpp(1037)] node = node->parentNode(): DIV (editable)
DeleteSelectionCommand.cpp(1034)] node = m_endingPosition.anchorNode(): LI
DeleteSelectionCommand.cpp(1037)] node = node->parentNode(): UL
DeleteSelectionCommand.cpp(1037)] node = node->parentNode(): null
```
Dec 22 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3c4ea2111cb111f66c87f8cd6bf3909eeaa15c9b

commit 3c4ea2111cb111f66c87f8cd6bf3909eeaa15c9b
Author: chongz <chongz@chromium.org>
Date: Thu Dec 22 18:54:16 2016

[Editing] Add null check in |DeleteSelectionCommand::removeRedundantBlocks()|

The root cause is that we are removing & re-inserting child nodes during |CompositeEditCommand::removeNodePreservingChildren()|, which means that if the child contains the style "* {-webkit-user-modify: read-write;}" we won't be able to re-insert it back, as the parent has lost its editable attribute as soon as we've removed it.

BUG=675727
Review-Url: https://codereview.chromium.org/2595783002
Cr-Commit-Position: refs/heads/master@{#440459}

[modify] https://crrev.com/3c4ea2111cb111f66c87f8cd6bf3909eeaa15c9b/third_party/WebKit/Source/core/editing/BUILD.gn
[modify] https://crrev.com/3c4ea2111cb111f66c87f8cd6bf3909eeaa15c9b/third_party/WebKit/Source/core/editing/commands/ApplyStyleCommand.h
[add] https://crrev.com/3c4ea2111cb111f66c87f8cd6bf3909eeaa15c9b/third_party/WebKit/Source/core/editing/commands/ApplyStyleCommandTest.cpp
[modify] https://crrev.com/3c4ea2111cb111f66c87f8cd6bf3909eeaa15c9b/third_party/WebKit/Source/core/editing/commands/DeleteSelectionCommand.cpp
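The trace in the earlier comment (LI, UL, DIV, then LI, UL, null) and the root cause in the commit message can be played out on a toy tree. The C++ below is an added illustration for this page, not Blink's code and not part of the bug thread: a minimal DOM-like tree in which editability comes either from a contenteditable flag on the document root or from an attached node carrying "* {-webkit-user-modify: read-write;}", and in which the model's removeNodePreservingChildren() refuses to re-insert children once the document is no longer editable, which is how the commit describes the failure. Node, the tag names, WalkResult, runScenario() and the docRoot parameter are all constructions for this example.

```cpp
#include <algorithm>
#include <cassert>
#include <string>
#include <vector>

// Toy model for this example only (not Blink code). Editability is granted either by a
// contenteditable flag on the root or by an attached node carrying "* {-webkit-user-modify: read-write;}".
struct Node {
  std::string tag;
  Node* parent = nullptr;
  std::vector<Node*> children;
  bool contenteditable = false;  // stands in for a contenteditable attribute
  bool userModifyRule = false;   // stands in for a <style> holding the rule
  explicit Node(const std::string& t) : tag(t) {}
};

static void appendChild(Node* parent, Node* child) {
  child->parent = parent;
  parent->children.push_back(child);
}

static bool subtreeHasUserModifyRule(const Node* n) {
  return n->userModifyRule ||
         std::any_of(n->children.begin(), n->children.end(), subtreeHasUserModifyRule);
}

// Editable while the root is contenteditable or the <style> with the rule is still
// attached; detaching that <style> revokes editability for the whole document.
static bool isEditable(const Node* docRoot) {
  return docRoot->contenteditable || subtreeHasUserModifyRule(docRoot);
}

static void detach(Node* n) {
  auto& sib = n->parent->children;
  sib.erase(std::find(sib.begin(), sib.end(), n));
  n->parent = nullptr;
}

// Model of removeNodePreservingChildren(): remove `node`, then put its children back
// in its place. Re-insertion is refused once the document is no longer editable, so
// those children stay detached, which is the failure the commit message describes.
static void removeNodePreservingChildren(Node* node, Node* docRoot) {
  Node* parent = node->parent;
  auto index = std::find(parent->children.begin(), parent->children.end(), node) -
               parent->children.begin();
  detach(node);
  std::vector<Node*> kids = node->children;  // copy: detach() mutates the list
  for (Node* kid : kids) {
    detach(kid);
    if (!isEditable(docRoot)) continue;  // parent lost its editable state
    kid->parent = parent;
    parent->children.insert(parent->children.begin() + index++, kid);
  }
}

// Same shape as the real check: a DIV that is its parent's only child.
static bool isRemovableBlock(const Node* node) {
  assert(node && "isRemovableBlock() must never see a null node");
  return node->tag == "DIV" && node->parent && node->parent->children.size() == 1;
}

// reachedRoot == false means the anchor's ancestor chain ended in null.
struct WalkResult { int removed; bool reachedRoot; };

// The loop as fixed: `node &&` stops the walk once the anchor is detached. reachedRoot
// == false is exactly the state in which a loop without that guard would hand a null
// node to isRemovableBlock().
static WalkResult removeRedundantBlocks(Node* anchor, Node* rootElement, Node* docRoot) {
  WalkResult result{0, false};
  Node* node = anchor;
  while (node && node != rootElement) {
    if (isRemovableBlock(node)) {
      removeNodePreservingChildren(node, docRoot);
      ++result.removed;
      node = anchor;  // the command re-reads its ending position's anchor
    } else {
      node = node->parent;
    }
  }
  result.reachedRoot = (node == rootElement);
  return result;
}

// BODY > DIV > {STYLE, UL > LI}, walked from LI with BODY as the root element.
// editableViaRule puts the rule on STYLE (the crashing shape); otherwise BODY is
// contenteditable and the children are re-parented normally.
static WalkResult runScenario(bool editableViaRule) {
  Node body("BODY"), div("DIV"), style("STYLE"), ul("UL"), li("LI");
  body.contenteditable = !editableViaRule;
  style.userModifyRule = editableViaRule;
  appendChild(&body, &div);
  appendChild(&div, &style);
  appendChild(&div, &ul);
  appendChild(&ul, &li);
  return removeRedundantBlocks(&li, &body, &body);
}

int main() { return (!runScenario(true).reachedRoot && runScenario(false).reachedRoot) ? 0 : 1; }
```

runScenario(true) reproduces the shape of the trace: the DIV is the only removable block, removing it takes the rule-carrying STYLE out of the document, BODY stops being editable, the STYLE and UL are left detached, and the walk restarted from LI climbs LI, UL, null instead of ending at BODY. That null is what the null check added to removeRedundantBlocks() in the fix keeps away from isRemovableBlock() and its CHECK. runScenario(false) is the ordinary case: the children go back under BODY and the walk terminates at the root element.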
Dec 22 2016
Dec 23 2016
ClusterFuzz has detected this issue as fixed in range 440451:440487.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4800242794102784

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  node in CompositeEditCommand.cpp
  blink::CompositeEditCommand::isRemovableBlock
  blink::DeleteSelectionCommand::removeRedundantBlocks

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=388139:388165
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=440451:440487

Minimized Testcase (2.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ZvHhjFEVY0tUnt5jhZc6Vj-WRFIMwOlUl-jbFJvxsU97o-VP74cJ4NwaReSV4PBIEE8qZ1q-eGkMGeu3KXCsvHiSiyoIINmpwzPoU6PWiWgqxIY93jkdXQ60TrfwB_pT9xbMtWWmTSTtTLA1Up2mdZotImw?testcase_id=4800242794102784

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 6 2017
Comment 1 by mummare...@chromium.org, Dec 19 2016
Labels: Test-Predator-Wrong M-57
Owner: chongz@chromium.org
Status: Assigned (was: Untriaged)