ReplaceSelectionCommand::mergeEndIfNeeded not passing whole paragraphs to CompositeEditCommand::moveParagraph
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5779328795410432
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  isStartOfParagraph(startOfParagraphToMove). BUTTON class="CLASS7 CLASS6" (editab
  blink::CompositeEditCommand::moveParagraph
  blink::ReplaceSelectionCommand::mergeEndIfNeeded
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=380105:380146
Minimized Testcase (3.15 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ClC5CIKeJKiYOgyHYCQj6q99QLAJM2sgMdfTR4CTMMqMXfYqol_6wurGs0y8fl5OsX2AC43ivB3zjH6dbcVJ-STjogEPZVYEq973pWIPhrSwznBgzZCqEhrGbcqdayiZhgZRU0JUyIcPr8ZBdcuyldd_s3w?testcase_id=5779328795410432
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 25 2017
The DCHECK hit is due to ReplaceSelectionCommand::mergeEndIfNeeded passing an incorrect VisiblePosition to CompositeEditCommand::moveParagraph. The latter function expects a position that's at the start of a paragraph, but the former calculates a position that's not. However, the code calculating this position dates back to r38144 and I have no idea why it's doing that... Anyone with any idea is free to take this bug...

Relevant code snippet:

// Merging two paragraphs will destroy the moved one's block styles. Always
// move the end of inserted forward to preserve the block style of the
// paragraph already in the document, unless the paragraph to move would
// include the what was the start of the selection that was pasted into, so
// that we preserve that paragraph's block styles.
bool mergeForward = !(inSameParagraph(startOfInsertedContent, endOfInsertedContent) && !isStartOfParagraph(startOfInsertedContent));
VisiblePosition destination = mergeForward ? nextPositionOf(endOfInsertedContent) : endOfInsertedContent;
VisiblePosition startOfParagraphToMove = mergeForward ? startOfParagraph(endOfInsertedContent) : nextPositionOf(endOfInsertedContent);
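To make the precondition mismatch in the snippet above concrete, here is an added toy model (not Chromium code and not part of this bug thread). It replaces Blink's VisiblePosition machinery with an assumed flat document: a list of paragraph strings, with a position being (paragraph index, character offset), so layout effects such as visibility:collapse are deliberately out of scope. The helper names mirror the Blink functions in the snippet, and merge_end_positions reproduces its three statements so that move_paragraph_precondition_holds can evaluate the same check that the DCHECK performs, isStartOfParagraph(startOfParagraphToMove), for each branch.

```python
"""Toy model of the quoted mergeEndIfNeeded logic (constructed example).

Assumption: a document is a list of paragraph strings and a position is
(paragraph index, offset with 0 <= offset <= len(paragraph)). This is not
Blink's editing model; it only mirrors the three statements in the snippet.
"""
from typing import List, NamedTuple, Optional, Tuple


class Position(NamedTuple):
    para: int    # index into the paragraph list
    offset: int  # 0 .. len(paragraph)


def is_start_of_paragraph(pos: Position) -> bool:
    return pos.offset == 0


def start_of_paragraph(pos: Position) -> Position:
    return Position(pos.para, 0)


def in_same_paragraph(a: Position, b: Position) -> bool:
    return a.para == b.para


def next_position_of(doc: List[str], pos: Position) -> Optional[Position]:
    """Advance one character; at a paragraph end, step to the next paragraph's start."""
    if pos.offset < len(doc[pos.para]):
        return Position(pos.para, pos.offset + 1)
    if pos.para + 1 < len(doc):
        return Position(pos.para + 1, 0)
    return None  # end of document: nothing to move


def merge_end_positions(doc: List[str], start_of_inserted: Position,
                        end_of_inserted: Position
                        ) -> Tuple[bool, Optional[Position], Optional[Position]]:
    """Mirror of the snippet: (mergeForward, destination, startOfParagraphToMove)."""
    merge_forward = not (in_same_paragraph(start_of_inserted, end_of_inserted)
                         and not is_start_of_paragraph(start_of_inserted))
    destination = (next_position_of(doc, end_of_inserted) if merge_forward
                   else end_of_inserted)
    start_of_paragraph_to_move = (start_of_paragraph(end_of_inserted) if merge_forward
                                  else next_position_of(doc, end_of_inserted))
    return merge_forward, destination, start_of_paragraph_to_move


def move_paragraph_precondition_holds(doc: List[str], start_of_inserted: Position,
                                      end_of_inserted: Position) -> bool:
    """The check moveParagraph DCHECKs: isStartOfParagraph(startOfParagraphToMove)."""
    _, _, to_move = merge_end_positions(doc, start_of_inserted, end_of_inserted)
    return to_move is not None and is_start_of_paragraph(to_move)


# Constructed sample document: three paragraphs.
DOC = ["hello world", "foo bar", "baz"]

if __name__ == "__main__":
    cases = {
        "inserted content spans two paragraphs": (Position(0, 2), Position(1, 3)),
        "inserted at paragraph start, same paragraph": (Position(1, 0), Position(1, 3)),
        "mid-paragraph insert ending at paragraph end": (Position(1, 2), Position(1, 7)),
        "mid-paragraph insert ending mid-paragraph": (Position(1, 2), Position(1, 4)),
    }
    for name, (s, e) in cases.items():
        fwd, dest, to_move = merge_end_positions(DOC, s, e)
        ok = move_paragraph_precondition_holds(DOC, s, e)
        print(f"{name}: mergeForward={fwd} toMove={to_move} precondition={'ok' if ok else 'VIOLATED'}")
```

In the mergeForward branch the moved position is startOfParagraph(...), so the precondition holds by construction. In the other branch it is nextPositionOf(endOfInsertedContent), which is only a paragraph start when the inserted content happens to end exactly at a paragraph boundary; the last case in the model is the shape that trips the check.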
Jan 25 2017
Correction: I'm referring to this revision in #2 https://chromium.googlesource.com/chromium/src/+/2bc64c8bccb4197171b38138a7df5c4cf355655f%5E%21/third_party/WebKit/WebCore/editing/ReplaceSelectionCommand.cpp
Jan 25 2017
Mar 17 2017
Mar 17 2017
Shortened testcase, but it hits another crash...
blink_core.dll!blink::SelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >::Builder::collapse(const blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & position) 行 212 C++
blink_core.dll!blink::InsertParagraphSeparatorCommand::doApply(blink::EditingState * editingState) 行 575 C++
blink_core.dll!blink::CompositeEditCommand::applyCommandToComposite(blink::EditCommand * command, blink::EditingState * editingState) 行 183 C++
blink_core.dll!blink::CompositeEditCommand::insertParagraphSeparator(blink::EditingState * editingState, bool useDefaultParagraphElement, bool pasteBlockqutoeIntoUnquotedArea) 行 252 C++
blink_core.dll!blink::ReplaceSelectionCommand::doApply(blink::EditingState * editingState) 行 1143 C++
blink_core.dll!blink::CompositeEditCommand::apply() 行 133 C++
blink_core.dll!blink::executeInsertFragment(blink::LocalFrame & frame, blink::DocumentFragment * fragment) 行 373 C++
blink_core.dll!blink::executeInsertHTML(blink::LocalFrame & frame, blink::Event *, blink::EditorCommandSource, const WTF::String & value) 行 969 C++
blink_core.dll!blink::Editor::Command::execute(const WTF::String & parameter, blink::Event * triggeringEvent) 行 2820 C++
blink_core.dll!blink::Document::execCommand(const WTF::String & commandName, bool, const WTF::String & value, blink::ExceptionState & exceptionState) 行 91 C++
blink_core.dll!blink::DocumentV8Internal::execCommandMethod(const v8::FunctionCallbackInfo<v8::Value> & info) 行 3194 C++
<ol>
<table></table>
<select><optgroup label="hoge"><option></optgroup></select>
<textarea></textarea>
<svg< >
<button></button>
<i style="visibility:collapse;-webkit-appearance:square-button;"></i>
</acronym>
<ruby>
<rb style="visibility:collapse;">
<textarea xml:lang="en, nl"></textarea>
<select></select>
<svg></svg>
<table id="t2" style="visibility:collapse;"></table>
</rb>
</ruby>
</svg< >
</ol>
<script>
document.designMode = "on";
document.execCommand("SelectAll");
var oSelection=window.getSelection();
oSelection.modify('move', 'forward', 'documentboundary');
var oRange = oSelection.getRangeAt(0);
oRange.insertNode(t2);
outer = "<select><optgroup><option></option></optgroup></select>";
document.execCommand('InsertHTML',false,outer);
</script>
Mar 29 2017
Lower to Pri-2 since it is caused by unusual HTML.
May 22 2017
Bulk set to Pri-3 for cluster fuzz bugs, since these issues happen with unusual HTML.
Jul 29 2017
ClusterFuzz testcase 5779328795410432 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Jan 10 2017
Labels: Test-Predator-Wrong M-55
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)