Editor::appliedEditing should correct the command's editing selection before setting frame selection
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6200386794029056

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  getFlag
  isDocumentFragment
  blink::Node::containsIncludingHostElements

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=410916:411126

Minimized Testcase (1.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95E4oE628nPKHBaQMDFbVLeEmjCH744LNY3JC-2TmhRdJQ_21n4ZWsMVkzKhML1n9ef-CPfuMt1rRmnPqable79PX_5K49GLWRtCeIeA6pauS5EWsDfq8RE91kS1z5p3KulaNYTO8mnys89yNiZ-RzxC7ESc3CRJI13-xx-bGLNXu57PBv8RFqha05gG0rnjXvE8UQqSEqEdB8ogM7pEjipGqBpCSK7aKaLcrEXbWoqQg5BFf6FbUE8nteE1xxGKyip9UVxVELM0lBaHWFs6CjCDqNO-XuX-tIa9t7vTxEt6vFvnj4jMkPgwmDOWYLM7hUl0Vw1pufguS0lbxXgfYkPd2RfTEpVlwdA9gaJzWWriH_RNUQ?testcase_id=6200386794029056

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 24 2017
Lowering to P2 due to low usage of 'justifyCenter'.

It hits an assertion with the following stack trace:

[1:1:0124/135159.147304:1108042733148:FATAL:FrameSelection.cpp(184)] Check failed: newSelection.isValidFor(document()).
#0 0x7fce8eba536e base::debug::StackTrace::StackTrace()
#1 0x7fce8ec1324f logging::LogMessage::~LogMessage()
#2 0x7fce8570b553 blink::FrameSelection::setSelectionAlgorithm<>()
#3 0x7fce85705d31 blink::FrameSelection::setSelection()
#4 0x7fce856f7702 blink::Editor::changeSelectionAfterCommand()
#5 0x7fce856f70c9 blink::Editor::appliedEditing()
#6 0x7fce8578551e blink::CompositeEditCommand::apply()
#7 0x7fce856f6a9e blink::Editor::applyParagraphStyle()
#8 0x7fce857a694b blink::executeApplyParagraphStyle()
#9 0x7fce857a3d15 blink::executeJustifyCenter()
#10 0x7fce8579ff2c blink::Editor::Command::execute()
#11 0x7fce8579e1b5 blink::Document::execCommand()

We should clearly correct the ending selection with |correctedVisibleSelection| in Editor::appliedEditing before setting the frame selection. Some time is needed to clean up the test case, though...
Mar 1 2017
ClusterFuzz has detected this issue as fixed in range 453791:453840.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6200386794029056

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  getFlag
  isDocumentFragment
  blink::Node::containsIncludingHostElements

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=410916:411126
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=453791:453840

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95E4oE628nPKHBaQMDFbVLeEmjCH744LNY3JC-2TmhRdJQ_21n4ZWsMVkzKhML1n9ef-CPfuMt1rRmnPqable79PX_5K49GLWRtCeIeA6pauS5EWsDfq8RE91kS1z5p3KulaNYTO8mnys89yNiZ-RzxC7ESc3CRJI13-xx-bGLNXu57PBv8RFqha05gG0rnjXvE8UQqSEqEdB8ogM7pEjipGqBpCSK7aKaLcrEXbWoqQg5BFf6FbUE8nteE1xxGKyip9UVxVELM0lBaHWFs6CjCDqNO-XuX-tIa9t7vTxEt6vFvnj4jMkPgwmDOWYLM7hUl0Vw1pufguS0lbxXgfYkPd2RfTEpVlwdA9gaJzWWriH_RNUQ?testcase_id=6200386794029056

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 1 2017
ClusterFuzz testcase 6200386794029056 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Jan 20 2017
Labels: Test-Predator-Wrong M-56
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)