Issue 692371 link

Issue metadata

Status: Verified
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug
FrameSelection::selectAll() should work only for attached document

Project Member Reported by ClusterFuzz, Feb 15 2017

Issue description

Cc: nyerramilli@chromium.org
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-58
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Based on Findit results, assigning to yosin@. Could you please check the issue?

The result is a list of CLs that change the crashed files.

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d892f9592860691ae9a782c12260c94ed6bd1a63
Time: Tue Feb 14 15:56:00 2017
Lines 233-247 of file FrameSelection.cpp, which potentially caused the crash, are changed in this CL (frame #3, "blink::FrameSelection::setSelection").
Minimum distance from crash line to modified line: 0 (file: FrameSelection.cpp, crashed on: 233, modified: 233).

Comment 2 by yosin@chromium.org, Feb 20 2017

Components: -Blink>Editing Blink>Editing>Selection
Labels: -Pri-1 Pri-2
Owner: ----
Status: Available (was: Assigned)
Summary: FrameSelection::selectAll() should work only for attached document (was: Crash in blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets)
Lowered to Pri-2, since the script attempts to execute the "selectAll" command for a detached IFRAME.

Comment 3 by ClusterFuzz (Project Member), Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455392.

Detailed report: https://clusterfuzz.com/testcase?key=5338142749229056

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000005b0
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::FrameSelection::setSelection
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=450347:450401
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=455091:455392

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv964HeXM0kVzEy0j4jGl67LbK3ZqZLMDE9xUn0oQ_Jv0tK0pZ-0ae2Rwy1RohNNesHyoTD8gl8OZtp9e7fzBUZSTjPQkmdw5z0OMmwubBDpsW7TcNGwvYkuAY4bg4i5Ix_W4BPF-NMROW-L2kB3nKrtGaJmIF-Ca4YaTzqXj96JPYn0h43NGg04PyyI9Q1XObymX4wJanhHIRSycydvOE26wMRmUmFD3d_Lp2HI71Ei_cZ_FsiqE1jmsjr2bYgqG4-THZO0ABFpALLJFejVoHAMp1ORRaUuL2vxl7HyQ0gdwcgEhoPKPjwXbWgxS6z09XxKGmqRh-d57JC3BVEWggkTkd_eUtE60X8vwhN8vxvzohoqu5bz0OuOXxm8o7mgJpBhvGcMH3ASuv6TvXRl7WQ3u70zB_Q?testcase_id=5338142749229056
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-running that job on the test case report page.

Comment 4 by ClusterFuzz (Project Member), Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5338142749229056 is verified as fixed, so closing issue.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.