VIDEO w/ text track in content editable crash
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6539945784377344

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !needsLayoutTreeUpdate(m_base) in VisibleSelection.cpp
  blink::VisibleSelectionTemplate<>::validate
  blink::VisibleSelectionTemplate<>::VisibleSelectionTemplate

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=450347:450395

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97wT9m14w1HDsPm1YWfHCM7nOqpkRN-_n1AAkFD4DVdGyHbMHyG409vxCe0BebNBJjK3Y1QVet2rg2BP-4nZ6vWxTuHhIiqKHNu1JjshFWad4ppz9ft3voqwstuzhZZAdSoL0R_aC1eyG0qpKYb5BVv1yNrNCEr82dFfvfrjz4aQzgfFywJ3T6xKpZvAJ-QAiyyGe_XyEDUXPf8bZ35xr2sSeizH5YZYrMOByJkQpYZYxwBt5qvRZOx8192-MJEZ34Oj5nPTYcp8N5gxq-hmccdcE0u6vWgCOQJo2V7HGjWj2ASA1jUd95mhjM_SJd3dgFwmhyIrXYvEQaQ1yaXzT0xYnV_hoFneeV-L6seCL9yRV93cRk?testcase_id=6539945784377344

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 6 2017
Mar 6 2017
Mar 7 2017
Mar 7 2017
This bug has the same root cause as issue 372245: when there is a <track>, the DOM is modified during layout update.

Btw, I would like to merge it into 372245, but sometimes ClusterFuzz closes bugs incorrectly. It seems that if I merge a CF bug A into another non-CF bug B, CF closes B when A no longer reproduces. This can be wrong because the non-reproduction is sometimes due to test flakiness, not due to a fix.
Mar 17 2017
Not reproduced. REDO
Mar 29 2017
Lower to Pri-2, since this bug is blocked by issue 372245.

I could reproduce with the following minimized HTML:
(Needs white.webm in the same folder as the HTML file)

  <div contenteditable id="div">
  <video src="white.webm"><track></video>
  <script>
  div.focus();
  document.getElementsByTagName('track')[0].track.mode = 'showing';
  </script>
Apr 11 2017
ClusterFuzz has detected this issue as fixed in range 463085:463443.

Detailed report: https://clusterfuzz.com/testcase?key=6539945784377344

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !needsLayoutTreeUpdate(m_base) in VisibleSelection.cpp
  blink::VisibleSelectionTemplate<>::validate
  blink::VisibleSelectionTemplate<>::VisibleSelectionTemplate

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=450347:450395
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=463085:463443

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95K5-4y0xstvez-CNAhbS9mkmB1QX7kkGIriO7d4AH-g1xdkDdST6CUceakEpJsXOJlnmsA6h9uvsgUBqYkVBM3WLJzRT3t5rIOQHWkhzzEtCZOcfU2aMP4V9IcIR_a6KHc-iGGCdzD7GtnpPjqyYjynrntUz8QdeKGI5RFBUl1Jwh_D--uufWmZfp8pfGrPxtdjbyHbFt4Mg12YTOwFmM3eBanGZH8EukztwcWaUjoRUNnGmYl8oCg6bFo2FVp3wR_fhGev1Ykt98jcoZH0O4ZbezFMT0nzxSr0CKRJ0epc5scqqxhMsyFUCkRYDgTGfin3ngi4RjxcD9aOgTXyJwggObqbuy2_jNi_XjXLV-M1mjIezpFzoJJqjVpxpcGAjO9Ep-AUmV7kD7jDgvo_6Zam7Kb_A?testcase_id=6539945784377344

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 11 2017
Mark Fixed according to #c8
Comment 1 by msrchandra@chromium.org, Mar 1 2017
Labels: Test-Predator-Wrong M-58
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)