
Issue 697300

Starred by 2 users

Issue metadata

Status: Fixed
Owner: ----
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocked on:
issue 372245




VIDEO w/ text track in content editable crash

Project Member Reported by ClusterFuzz, Mar 1 2017

Issue description

Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong M-58
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Predator did not provide any possible suspects.
Assigning to the concern owner from the CL --
https://chromium.googlesource.com/chromium/src/+log/10d86e606392039058783321270ee6a8580da999..cb8b0ad6f72ce2b0127b45362fa24b1721676cbc?pretty=fuller

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/d892f9592860691ae9a782c12260c94ed6bd1a63

@yosin -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by yosin@chromium.org, Mar 6 2017

Status: Available (was: Assigned)

Comment 3 by yosin@chromium.org, Mar 6 2017

Owner: ----
Components: Blink>Editing
Blockedon: 372245
This bug has the same root cause as issue 372245: when there is a <track>, the DOM is modified during layout update.

Btw, I would like to merge it to 372245, but sometimes ClusterFuzz closes bugs incorrectly. It seems that if I merge a CF bug A into another non-CF bug B, CF closes B when A no longer reproduces. This can be wrong because the non-reproduction is sometimes due to test flakiness, not due to a fix.
Not reproduced. REDO

Comment 7 by yosin@chromium.org, Mar 29 2017

Labels: -Pri-1 Pri-2
Summary: VIDEO w/ text track in content editable crash (was: !needsLayoutTreeUpdate(m_base) in VisibleSelection.cpp)
Lowered to Pri-2, since this bug is blocked by issue 372245.

I could reproduce with the following minimized HTML:
(white.webm needs to be in the same folder as the HTML file)

<div contenteditable id="div">
<video src="white.webm"><track></video>
<script>
div.focus();
document.getElementsByTagName('track')[0].track.mode = 'showing';
</script>
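The root cause described in #c3 (the DOM is modified while a layout tree update is in progress, which the #c7 repro triggers through a <track> inside a contenteditable host) is exactly the invariant that the CHECK in the crash state, !needsLayoutTreeUpdate(m_base), enforces. The following is an added C++ sketch of the guard pattern that makes that class of bug fail at the mutation site instead of later in selection code; it is not Chromium or Blink code, and every name in it (LayoutUpdateScope, Node, mutateAfterLayout, updateLayoutTree, runScenario) is hypothetical. It models the two possible behaviours of a <track>-like element during layout: mutating synchronously (caught by the guard) and deferring the mutation until the update finishes (the safe alternative).

```cpp
// Added illustration, not Blink code. All names are hypothetical.
#include <cstddef>
#include <functional>
#include <iostream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Greater than zero while a layout tree update is in progress.
static int g_layout_update_depth = 0;
// Mutations requested during layout; applied once the update has finished.
static std::vector<std::function<void()>> g_deferred_mutations;

// RAII marker for "layout tree update in progress".
struct LayoutUpdateScope {
    LayoutUpdateScope() { ++g_layout_update_depth; }
    ~LayoutUpdateScope() { --g_layout_update_depth; }
};
inline bool inLayoutUpdate() { return g_layout_update_depth > 0; }

// Minimal DOM node: a tag, children and the "needs layout tree update" dirty bit.
struct Node {
    std::string tag;
    std::vector<Node*> children;
    bool needsLayoutTreeUpdate = true;

    // Every mutation path goes through here, so reentrancy from layout is
    // caught at the point where it happens, with the offending node named.
    void appendChild(Node* child) {
        if (inLayoutUpdate())
            throw std::logic_error("DOM mutation <" + child->tag +
                                   "> during layout tree update");
        children.push_back(child);
        needsLayoutTreeUpdate = true;
    }
};

// Safe alternative for code that learns it needs a DOM change while layout runs.
void mutateAfterLayout(std::function<void()> fn) {
    if (inLayoutUpdate())
        g_deferred_mutations.push_back(std::move(fn));
    else
        fn();
}

// Layout pass: clears dirty bits in pre-order, running a per-node side effect
// (models a <track> rebuilding its cue container), then applies deferred work.
void updateLayoutTree(Node& root, const std::function<void(Node&)>& effect) {
    {
        LayoutUpdateScope scope;
        std::vector<Node*> stack{&root};
        while (!stack.empty()) {
            Node* n = stack.back();
            stack.pop_back();
            n->needsLayoutTreeUpdate = false;
            effect(*n);
            for (Node* c : n->children) stack.push_back(c);
        }
    } // scope ends here, so deferred mutations run outside the update
    auto pending = std::move(g_deferred_mutations);
    g_deferred_mutations.clear();
    for (auto& fn : pending) fn();
}

// Precondition of the selection code in the crash state: an endpoint must not
// sit on a node whose layout tree is still stale.
bool selectionIsValid(const Node& base) { return !base.needsLayoutTreeUpdate; }

struct ScenarioResult {
    bool guardFired;        // mutation attempted inside the layout update
    bool selectionValid;    // selectionIsValid() on the editable host afterwards
    std::size_t trackChildren;
};

// Builds div > video > track (the #c7 structure) and runs one layout update.
ScenarioResult runScenario(bool trackMutatesSynchronously) {
    g_deferred_mutations.clear();
    Node div{"div"};
    Node video{"video"};
    Node track{"track"};
    Node cueBox{"div"};
    div.appendChild(&video);
    video.appendChild(&track);
    ScenarioResult r{false, false, 0};
    try {
        updateLayoutTree(div, [&](Node& n) {
            if (n.tag != "track") return;
            if (trackMutatesSynchronously)
                n.appendChild(&cueBox);                       // the buggy path
            else
                mutateAfterLayout([&n, &cueBox] { n.appendChild(&cueBox); });
        });
    } catch (const std::logic_error&) {
        r.guardFired = true;                                  // guard caught it
    }
    r.selectionValid = selectionIsValid(div);
    r.trackChildren = track.children.size();
    return r;
}

int main() {
    ScenarioResult buggy = runScenario(true), safe = runScenario(false);
    std::cout << "sync mutation: guard fired=" << buggy.guardFired
              << ", deferred mutation: track children=" << safe.trackChildren << '\n';
    return 0;
}
```

In the deferred case the cue box is appended after the update, which marks the track dirty again; a real engine would schedule a further layout update for it, so selection code that runs before that update must still check the dirty bit rather than assume the tree is clean.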

Project Member Comment 8 by ClusterFuzz, Apr 11 2017

ClusterFuzz has detected this issue as fixed in range 463085:463443.

Detailed report: https://clusterfuzz.com/testcase?key=6539945784377344

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !needsLayoutTreeUpdate(m_base) in VisibleSelection.cpp
  blink::VisibleSelectionTemplate<>::validate
  blink::VisibleSelectionTemplate<>::VisibleSelectionTemplate
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=450347:450395
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=463085:463443

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95K5-4y0xstvez-CNAhbS9mkmB1QX7kkGIriO7d4AH-g1xdkDdST6CUceakEpJsXOJlnmsA6h9uvsgUBqYkVBM3WLJzRT3t5rIOQHWkhzzEtCZOcfU2aMP4V9IcIR_a6KHc-iGGCdzD7GtnpPjqyYjynrntUz8QdeKGI5RFBUl1Jwh_D--uufWmZfp8pfGrPxtdjbyHbFt4Mg12YTOwFmM3eBanGZH8EukztwcWaUjoRUNnGmYl8oCg6bFo2FVp3wR_fhGev1Ykt98jcoZH0O4ZbezFMT0nzxSr0CKRJ0epc5scqqxhMsyFUCkRYDgTGfin3ngi4RjxcD9aOgTXyJwggObqbuy2_jNi_XjXLV-M1mjIezpFzoJJqjVpxpcGAjO9Ep-AUmV7kD7jDgvo_6Zam7Kb_A?testcase_id=6539945784377344


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by yosin@chromium.org, Apr 11 2017

Status: Fixed (was: Available)
Marked Fixed according to #c8.
