
Issue 697315


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue 657462




FormatBlock command crashes with display:table

Project Member Reported by ClusterFuzz, Mar 1 2017

Issue description

Components: Blink>Editing
Labels: Test-Predator-Wrong M-58
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Through code search on file EditingUtilities.cpp, suspected CL is 
https://chromium.googlesource.com/chromium/src/+/48aff7a40b37530a9f0c63e7169fecab3bf685d1
yosin, could you please take a look?
Thank you.

Comment 2 by yosin@chromium.org, Mar 2 2017

Components: -Blink>Editing Blink>Editing>Command
Labels: -Pri-1 Pri-2
Owner: ----
Status: Available (was: Assigned)
Summary: FormatBlock command crashes with display:table (was: isEditablePosition(position). BODY (editable)@offsetInAnchor[0 in EditingUtiliti)
Lower to Pri-2, since real world usage of FormatBlock command is low.

Comment 3 by tkent@chromium.org, Mar 16 2017

Blocking: 657462

Comment 4 by tkent@chromium.org, Mar 16 2017

Owner: tkent@chromium.org
Status: Started (was: Available)

Comment 5 by bugdroid1@chromium.org, Mar 16 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/af861c1f7d2bfe863febea4fd6a5d14483c30b48

commit af861c1f7d2bfe863febea4fd6a5d14483c30b48
Author: tkent <tkent@chromium.org>
Date: Thu Mar 16 10:45:44 2017

Editing: Content of display:table elements should be editable.

There are no problems with adding arbitrary content to an element with
display:table if it's not <table>.

This CL fixes broken editing/deleting/display-table.html.

Because we don't want to change TextIterator behavior, this CL copies the old
implementation of isDisplayInsideTable() to TextIterator.cpp.

BUG= 697315 

Review-Url: https://codereview.chromium.org/2757553002
Cr-Commit-Position: refs/heads/master@{#457393}

[modify] https://crrev.com/af861c1f7d2bfe863febea4fd6a5d14483c30b48/third_party/WebKit/LayoutTests/editing/deleting/display-table.html
[modify] https://crrev.com/af861c1f7d2bfe863febea4fd6a5d14483c30b48/third_party/WebKit/Source/core/editing/EditingUtilities.cpp
[modify] https://crrev.com/af861c1f7d2bfe863febea4fd6a5d14483c30b48/third_party/WebKit/Source/core/editing/EditingUtilities.h
[modify] https://crrev.com/af861c1f7d2bfe863febea4fd6a5d14483c30b48/third_party/WebKit/Source/core/editing/iterators/TextIterator.cpp

Comment 6 by tkent@chromium.org, Mar 16 2017

Status: Fixed (was: Started)

Comment 7 by ClusterFuzz, Mar 18 2017

ClusterFuzz has detected this issue as fixed in range 456626:457730.

Detailed report: https://clusterfuzz.com/testcase?key=4719629877641216

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isEditablePosition(position). BODY (editable)@offsetInAnchor[0 in EditingUtiliti
  blink::trailingWhitespacePosition
  blink::DeleteSelectionCommand::initializePositionData
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=371266:371274
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=456626:457730

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv976_O_NSFyhZ5yTPxJSuFrknHJObJKNa6TPJjPaJMJQT0XIp8AVBi3FPidNwNMyvbpgeAmp80gkd9iA-S2zvS19Ig56lJLVtXW4e8coMykWlNvMnXlLICjR6PwloeNYK8r0LKmUjJ2tHRetcLujvxVctzXm2E0OOMvGCK2-fKlEnawTWGEEh2aplSvhwFh1XGXP1jL4PjfefjuKnkRHlLdZK6dF2xa2OuLeUnmrxTVAsWrP6zQcuEGF0T_t8ilkxhX7m-UuV97Yk7BV5qpPN5E9P4eH8XTyniCkii_0MW_8FgkrHuNGT-gvXrr1RG02QQAjc707OHFDk4APNaqGeGU5EpwniR12lMlI70LSYKs6ExK733MEfl8nKUBGLL5iwCV8nws1ft7Vxm9TWBF5kH_pyyIblg?testcase_id=4719629877641216


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
