
Issue 697319

Starred by 3 users

Issue metadata

Status: Verified
Closed: Mar 2017
OS: Linux
Pri: 1
Type: Bug


Crash in blink::StaticRange::create

Reported by ClusterFuzz (Project Member), Mar 1 2017

Issue description

Components: Blink>Editing
Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs M-58
Owner: chongz@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files.

Author: chongz
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/73324e59ad313ca374603b571167e688ca505080
Time: Mon Feb 27 19:55:29 2017
Lines 2075-2080 of file EditingUtilities.cpp, which potentially caused the crash, are changed in this CL (frame #4, "blink::targetRangesForInputEvent").

File EditorCommand.cpp is changed in this CL (and is part of stack frame #5, "blink::Editor::Command::getTargetRanges"; frame #6, "blink::Editor::Command::execute").
Minimum distance from crash line to modified line: 0 (file: EditingUtilities.cpp, crashed on: 2080, modified: 2080).

@chongz -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Comment 3 by bugdroid1@chromium.org (Project Member), Mar 3 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b05824d69f2a8403552ef9e29bebdece24005400

commit b05824d69f2a8403552ef9e29bebdece24005400
Author: chongz <chongz@chromium.org>
Date: Fri Mar 03 17:46:30 2017

[InputEvent] Add null check before converting Range to StaticRange

It's possible for |firstRangeOf()| to return null (see test case), and we shouldn't try to
construct StaticRange in this case.

BUG=697319

Review-Url: https://codereview.chromium.org/2727293003
Cr-Commit-Position: refs/heads/master@{#454614}

[add] https://crrev.com/b05824d69f2a8403552ef9e29bebdece24005400/third_party/WebKit/LayoutTests/fast/events/inputevents/inputevent-invalid-selection-crash.html
[modify] https://crrev.com/b05824d69f2a8403552ef9e29bebdece24005400/third_party/WebKit/Source/core/editing/EditingUtilities.cpp
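
The null check described in the commit above, modelled as an added example; this is not Chromium's code. The types and functions below (Node, Range, StaticRange::create, Selection, firstRangeOf, targetRangesBuggy, targetRangesFixed) are simplified stand-ins for the Blink entities named in the stack trace, not their real definitions. The "before" function shows why ClusterFuzz reports this as an UNKNOWN READ at 0x00000008: reading a member through a null Range pointer faults at the member's offset, not at a heap address, which is the typical signature of a null dereference rather than a heap-safety bug.

```cpp
// Added example, not Chromium code: a simplified model of the null check the
// commit above adds before converting a Range into a StaticRange. The types
// and function names are stand-ins for the Blink ones in the stack trace
// (Range, StaticRange::create, firstRangeOf, targetRangesForInputEvent),
// not their real definitions. Compiles as C++11.
#include <cstdio>
#include <vector>

// Stand-in for a DOM node.
struct Node {
    int id;
};

// Stand-in for a live DOM Range: two (container, offset) boundary points.
struct Range {
    Node* startContainer;
    int startOffset;
    Node* endContainer;
    int endOffset;
};

// Stand-in for blink::StaticRange: an immutable snapshot of a Range's
// boundary points, the kind of object exposed via InputEvent.getTargetRanges().
struct StaticRange {
    Node* startContainer;
    int startOffset;
    Node* endContainer;
    int endOffset;

    // Copies the boundary points out of |range|. If |range| is null, the
    // member reads below fault at a small address (the member's offset from
    // 0), which ASan reports as an UNKNOWN READ rather than a heap error.
    static StaticRange create(const Range* range) {
        StaticRange result = {range->startContainer, range->startOffset,
                              range->endContainer, range->endOffset};
        return result;
    }
};

// Stand-in for a selection. A "none" selection, for example after the
// selected content was removed from the document, holds no range at all.
struct Selection {
    bool hasRange;
    Range range;
};

// Stand-in for firstRangeOf(): returns null when the selection has no range.
const Range* firstRangeOf(const Selection& selection) {
    return selection.hasRange ? &selection.range : nullptr;
}

// Pre-fix shape of targetRangesForInputEvent(): converts unconditionally.
// Dereferences null when firstRangeOf() returns null (undefined behaviour;
// never call it with a range-less selection).
std::vector<StaticRange> targetRangesBuggy(const Selection& selection) {
    const Range* range = firstRangeOf(selection);
    std::vector<StaticRange> ranges;
    ranges.push_back(StaticRange::create(range));
    return ranges;
}

// Post-fix shape: no range means no target ranges, so return an empty list
// instead of building a StaticRange from a null pointer.
std::vector<StaticRange> targetRangesFixed(const Selection& selection) {
    const Range* range = firstRangeOf(selection);
    std::vector<StaticRange> ranges;
    if (!range)
        return ranges;
    ranges.push_back(StaticRange::create(range));
    return ranges;
}

int main() {
    // Constructed sample input: one text node selected from offset 0 to 3.
    Node textNode = {1};
    Range r = {&textNode, 0, &textNode, 3};
    Selection withRange = {true, r};
    Selection noRange = {false, Range()};

    std::printf("with range: %zu target range(s)\n",
                targetRangesFixed(withRange).size());
    std::printf("no range:   %zu target range(s)\n",
                targetRangesFixed(noRange).size());
    // targetRangesBuggy(noRange) would crash with a null dereference.
    return 0;
}
```

The fixed function mirrors the commit's intent: when there is no selection range, the input event simply reports no target ranges, which is what the spec allows for commands that have nothing to delete or replace.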

Comment 4 by ClusterFuzz (Project Member), Mar 4 2017

ClusterFuzz has detected this issue as fixed in range 454459:454618.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5984750864171008

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  blink::StaticRange::create
  blink::targetRangesForInputEvent
  blink::Editor::Command::getTargetRanges
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=453249:453322
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=454459:454618

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94fGP5WDp2pAB1hN09Lwia0pX7AXg4heWUf5eZmAitl_oBR0gEOdxYj23b62HSS8uln2qlRdqEfAS6SeMApUevomUpI0nEmpfjtMi4GsU2AclA9W-_iPPb4_QfbOvHIyqimMWwwqTbk7xeHrQ1M1wOAy2Ondma-TjB9PNQcbcpH65NXW1UKo_tXjZ4nAcGxKd4N90QuC6R3sKqCK9d0ykO2oIimUSrqSEfo4PQk_U5K8-zuT75qvpFXptvS4tSuN4gRGfMNv-c1CMEQuPrxrrhcLxV8TXF-D-vFS4OmOV2b9q_N1PWuaibuVc_okl-L81X_BJC6nB45JiLXTBW3C2JQnkkluoe_HzmQrxW5oD_Yt-BjSeQ?testcase_id=5984750864171008


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Mar 4 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5984750864171008 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by chongz@chromium.org, Mar 22 2017

Issue 704076 has been merged into this issue.

Comment 7 by chongz@chromium.org, Mar 22 2017

Labels: Merge-Request-58
Comment 8 by sheriffbot@chromium.org (Project Member), Mar 22 2017

Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by chongz@chromium.org, Mar 22 2017

Labels: -Merge-Approved-58 merge-merged-3029
Merged in patch https://codereview.chromium.org/2763833006, but not sure why it doesn't show up here.
