
Issue 697392 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Crash in blink::Node::containsIncludingHostElements

Reported by ClusterFuzz (Project Member), Mar 1 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>DOM
Labels: Test-Predator-Wrong M-58
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file "FrameSelection.cpp", from Git Blame, assigning to the concerned owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/d892f9592860691ae9a782c12260c94ed6bd1a63

@yosin -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by yosin@chromium.org, Mar 6 2017

Status: Available (was: Assigned)

Comment 3 by yosin@chromium.org, Mar 6 2017

Owner: ----

Comment 4 by tkent@chromium.org, Mar 15 2017

Components: -Blink>DOM Blink>Editing
Redo

Comment 6 by kochi@chromium.org, Mar 16 2017

yoichio@ this looks identical to issue 677593 - if you can confirm, could you
merge to one?

Cc: brajkumar@chromium.org
Issue 677593 has been merged into this issue.

Comment 8 by kochi@chromium.org, Mar 17 2017

Throwing the unminimized test case from the clusterfuzz page to
M57 stable chrome (57.0.2987.98 64bit win) reproduced crash locally.
(fyi, my crash is crash/595673c660000000 )
I have never succeeded in reproducing this on Linux.

yoichio@, could you own this?  The backtrace indicates that
selection is being recomputed by innerHTML call.
(innerHTML -> removeChildren -> computePositionForChildrenRemoval)

Comment 9 by yosin@chromium.org, Mar 29 2017

Status: Fixed (was: Available)
Mark Fixed since the test case doesn't crash on canary and ToT.

Comment 10 by ClusterFuzz (Project Member), Apr 17 2017

ClusterFuzz has detected this issue as fixed in range 450818:452941.

Detailed report: https://clusterfuzz.com/testcase?key=5981318900088832

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  blink::Node::containsIncludingHostElements
  blink::computePositionForChildrenRemoval
  blink::FrameSelection::nodeChildrenWillBeRemoved
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=443903:443909
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=450818:452941

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95X99NVgAp-UmMnBcfBOnjzYfyKWHC3O5w-1y7FS4kDa04_wcS4a__6-RGXQgtrKvh5ymgokM3Bz7oExUVpgtRJ0dHTLjCrEtvQ_c22J2NhF75ECo4fhkiPpmMjR299i1kXECnRuQkW3END3XVDQNGeT3OqShbR8Vh0KY_s3CcAAaLvpt7lredNtC6mmJATYKQn9TdPrW996XzvAcU084YU_B5imM7gS830W3QJr9qRl5nNzI2AiepE5bKIgp2wRwQXiis040XTH0n1eWuU4XuaHV0Vpcrjs8NVCNX61zfetxCFYQp-LZG8fJ6hOaZQQlx2Hy2HAwN-d61zV2H2X1xq_Sjqa67qt709Q3Qsj_lD338nP84?testcase_id=5981318900088832


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
