Crash in blink::FlatTreeTraversal::TraverseChild
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5001552394977280

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::FlatTreeTraversal::TraverseChild
  blink::FlatTreeTraversal::ChildAt
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454233:454289

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95MuacFhb26QOpG06OcjsNbW4qqfPKQkM5ZfPF_cj1Huh7fSCDt3Vi0sudYoxO-LtYzugw1UGKk9SCdc_wv2yksA20XBwyaJM8fQwWp2ivoQ_ZWlNBew0sZzAdEiXUdRm3QWaJACaGvnXaxdFcioC7fvBePxLKyk16W1veGTbZ-A9jGCiW9iQ62sA4IeO3SmRIzUQYmcZpbtouvxhGaDKl95NImLTpxIxz5fdjFGeF1uKoCtlewqmPnxatBDXTq1_FAM1E1ByWXT5m1r5RpBwR9sjFbISHcxp0hyCY57g6pbXQ_bbmPcfXENwZFlB6a5jekAZjlfrQ60YgyBYtp8_G01RjwE_3Hv4SY7v_KJvi8DbpF4Etard9ESi_nNjcfez0WDbE7yK10hkbyT9SU7m7Fd7PAmw?testcase_id=5001552394977280

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 12 2017
Here is minimized HTML:
<input>
<script>
document.execCommand('selectAll');
getSelection().modify('extend', 'forward', 'sentence');
document.body.createShadowRoot();
</script>
Apr 12 2017
Lower to Pri-2, since real-world usage of Selection#modify() with 'sentence' is low.
Apr 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0cbb9fc2999813a837b8ee0483f77e3879cc25e0

commit 0cbb9fc2999813a837b8ee0483f77e3879cc25e0
Author: xiaochengh <xiaochengh@chromium.org>
Date: Thu Apr 27 15:04:10 2017

Stop flat tree selection canonicalization from using invalid positions

There are some valid DOM positions (*) that do not have corresponding valid flat tree positions. This patch adds special handling of such DOM positions, so that when computing VisibleSelectionInFlatTree from SelectionInDOMTree, such positions are converted to NULL instead of invalid flat tree positions, so that the renderer does not crash.

(*) If NODE is a direct child of a shadow host but is not distributed into the flat tree, NODE@BeforeAnchor and NODE@AfterAnchor are valid Position but invalid PositionInFlatTree. This patch handles these two kinds of positions.

BUG=702756,709872,712984
TEST=FrameSelectionTest.SelectInvalidPositionInFlatTreeDoesntCrash

Review-Url: https://codereview.chromium.org/2850443002
Cr-Commit-Position: refs/heads/master@{#467676}

[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/FrameSelectionTest.cpp
[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/Position.cpp
[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/SelectionEditor.cpp
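An added example, not code from the bug report or from the Blink patch, that models the condition the commit message describes: a light-DOM child of a shadow host that is not distributed into the flat tree has no flat-tree position, so a selection boundary anchored before or after it must become null rather than an invalid position. It assumes Shadow DOM v1 names (shadowRoot, assignedSlot, ShadowRoot.host) in place of the v0 createShadowRoot() in the repro, and generalizes the before/after case to any anchor node unreachable in the flat tree.

```javascript
// Added example (not the bug's or Blink's code). Models why a DOM position on an
// undistributed shadow-host child has no flat-tree counterpart, and converts such
// positions to null as the fix does. Assumption: Shadow DOM v1 property names.

// True when `node` is a light-DOM child of a shadow host that no <slot> claims.
function isUndistributedHostChild(node) {
  const parent = node.parentNode;
  return Boolean(parent && parent.shadowRoot && !node.assignedSlot);
}

// Flat-tree parent: a slotted node hangs under its slot, a shadow root's
// children hang under the host, everything else keeps its DOM parent.
function flatTreeParent(node) {
  if (node.assignedSlot) return node.assignedSlot;
  const parent = node.parentNode;
  return parent && parent.host ? parent.host : parent;
}

// A node has a flat-tree position only if nothing on its path to the root is
// an undistributed host child (the patch's (*) case, applied along the path).
function hasFlatTreePosition(node) {
  for (let n = node; n; n = flatTreeParent(n)) {
    if (isUndistributedHostChild(n)) return false;
  }
  return true;
}

// Counterpart of the patch's conversion: null instead of an invalid position.
function toFlatTreePosition(anchorNode, anchorType) {
  if (!hasFlatTreePosition(anchorNode)) return null;
  return { node: anchorNode, type: anchorType };
}

// Constructed stand-in for the repro's DOM so the check runs outside a browser:
// <body> gets a shadow root with no <slot>, so its child <input> is never
// distributed. With `withSlot`, a <slot> in the shadow tree distributes it.
function buildTree(withSlot) {
  const body = { nodeName: 'BODY', parentNode: null, shadowRoot: null, assignedSlot: null };
  const shadow = { nodeName: '#shadow-root', parentNode: null, host: body };
  body.shadowRoot = shadow;
  const input = { nodeName: 'INPUT', parentNode: body, shadowRoot: null, assignedSlot: null };
  if (withSlot) {
    input.assignedSlot = { nodeName: 'SLOT', parentNode: shadow, shadowRoot: null, assignedSlot: null };
  }
  return input;
}
```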
Apr 28 2017
With the fix landed, will redo next week.
Apr 28 2017
ClusterFuzz has detected this issue as fixed in range 467672:467685.

Detailed report: https://clusterfuzz.com/testcase?key=5001552394977280

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::FlatTreeTraversal::TraverseChild
  blink::FlatTreeTraversal::ChildAt
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454233:454289
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=467672:467685

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5001552394977280

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 28 2017
Mark Fixed according to #c5 and #c6
Comment 1 by msrchandra@chromium.org, Apr 10 2017
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-59
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)