
Issue 733160


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 6
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug




JustifyLeft command crashes with unusual HTML

Reported by ClusterFuzz (Project Member), Jun 14 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4801527714938880

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::CreateMarkupAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal>
  blink::CreateMarkup
  blink::CompositeEditCommand::MoveParagraphs
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4801527714938880


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink
Labels: M-61 Test-Predator-Correct-CLs
Owner: lukasza@chromium.org
Status: Assigned (was: Untriaged)
The result is a list of CLs that change the crashed files.

Author: lukasza
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/88f78352fa3d325662153e2a1e50f46cccce1303
Time: Thu Apr 13 02:31:35 2017
Line 296 of file Serialization.cpp, which potentially caused the crash, is changed in this CL (frame #3, "blink::CreateMarkup").
Minimum distance from crash line to modified line: 0 (file: Serialization.cpp, crashed on: 296, modified: 296).

@lukasza: Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Components: -Blink Blink>Editing
Components: -Blink>Editing Blink>Editing>Serialization
Labels: -Test-Predator-Correct-CLs Test-Predator-Wrong
Summary: CHECK / RELEASE_ASSERT: |start_position| is *after* |end_position| in blink::CreateMarkupAlgorithm (was: Null-dereference READ in blink::CreateMarkupAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal>)
eae@ - could you PTAL (since the failing CHECK has been touched by your r370551 and is possibly related to issue 570255). FWIW, my CL (the one from #c1) was only changing some names in the code / wasn't changing code behavior - I think it is highly unlikely that my CL is the culprit.
Owner: e...@chromium.org
Really assigning to eae@ this time...

Comment 5 by yosin@chromium.org, Jul 31 2017

Components: -Blink>Editing>Serialization Blink>Editing>Command
Labels: -Pri-1 Pri-3
Owner: ----
Status: Available (was: Assigned)
Summary: JustifyLeft command crashes with unusual HTML (was: CHECK / RELEASE_ASSERT: |start_position| is *after* |end_position| in blink::CreateMarkupAlgorithm)
Lower to Pri-3 since real world usage of JustifyLeft command is low.
Comment 6 by ClusterFuzz (Project Member), Oct 1 2017

Components: Blink>Editing
Labels: Test-Predator-AutoComponents
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 7 by ClusterFuzz (Project Member), Oct 4 2017

Labels: Test-Predator-AutoOwner
Owner: lukasza@chromium.org
Status: Assigned (was: Available)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/88f78352fa3d325662153e2a1e50f46cccce1303 (Blink Rename follow-up: URLs --big-rename--> _ur_ls --this-fix--> _urls.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Owner: ----
Status: Available (was: Assigned)
Sorry for the reassignment. We just enabled this, but we should be ensuring that we don't assign to someone that's already removed themselves as owner. Will fix on the ClusterFuzz side.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components
Labels: -Test-Predator-AutoOwner Test-Predator-Auto-Owner
Comment 11 by ClusterFuzz (Project Member), Sep 6

Labels: -Reproducible Unreproducible
ClusterFuzz testcase 4801527714938880 appears to be flaky, updating reproducibility label.
Comment 12 by ClusterFuzz (Project Member), Sep 6

Status: WontFix (was: Available)
ClusterFuzz testcase 4801527714938880 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
