InsertText command crashes with unusual HTML |
|||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5309152498024448 Fuzzer: bj_broddelwerk Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000010 Crash State: blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> > blink::MostBackwardCaretPosition blink::CanonicalPositionOf Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=467954:467967 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5309152498024448 Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 11 2017
Predator and CL did not provide any possible suspects. Using Code Search for the file, "PositionIterator.cpp" assigning to the concern owner who might be related. @yosin -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
,
Jul 12 2017
,
Jul 12 2017
Lower to Pri-3, since this is caused by unusual HTML. Hit DCHECK(position.IsConnected()) in SelectionTemplate<Strategy>::Builder::Collapse The root cause is TypingCommand::InsertText() attempt to set disconnected selection as below. SINPUT class="CLASS2" S #shadow-root S DIV id="inner-editor" start: beforeAnchor end: offsetInAnchor[2] DOM Tree: #document (editable) * HTML (editable) HEAD (editable) g class="CLASS6" (editable) HEAD (editable) #text "\n" DD (editable) #text "\n" svg (editable) #text "\n" #text "\n" svg (editable) #text "\n" g (editable) #text "\n" svg (editable) #text "\n" use (editable) #shadow-root #text "\n\n" #text "\n" g class="CLASS1" (editable) #text "\n" foreignObject class="CLASS10 CLASS2" (editable) #text "\n\n\n\n\n\n" H3 (editable) #text "\n" #text "\n" TABLE class="CLASS6" (editable) #text "\n" CAPTION class="CLASS4" (editable) #text "\n" g class="CLASS6" (editable)
,
Jul 17 2017
ClusterFuzz has detected this issue as fixed in range 486715:486734. Detailed report: https://clusterfuzz.com/testcase?key=5309152498024448 Fuzzer: bj_broddelwerk Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000010 Crash State: blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> > blink::MostBackwardCaretPosition blink::CanonicalPositionOf Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=467954:467967 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=486715:486734 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5309152498024448 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 17 2017
ClusterFuzz has detected this issue as fixed in range 486715:486734. Detailed report: https://clusterfuzz.com/testcase?key=5309152498024448 Fuzzer: bj_broddelwerk Job Type: mac_asan_chrome Platform Id: mac Crash Type: Null-dereference READ Crash Address: 0x000000000010 Crash State: blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> > blink::MostBackwardCaretPosition blink::CanonicalPositionOf Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=467954:467967 Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=486715:486734 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5309152498024448 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jul 17 2017
ClusterFuzz testcase 5309152498024448 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue. |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by patricia...@chromium.org
, Jul 11 2017