
Issue 758761

Issue metadata

Status: Duplicate
Merged: issue 759364
Owner:
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




LayoutSelection::Commit() causes null-reference

Project Member Reported by ClusterFuzz, Aug 24 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4704336059039744

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  GetFlag
  HasRareData
  GetLayoutObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=496838:496888

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4704336059039744

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>DOM
Labels: Test-Predator-Wrong-CLs M-62 CF-NeedsTriage

Comment 2 by hayato@chromium.org, Aug 29 2017

Components: -Blink>DOM Blink>Editing
It looks related to editing, as per the stack trace.

#0 0x7fa42fc8a9ce in GetFlag third_party/WebKit/Source/core/dom/Node.h
#1 0x7fa42fc8a9ce in HasRareData third_party/WebKit/Source/core/dom/Node.h:932
#2 0x7fa42fc8a9ce in GetLayoutObject third_party/WebKit/Source/core/dom/Node.h:613
#3 0x7fa42fc8a9ce in CalcSelectionRangeAndSetSelectionState third_party/WebKit/Source/core/editing/LayoutSelection.cpp:393
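The stack above (GetFlag → HasRareData → GetLayoutObject, all inlined from Node.h) together with the reported crash address 0x000000000010 is the classic signature of a member load through a null `this`: the faulting address is just the offset of the flags word inside the object. The following is an added illustration, not Blink code and not the fix that landed in issue 759364. The `Node` layout (two pointer-sized slots before a 32-bit flags field, 64-bit build) is a constructed assumption chosen so the flags field sits at offset 0x10; `UnguardedLayoutObject` stands in for the call at LayoutSelection.cpp:393 and `GuardedLayoutObject` shows the null check that prevents the read.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed stand-in for the inlined Blink call chain in the stack trace
// (Node::GetLayoutObject -> HasRareData -> GetFlag). Layout is an ASSUMPTION
// for illustration only: two pointer-sized slots, then a 32-bit flags word,
// so on a 64-bit build node_flags lands at offset 0x10, matching the crash
// address a null `this` would produce.
struct LayoutObject { int kind; };
struct NodeRareData { LayoutObject* layout_object; };

struct Node {
  void* first_slot;      // offset 0x00 (assumed)
  void* second_slot;     // offset 0x08 (assumed)
  uint32_t node_flags;   // offset 0x10 (assumed): the load that faults
  union {
    LayoutObject* layout_object;  // used when the node has no rare data
    NodeRareData* rare_data;      // used when kHasRareDataFlag is set
  } data;

  enum : uint32_t { kHasRareDataFlag = 1u << 3 };

  // Reads this->node_flags, i.e. *(this + 0x10). With this == nullptr the
  // CPU faults on address 0x10, which is exactly what ASan reported.
  bool GetFlag(uint32_t mask) const { return (node_flags & mask) != 0; }
  bool HasRareData() const { return GetFlag(kHasRareDataFlag); }
  LayoutObject* GetLayoutObject() const {
    return HasRareData() ? data.rare_data->layout_object : data.layout_object;
  }
};

// Offset of the faulting member; a triager compares this against the
// sanitizer's "Crash Address" to confirm the object pointer was null rather
// than a wild or freed pointer.
constexpr size_t kFlagsOffset = offsetof(Node, node_flags);

// Mirrors the unguarded call site: a null `node` dereferences null + 0x10.
LayoutObject* UnguardedLayoutObject(const Node* node) {
  return node->GetLayoutObject();
}

// Hardened variant: bail out before touching the flags word.
LayoutObject* GuardedLayoutObject(const Node* node) {
  if (!node) return nullptr;
  return node->GetLayoutObject();
}

int main() {
  LayoutObject lo{1};
  Node plain{};
  plain.data.layout_object = &lo;

  NodeRareData rd{&lo};
  Node rare{};
  rare.node_flags = Node::kHasRareDataFlag;
  rare.data.rare_data = &rd;

  std::printf("node_flags offset: 0x%zx\n", kFlagsOffset);
  std::printf("guarded(nullptr): %p\n", static_cast<void*>(GuardedLayoutObject(nullptr)));
  std::printf("guarded(plain):   %p\n", static_cast<void*>(GuardedLayoutObject(&plain)));
  std::printf("guarded(rare):    %p\n", static_cast<void*>(GuardedLayoutObject(&rare)));
  // UnguardedLayoutObject(nullptr) would SIGSEGV here with fault address
  // kFlagsOffset; under ASan that is reported as "Null-dereference READ".
  return 0;
}
```

Reading a ClusterFuzz report this way is the useful habit: a crash address below the page size that equals a member offset points at a missing null check on the object, not at memory corruption, which is why the triage here went to Blink>Editing rather than a memory-safety component.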

Comment 3 by yosin@chromium.org, Aug 29 2017

Owner: yoichio@chromium.org
Status: Assigned (was: Untriaged)
Summary: LayoutSelection::Commit() causes null-reference (was: Null-dereference READ in GetFlag)
yoichio@, could you take look?
Mergedinto: 759364
Status: Duplicate (was: Assigned)
Project Member Comment 5 by ClusterFuzz, Sep 10 2017

ClusterFuzz has detected this issue as fixed in range 500805:500806.

Detailed report: https://clusterfuzz.com/testcase?key=4704336059039744

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  GetFlag
  HasRareData
  GetLayoutObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=496838:496888
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=500805:500806

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4704336059039744

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
