Issue 772449

Starred by 2 users

Issue metadata

Status: Verified
Owner: ----
Closed: Dec 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




FormatBlock crashes with unusual HTML containing SVG

Project Member Reported by ClusterFuzz, Oct 6 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4831739850784768

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  GetFlag
  isConnected
  blink::Node::IsDescendantOf
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=297214:297254

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4831739850784768

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Oct 6 2017

Components: Blink>DOM
Labels: Test-Predator-AutoComponents
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: msrchandra@chromium.org pnangunoori@chromium.org
Labels: M-62 Test-Predator-Wrong CF-NeedsTriage
Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.
Thank You.

Comment 3 by kochi@chromium.org, Oct 10 2017

Cc: kochi@chromium.org
Components: -Blink>DOM Blink>Editing
Status: Available (was: Untriaged)
With a debug build and the minimized test case from ClusterFuzz,
I got the following backtrace:

[1:1:1010/173441.749787:710971728942:FATAL:EditingUtilities.cpp(291)] Check failed: a.IsNotNull(). 
#0 0x7fe639659dbd base::debug::StackTrace::StackTrace()
#1 0x7fe6396581ec base::debug::StackTrace::StackTrace()
#2 0x7fe6396de8ba logging::LogMessage::~LogMessage()
#3 0x7fe631a298f3 blink::ComparePositions()
#4 0x7fe631ada6af blink::CompositeEditCommand::MoveParagraphWithClones()
#5 0x7fe631af5403 blink::FormatBlockCommand::FormatRange()
#6 0x7fe631abebca blink::ApplyBlockElementCommand::FormatSelection()
#7 0x7fe631af4cf8 blink::FormatBlockCommand::FormatSelection()
#8 0x7fe631abe315 blink::ApplyBlockElementCommand::DoApply()
#9 0x7fe631ad2c6d blink::CompositeEditCommand::Apply()
#10 0x7fe631aed623 blink::ExecuteFormatBlock()
#11 0x7fe631aead59 blink::Editor::Command::Execute()
#12 0x7fe631ae9223 blink::Document::execCommand()
#13 0x7fe632a60f36 blink::DocumentV8Internal::execCommandMethod()
#14 0x7fe632a60417 blink::V8Document::execCommandMethodCallback()
#15 0x7fe6338a22f2 v8::internal::FunctionCallbackArguments::Call()
#16 0x7fe63399d8f3 v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#17 0x7fe63399bae3 v8::internal::Builtin_Impl_HandleApiCall()
#18 0x7fe63399b4ad v8::internal::Builtin_HandleApiCall()
#19 0x2ff950a047e4 <unknown>

Forwarding to Editing team.

Comment 4 by yosin@chromium.org, Oct 10 2017

Components: -Blink>Editing Blink>Editing>Command
Labels: -Pri-1 Pri-3
Summary: FormatBlock crashes with unusual HTML containing SVG (was: Null-dereference READ in GetFlag)
Lowering to Pri-3 since real-world usage of the "FormatBlock" command is low.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components

Comment 6 by ClusterFuzz, Nov 7 2017

Labels: Test-Predator-Auto-CC
Automatically adding ccs based on suspected regression changelists:

https://chromium.googlesource.com/chromium/src/+/ae846887d618ba498e64d79de606c8851e62f6da (Add base::Reversed() as an adapter for range-based for loops in reverse by mdempsky@chromium.org)
https://chromium.googlesource.com/chromium/src/+/767ea6b133ce5e1818ac6f41c6210ba073a686b4 (Cleanup. by pkasting@chromium.org)
https://chromium.googlesource.com/chromium/src/+/a772c842fc3107346666ba7884e2d062fa6a5537 (cc:: Remove main_frame_before_draw_enabled from scheduler settings. by orglofch@chromium.org)
If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Please ignore the Test-Predator-Auto-CC comment spam above; there was a bug in our script that caused it to create the same comment multiple times and also did not add CCs properly.

Comment 14 by kochi@chromium.org, Nov 16 2017

Cc: -kochi@chromium.org

Comment 15 by ClusterFuzz, Dec 22 2017

ClusterFuzz has detected this issue as fixed in range 525936:525937.

Detailed report: https://clusterfuzz.com/testcase?key=4831739850784768

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  GetFlag
  isConnected
  blink::Node::IsDescendantOf
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=297214:297254
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=525936:525937

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4831739850784768

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 16 by ClusterFuzz, Dec 22 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 4831739850784768 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
