Crash due to FrameSelection ended up in an invalid state |
||||||||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=5768108689326080 Fuzzer: bj_broddelwerk Job Type: windows_asan_content_shell Platform Id: windows Crash Type: Breakpoint Crash Address: 0x08aea880 Crash State: blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=471041:471079 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5768108689326080 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Oct 9 2017
Unable to provide possible suspect using Predator, CL and Code Search. Could someone please look into the issue. Thank You.
,
Oct 9 2017
I'll take a look for IdleSpellCheckCallback
,
Oct 10 2017
This is again due to insufficient sanitization of positions restored from UndoStack.
Minimum repro:
<div contenteditable id=host></div>
<div contenteditable id=other>foo bar baz.</div>
<script>
// Must be long enough so that SimplifiedBackwardsTextIterator is used to compute the checking range
host.innerHTML = 'bla. '.repeat(256);
host.focus();
getSelection().collapse(host, 1);
document.execCommand('insertText', false, 'zz..');
host.firstChild.deleteData(host.firstChild.length - 1, 1);
// Now the undo stack stores an invalid ending selection for the insertTextCommand
// Move selection the other editable, so that spellchecker computes the checking range in the first editable using the selection stored in UndoStack instead of the current selection
other.focus();
// Hit DCHECK when spellchecker is invoked
</script>
,
Oct 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0983bb664cb182476d81f806691cbda8ad58e95a commit 0983bb664cb182476d81f806691cbda8ad58e95a Author: Xiaocheng Hu <xiaochengh@chromium.org> Date: Thu Oct 12 01:51:59 2017 Add offset range check in PositionTemplate::IsValidFor() A stored Position can be invalidated when DOM mutations decreases the max offset in its anchor node, making the stored offset invalid. This patch adds the check to declare such positions as invalid, so that we won't be mistakenly using it in, for example, spellchecker. Bug: 772718 Change-Id: I4b520c421adf1a3ff903785cbfb430f3e7751a33 Reviewed-on: https://chromium-review.googlesource.com/707687 Commit-Queue: Yoshifumi Inoue <yosin@chromium.org> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org> Cr-Commit-Position: refs/heads/master@{#508216} [modify] https://crrev.com/0983bb664cb182476d81f806691cbda8ad58e95a/third_party/WebKit/LayoutTests/editing/spelling/spelling-changed-text.html [modify] https://crrev.com/0983bb664cb182476d81f806691cbda8ad58e95a/third_party/WebKit/Source/core/editing/Position.cpp
,
Oct 12 2017
,
Oct 19 2017
ClusterFuzz testcase 5768108689326080 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
,
Oct 19 2017
Reopen as of #7.
,
Oct 19 2017
There's another crash cause in the repro case that, we ended up with an invalid FrameSelection. It crashes when IdleSpellCheckCallback::HotModeInvocation() is called on that invalid FrameSelection. Re-assign to yosin@, who understands the SelectionEditor, the class maintaining FrameSelection upon DOM changes.
,
Oct 20 2017
>#c9, could you explain about "invalid FrameSelection"? Is IdleSpellCheckCallback::HotModeInvocation() called for detached frame? Or, failed to relocate SelectionInDOMTree in SelectionEditor?
,
Oct 20 2017
#10: IdleSpellCheckCallback can't be called on detached frame, since it's already a DocumentShutdownObserver. I suspect that SelectionEditor failed to relocate SelectionInDOMTree, as when spellchecker was checking GetFrame().Selection().GetSelectionInDOMTree().Extent(), it got a text-anchored position with an out-of-bound offset, and hence, hitting a DCHECK
,
Oct 20 2017
ClusterFuzz has detected this issue as fixed in range 510178:510268. Detailed report: https://clusterfuzz.com/testcase?key=5768108689326080 Fuzzer: bj_broddelwerk Job Type: windows_asan_content_shell Platform Id: windows Crash Type: Breakpoint Crash Address: 0x08aea880 Crash State: blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N Sanitizer: address (ASAN) Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=471041:471079 Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=510178:510268 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5768108689326080 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Oct 20 2017
ClusterFuzz testcase 5768108689326080 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Nov 7 2017
,
Mar 2 2018
|
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by ClusterFuzz
, Oct 8 2017Labels: Test-Predator-AutoComponents