InsertHorizontalRule command crashes with unusual HTML

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5092110801043456

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000010
Crash State:
  blink::RootEditableElement
  blink::DeleteSelectionCommand::RemoveRedundantBlocks
  blink::DeleteSelectionCommand::DoApply

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092110801043456

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Oct 27 2017
That change is totally irrelevant. Wait for editing team to triage.
Oct 27 2017
Using the provided regression range assigning to the possible suspect as per the change made for the file, “DeleteSelectionCommand.cpp” Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/d6ef615a1a2154d3435b9a09afcd8f6cd929f275 @rlanday -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.
Oct 27 2017
Repros on Mac and Linux (haven't tested other platforms).

Bisects to this commit:
https://chromium.googlesource.com/chromium/src/+/1c9b66ff417ace5d8cb6b3358389a891b4eb3a3a
A column-span:all element should always establish a new formatting context.

Note that the test case does use column-span:all, so this kind of makes sense. Before this commit, the test case runs in an infinite loop changing the DOM. After this commit, the test case crashes the renderer.

Passing to yosin@ for triage since it's not caused by my change. Probably not high-pri unless it's happening in the wild.
Oct 27 2017
The bisect range Clusterfuzz is claiming (464127:464504) is in error, by the way. The crash started before then, in 462865.
Oct 30 2017
Lower to Pri-3 because real world usage of InsertHorizontalRule command with
unusual HTML is low.
Style rule:
*:last-of-type: {... -webkit-column-span:all }
is very unusual.
Nov 7 2017
Automatically adding ccs based on suspected regression changelists:

https://chromium.googlesource.com/chromium/src/+/d6ef615a1a2154d3435b9a09afcd8f6cd929f275 (Improve how DocumentMarkerController updates markers in response to text edits by rlanday@chromium.org)
https://chromium.googlesource.com/chromium/src/+/7d8d866c5fbd4b9c5fe0e0ce39a215d8a731dff4 (Rewrite references to "wtf/" to "platform/wtf/" in core/editing. by yutak@chromium.org)

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Nov 8 2017
Please ignore the Test-Predator-Auto-CC comment spam above; there was a bug in our script that caused it to create the same comment multiple times, and it also didn't add ccs properly.
Jan 2 2018
ClusterFuzz has detected this issue as fixed in range 526440:526442.

Detailed report: https://clusterfuzz.com/testcase?key=5092110801043456

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000010
Crash State:
  blink::RootEditableElement
  blink::DeleteSelectionCommand::RemoveRedundantBlocks
  blink::DeleteSelectionCommand::DoApply

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=464127:464504
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=526440:526442

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5092110801043456

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 2 2018
ClusterFuzz testcase 5092110801043456 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by pnangunoori@chromium.org, Oct 27 2017
Components: Blink
Labels: M-62 Test-Predator-Wrong
Owner: yutak@chromium.org
Status: Assigned (was: Untriaged)