Crash due to SelectionEditor failed to relocate FrameSelection |
|||||||
Issue descriptionDetailed report: https://clusterfuzz.com/testcase?key=4851486122311680 Fuzzer: bj_broddelwerk Job Type: linux_msan_chrome Platform Id: linux Crash Type: Abrt Crash Address: 0x03e900000001 Crash State: blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N Sanitizer: memory (MSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=518240:518474 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4851486122311680 Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Nov 27 2017
Automatically adding ccs based on suspected regression changelists: Sanitize function parameters when calculating InlineBoxPosition for text by xiaochengh@chromium.org - https://chromium.googlesource.com/chromium/src/+/d2d6ee9c44327d3f4518dbc904f8c7d4aa4128af Extract FrameSelection::ComputeAbsoluteBounds method by dgozman@chromium.org - https://chromium.googlesource.com/chromium/src/+/76dd5a9c6f723b56973cc79608f0fe6ce446a956 [RootLayerScrolls] Fix ScrollRectToVisible for iframes by szager@chromium.org - https://chromium.googlesource.com/chromium/src/+/08b0819307cc7d1a973e7d938ff156527519c791 If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
,
Nov 27 2017
This is pretty much the unfixed unhandled crash in issue 772718 . Copying comments from there: "...we ended up with an invalid FrameSelection. It crashes when IdleSpellCheckCallback::HotModeInvocation() is called on that invalid FrameSelection." "IdleSpellCheckCallback can't be called on detached frame, since it's already a DocumentShutdownObserver. I suspect that SelectionEditor failed to relocate SelectionInDOMTree, as when spellchecker was checking GetFrame().Selection().GetSelectionInDOMTree().Extent(), it got a text-anchored position with an out-of-bound offset, and hence, hitting a DCHECK" Assigned to yosin@ who understands SelectionEditor
,
Dec 6 2017
Mark Available since I don't have enough time to work this.
,
Dec 6 2017
Lower to Pri-3 since this is caused by unusual HTML.
,
Feb 23 2018
ClusterFuzz has detected this issue as fixed in range 538633:538636. Detailed report: https://clusterfuzz.com/testcase?key=4851486122311680 Fuzzer: bj_broddelwerk Job Type: linux_msan_chrome Platform Id: linux Crash Type: Abrt Crash Address: 0x03e900000001 Crash State: blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N Sanitizer: memory (MSAN) Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=518240:518474 Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=538633:538636 Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4851486122311680 See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 23 2018
ClusterFuzz testcase 4851486122311680 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Mar 2 2018
|
|||||||
►
Sign in to add a comment |
|||||||
Comment 1 by ClusterFuzz
, Nov 27 2017Labels: Test-Predator-Auto-Components