Abrt in blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::Te
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5949053102981120
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Abrt
Crash Address: 0x03e900000001
Crash State:
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::Te
  blink::NextBoundary
  blink::EndOfSentence
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=518240:518474
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5949053102981120

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 27 2017

Automatically adding ccs based on suspected regression changelists:

Sanitize function parameters when calculating InlineBoxPosition for text by xiaochengh@chromium.org - https://chromium.googlesource.com/chromium/src/+/d2d6ee9c44327d3f4518dbc904f8c7d4aa4128af
Extract FrameSelection::ComputeAbsoluteBounds method by dgozman@chromium.org - https://chromium.googlesource.com/chromium/src/+/76dd5a9c6f723b56973cc79608f0fe6ce446a956

If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Nov 28 2017
Nov 29 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b263ecdddb6137b8e5b9d7c7267da31d1ae91769

commit b263ecdddb6137b8e5b9d7c7267da31d1ae91769
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Wed Nov 29 08:47:44 2017

Fix HTMLOutputElement::CanContainRangeEndPoint

When an OUTPUT element is in default value mode, its content shouldn't be ignored by editing code. This patch changes CanContainRangeEndPoint to return true when in default value mode to fix it.

This fixes a crash when computing NextBoundary: when the input position is at <output> <table>|</table></output>, it used to compute the local variables as:

  c = pos = TABLE@0
  boundary = TABLE
  start = OUTPUT@1 as ParentAnchoredEquivalent() moves the position out from table
  search_start = OUTPUT@AfterAnchor as OUTPUT is editing-ignored content
  search_end = TABLE@AfterChildren

which results in a reversed search range. This patch makes OUTPUT not ignored by editing, and hence, changes |search_start| to OUTPUT@1 to stop the crash.

Bug: 788661
Change-Id: I1dda52949f2ba384ae937c4f5d42d5c828fc2a57
Reviewed-on: https://chromium-review.googlesource.com/791856
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520049}

[modify] https://crrev.com/b263ecdddb6137b8e5b9d7c7267da31d1ae91769/third_party/WebKit/Source/core/editing/VisibleUnits.h
[modify] https://crrev.com/b263ecdddb6137b8e5b9d7c7267da31d1ae91769/third_party/WebKit/Source/core/editing/VisibleUnitsTest.cpp
[modify] https://crrev.com/b263ecdddb6137b8e5b9d7c7267da31d1ae91769/third_party/WebKit/Source/core/html/forms/HTMLOutputElement.h
Nov 29 2017
ClusterFuzz testcase 5949053102981120 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 27 2017
Labels: Test-Predator-Auto-Components