InsertHorizontalRule command crashes with unusual HTML
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6005657382944768

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::HasEditableStyle
  blink::RootEditableElement
  blink::DeleteSelectionCommand::RemoveRedundantBlocks

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=508795:508862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6005657382944768

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Dec 4 2017
Predator and CL could not provide any possible suspects.

Using the code search for the file, “EditingUtilities.cpp” assigning to concern owner from GIT revision log.

Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/3faa815b598a801f6b65a32d8d776411c102766f

@yosin -- Assigning this issue to you as you are the reviewer and we are unable to assign it to akariasai@, kindly reassign if it has nothing to do with the above changes.

Thank You.
Dec 6 2017
Lower to Pri-3 since real world usage of InsertHorizontalRule is low.

Hit NOTREACHED() with |EndingVisibleSelection.IsNone()|
Note: |this.ending_selection_| is also empty

This empty selection comes from |destination_selection| which is computed from |destination| == HTML@0 in CompositeEditCommand::MoveParagraphs()

# Stack trace
ReplaceSelectionCommand::DoApply(blink::EditingState * editing_state) Line 1147
CompositeEditCommand::ApplyCommandToComposite(blink::EditCommand * command, blink::EditingState * editing_state) Line 205
CompositeEditCommand::MoveParagraphs(const blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & start_of_paragraph_to_move, const blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & end_of_paragraph_to_move, const blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & destination, blink::EditingState * editing_state, blink::CompositeEditCommand::ShouldPreserveSelection should_preserve_selection, blink::CompositeEditCommand::ShouldPreserveStyle should_preserve_style, blink::Node * constraining_ancestor) Line 1565
CompositeEditCommand::MoveParagraph(const blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & start_of_paragraph_to_move, const blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & end_of_paragraph_to_move, const blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & destination, blink::EditingState * editing_state, blink::CompositeEditCommand::ShouldPreserveSelection should_preserve_selection, blink::CompositeEditCommand::ShouldPreserveStyle should_preserve_style, blink::Node * constraining_ancestor) Line 1372
DeleteSelectionCommand::MergeParagraphs(blink::EditingState * editing_state) Line 936
DeleteSelectionCommand::DoApply(blink::EditingState * editing_state) Line 1160
CompositeEditCommand::ApplyCommandToComposite(blink::EditCommand * command, blink::EditingState * editing_state) Line 205
CompositeEditCommand::DeleteSelection(blink::EditingState * editing_state, bool smart_delete, bool merge_blocks_after_delete, bool expand_for_special_elements, bool sanitize_markup) Line 618
ReplaceSelectionCommand::InsertParagraphSeparatorIfNeeds(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & selection, const blink::ReplacementFragment & fragment, blink::EditingState * editing_state) Line 1072
ReplaceSelectionCommand::DoApply(blink::EditingState * editing_state) Line 1175
CompositeEditCommand::Apply() Line 154
ExecuteInsertFragment(blink::LocalFrame & frame, blink::DocumentFragment * fragment) Line 386
ExecuteInsertElement(blink::LocalFrame & frame, blink::HTMLElement * content) Line 400
ExecuteInsertHorizontalRule(blink::LocalFrame & frame, blink::Event *, blink::EditorCommandSource, const WTF::String & value) Line 982
Editor::Command::Execute(const WTF::String & parameter, blink::Event * triggering_event) Line 3041
Document::execCommand(const WTF::String & command_name, bool, const WTF::String & value, blink::ExceptionState & exception_state) Line 93
DocumentV8Internal::execCommandMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4109
V8Document::execCommandMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 6964
Jan 2 2018
ClusterFuzz has detected this issue as fixed in range 526440:526441.

Detailed report: https://clusterfuzz.com/testcase?key=6005657382944768

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::HasEditableStyle
  blink::RootEditableElement
  blink::DeleteSelectionCommand::RemoveRedundantBlocks

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=508795:508862
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=526440:526441

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6005657382944768

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 2 2018
ClusterFuzz testcase 6005657382944768 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Dec 2 2017
Labels: Test-Predator-Auto-Components