New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 793087 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 3
Type: Bug



Sign in to add a comment

FormatBlock command crashes with unusual CSS and HTML

Project Member Reported by ClusterFuzz, Dec 7 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5707198025170944

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000008
Crash State:
  blink::NodeTraversal::ChildAtTemplate<const
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal>
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal>
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=471041:471079

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5707198025170944

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Dec 7 2017

Components: Blink>DOM Blink>Editing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: msrchandra@chromium.org slangley@chromium.org ice...@yandex-team.ru pnangunoori@chromium.org
Labels: M-63 CF-NeedsTriage Test-Predator-Wrong
Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.
Thank You.
CC'd devs for the recent changes done on the suspect files.
Can't access the test case =(
But it seems that PositionIteratorAlgorithm was constructed from Position, that is null (e.g Position::IsNull() == true) and the Node object inside it is null.
ChildAt() function called in ctor of the PositionIteratorAlgorithm [1].
Can't say more without the test case or detailed stack trace.

[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/PositionIterator.cpp?q=PositionIteratorAlgorithm&sq=package:chromium&l=60

Comment 5 by kochi@chromium.org, Dec 11 2017

Components: -Blink>DOM
Can editing team confirm and triage this?
If the root problem looks DOM API is doing something impossible and
ended up in nullptr deref, please forward this to DOM.
Components: -Blink>Editing Blink>Editing>Command
Labels: -Pri-1 Pri-3
Status: Available (was: Untriaged)
Lowering to P3 due to low usage of Document.execCommand('FormatBlock')
Summary: FormatBlock command crashes with unusual CSS and HTML (was: Null-dereference READ in blink::NodeTraversal::ChildAtTemplate<const)
A cleaner version of the ClusterFuzz test case:

<style>
.c8:nth-of-type(2n+1) {
  visibility: collapse;
  display: table-cell;
  content: counter(c, ethiopic-halehame-ti-et) attr(id);
  counter-increment: c 65;
}

#el2 {
  position:absolute;
  top:0px;
  left:0px;
}
</style>
<input id=el11><input id=el2 class=c8>
<script>
document.designMode='on';
document.execCommand('selectall');
document.execCommand('FormatBlock', false, 'pre');
</script>
Cc: kkaluri@chromium.org yosin@chromium.org
 Issue 793600  has been merged into this issue.
Thanks for the test case, xiaochengh@!
I'm looking into it.
When running debug build of content_shell for the case, I have the following DCHECK:

FATAL:VisiblePosition.cpp(77)] Check failed: position_with_affinity.IsConnected(). INPUT id="el11"@afterAnchor/TextAffinity::Downstream
0   libbase.dylib                       0x000000011f9cca5e base::debug::StackTrace::StackTrace(unsigned long) + 174
1   libbase.dylib                       0x000000011f9ccaed base::debug::StackTrace::StackTrace(unsigned long) + 29
2   libbase.dylib                       0x000000011f9ccabc base::debug::StackTrace::StackTrace() + 28
3   libbase.dylib                       0x000000011fa7859f logging::LogMessage::~LogMessage() + 479
4   libbase.dylib                       0x000000011fa4fa25 logging::LogMessage::~LogMessage() + 21
5   libblink_core.dylib                 0x000000012cdefa9a blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >::Create(blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&) + 266
6   libblink_core.dylib                 0x000000012cd990e8 blink::CreateVisiblePosition(blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::TextAffinity) + 72
7   libblink_core.dylib                 0x000000012ce7c234 blink::FormatBlockCommand::FormatRange(blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::HTMLElement*&, blink::EditingState*) + 1956
8   libblink_core.dylib                 0x000000012ce0531d blink::ApplyBlockElementCommand::FormatSelection(blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::EditingState*) + 1245
9   libblink_core.dylib                 0x000000012ce7b9a8 blink::FormatBlockCommand::FormatSelection(blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::EditingState*) + 88
10  libblink_core.dylib                 0x000000012ce047d6 blink::ApplyBlockElementCommand::DoApply(blink::EditingState*) + 1478

Also I tried to revert my suspecting commit https://chromium.googlesource.com/chromium/src/+/3292bf38eb80cb87d701ce761dd36584318926ea
For debug build it doesn't help and DHECK is still triggered.
Will make a release build to reproduce crash without dchecks.
It looks like the |position| objects here [1] is not connected (Position::IsConnected() == false).
That's why |AdjustPositionForBackwardIteration<Strategy>(position)| will return a null position and the PositionIteratorAlgorithm can't handle it.

I personally think that my changes like patch [2] are unrelated to the problem, please correct me if I wrong.
As a quick fix we can check for the disconnected position and return from MostBackwardCaretPosition or even earlier. I checked this case and the crash is gone.
Also looks like that we can change PositionIteratorAlgorithm ctor so it will handle null |anchor_node|, maybe with DCHECK() for that.

xiaochengh@, WDYT?

[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/VisibleUnits.cpp?q=MostBackwardCaretPosition&sq=package:chromium&l=976
[2]  https://chromium.googlesource.com/chromium/src/+/3292bf38eb80cb87d701ce761dd36584318926ea
Adding some extra null/invalid position check seems fine.

Unless we have a more systematic fix for such issues, but we currently don't.
Project Member

Comment 12 by ClusterFuzz, Dec 15 2017

Labels: OS-Linux
Project Member

Comment 13 by ClusterFuzz, Jan 13 2018

Status: WontFix (was: Available)
ClusterFuzz testcase 5707198025170944 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 14 by ClusterFuzz, Jan 20 2018

Labels: Needs-Feedback
ClusterFuzz testcase 6071858196905984 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.

Sign in to add a comment