InsertUnorderedListCommand crashes with unusual HTML
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4990278510575616
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
blink::TextIteratorAlgorithm<class blink::EditingAlgorithm<class blink::NodeTrav
blink::TextIteratorAlgorithm<class blink::EditingAlgorithm<class blink::NodeTrav
blink::CompositeEditCommand::MoveParagraphs
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=471041:471079
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4990278510575616
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Dec 13 2017
Lowering to P3 due to unusual HTML and low usage of InsertUnorderedList command.
Cleaner test case:
<style>
  * {
    visibility: hidden;
  }
  .CLASS1 {
    float: left;
    visibility: visible;
  }
</style>
<dl><textarea class="CLASS1"></textarea></dl>
<script>
  function event_handler() {
    document.designMode = "on";
    document.execCommand("SelectAll");
    document.execCommand('InsertUnorderedList');
  }
  document.addEventListener("DOMNodeRemoved", event_handler);
  document.querySelector('style').remove();
</script>
Hits a DCHECK in InsertListCommand.cpp:
[1:1:1212/165150.454341:FATAL:InsertListCommand.cpp(487)] Check failed: next_list_child != list_child_node (TEXTAREA class="CLASS1" (editable) vs. TEXTAREA class="CLASS1" (editable))
#0 0x7fbcb83d8c0d base::debug::StackTrace::StackTrace()
#1 0x7fbcb83d703c base::debug::StackTrace::StackTrace()
#2 0x7fbcb845ebba logging::LogMessage::~LogMessage()
#3 0x7fbcafb00734 blink::InsertListCommand::UnlistifyParagraph()
#4 0x7fbcafb0016b blink::InsertListCommand::DoApplyForSingleParagraph()
#5 0x7fbcafaff4b3 blink::InsertListCommand::DoApply()
#6 0x7fbcafad5dcd blink::CompositeEditCommand::Apply()
#7 0x7fbcafaf1a3e blink::ExecuteInsertUnorderedList()
Dec 19 2017
Dec 19 2017
Dec 26 2017
ClusterFuzz testcase 4990278510575616 is flaky and no longer crashes, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ccf8a33bef7c4736b3bfb98e742debf71fd3cfc4

commit ccf8a33bef7c4736b3bfb98e742debf71fd3cfc4
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Thu Dec 28 07:09:57 2017

Fix for crash when unlistifying paragraph

Unlistifying a paragraph crashes during DOM changes with unusual HTML. Unlistify paragraph tries to adjust the paragraph by removing and adjusting list nodes. If the start of the paragraph and the end of the paragraph are at the same canonical position, then we should avoid those situations.

Bug: 794356
Change-Id: I28a6448879511baba47ccb82df9ef3b0c9b95d83
Reviewed-on: https://chromium-review.googlesource.com/844308
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526279}

[modify] https://crrev.com/ccf8a33bef7c4736b3bfb98e742debf71fd3cfc4/third_party/WebKit/Source/core/editing/commands/InsertListCommand.cpp
[modify] https://crrev.com/ccf8a33bef7c4736b3bfb98e742debf71fd3cfc4/third_party/WebKit/Source/core/editing/commands/InsertListCommandTest.cpp
Comment 1 by ClusterFuzz, Dec 12 2017
Labels: Test-Predator-Auto-Components