
Issue 797520


Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

NEEDS_MINIMIZATION InsertOrderedList command crashes

Reported by ClusterFuzz (Project Member), Dec 24 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5650715497463808

Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::Node::IsDescendantOf
  blink::CompositeEditCommand::CloneParagraphUnderNewElement
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=523197:523221

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5650715497463808

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Dec 24 2017

Components: Blink>DOM Blink>Editing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Comment 2 by ClusterFuzz (Project Member), Dec 24 2017

Labels: Test-Predator-Auto-Owner
Owner: hirosh...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/bb33dbbbcf6f36daa5d7d116769b72a3c91ed9dc (Remove ScriptStreamer::resource_).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Cc: hirosh...@chromium.org
Components: -Blink>Editing -Blink>DOM Blink>Editing>Command
Labels: -Pri-1 Pri-3
Owner: ----
Status: Available (was: Assigned)
Summary: NEEDS_MINIMIZATION InsertOrderedList command crashes (was: Null-dereference READ in chrome)
This is one of the many editing command bugs. The Editing team should take it over.

Lowered to P3 due to low usage of the InsertOrderedList command.
Owner: tanvir.r...@samsung.com
Comment 5 by bugdroid1@chromium.org (Project Member), Jan 17 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/aac97245ee827c2f22b388d25a7c2c45e6543c41

commit aac97245ee827c2f22b388d25a7c2c45e6543c41
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Wed Jan 17 04:22:02 2018

Fix for crash with InsertListCommand

InsertListCommand on a list with a
collapsed-visibility member crashes.
The visible first node position and the last
node position come back as null,
which reaches the DCHECK.
This CL adds a safety check to avoid
this scenario.

Bug: 797520
Change-Id: I1f9a408dd31a69b001c39176da571e3486e471cf
Reviewed-on: https://chromium-review.googlesource.com/868410
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#529601}
[modify] https://crrev.com/aac97245ee827c2f22b388d25a7c2c45e6543c41/third_party/WebKit/Source/core/editing/commands/CompositeEditCommand.cpp
[modify] https://crrev.com/aac97245ee827c2f22b388d25a7c2c45e6543c41/third_party/WebKit/Source/core/editing/commands/InsertListCommandTest.cpp
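The fix CL above describes the crash condition as InsertListCommand running on a list with a collapsed-visibility member. The following is an added example, not code from this issue, the ClusterFuzz testcase or the fix CL: a small harness a practitioner can load into a contenteditable page to check that a browser build survives that class of input. It generalizes beyond the single reported case to a matrix of list templates, CSS visibility values and both list commands; the template markup, the localStorage keys, the case ids and all function names are assumptions chosen for illustration. The case generator is plain JavaScript and runs anywhere; the execCommand driver only runs when the file is loaded in a browser. Because the failure mode here is a renderer crash that kills the page before any result can be reported, the driver records the id of the case it is about to run in localStorage first, so that after the tab is reloaded the harness can name the case that took it down and resume with the next one.

```javascript
// Added example, not code from the Chromium issue or the fix CL.
// Drives execCommand over list markup whose members carry different CSS
// visibility values inside a contenteditable, the condition the fix CL
// describes for InsertListCommand. Markup, keys and names are assumptions.

const COMMANDS = ['insertOrderedList', 'insertUnorderedList'];
const VISIBILITY = ['visible', 'hidden', 'collapse'];
// %s marks where the style attribute is substituted.
const TEMPLATES = [
  { name: 'li-in-ol', html: '<ol><li %s>a</li><li>b</li></ol>' },
  { name: 'nested-ol', html: '<ol><li>a<ol><li %s>b</li></ol></li></ol>' },
  { name: 'p-then-ol', html: '<p %s>a</p><ol><li>b</li></ol>' },
];

// Pure: expands the matrix into one case per (template, visibility, command).
function buildCases() {
  const cases = [];
  for (const t of TEMPLATES) {
    for (const v of VISIBILITY) {
      for (const command of COMMANDS) {
        cases.push({
          id: `${t.name}/${v}/${command}`,
          command,
          html: t.html.replace('%s', `style="visibility:${v}"`),
        });
      }
    }
  }
  return cases;
}

// Runs one case in a fresh contenteditable host with its contents selected.
function runCase(win, c) {
  const doc = win.document;
  const host = doc.createElement('div');
  host.contentEditable = 'true';
  host.innerHTML = c.html;
  doc.body.appendChild(host);
  const range = doc.createRange();
  range.selectNodeContents(host);
  const sel = win.getSelection();
  sel.removeAllRanges();
  sel.addRange(range);
  let outcome;
  try {
    outcome = doc.execCommand(c.command, false, null) ? 'ok' : 'rejected';
  } catch (e) {
    outcome = 'threw: ' + e.message;
  }
  const after = host.innerHTML;
  host.remove();
  return { id: c.id, outcome, after };
}

// Browser driver. The index of the case about to run is written to
// localStorage before execCommand is called; a leftover pointer on the next
// load means the previous run never finished, and the id stored alongside
// it is the case that took the renderer down. Returns null outside a
// browser (e.g. under Node) so the file still loads there.
function runInBrowser(win) {
  if (!win || !win.document || !win.localStorage) return null;
  const store = win.localStorage;
  const cases = buildCases();
  const unfinished = store.getItem('editfuzz.next') !== null;
  const suspect = unfinished ? store.getItem('editfuzz.last') : null;
  const start = unfinished ? Number(store.getItem('editfuzz.next')) : 0;
  const results = [];
  for (let i = start; i < cases.length; i++) {
    store.setItem('editfuzz.next', String(i + 1));
    store.setItem('editfuzz.last', cases[i].id);
    results.push(runCase(win, cases[i]));
  }
  store.removeItem('editfuzz.next');  // clean finish: nothing crashed
  store.removeItem('editfuzz.last');
  return { suspect, results };
}

const run = runInBrowser(typeof window === 'undefined' ? null : window);
if (run === null) {
  console.log(`${buildCases().length} cases built; load this file in a browser to run them`);
} else {
  console.log(JSON.stringify(run, null, 1));
}
```

Load the script from an HTML page served from a fixed origin (localStorage is per origin), open the tab, and if the renderer dies, reload: the `suspect` field of the next run names the case that was in flight. A case that merely returns 'rejected' is the command declining the selection, which is the expected non-crashing outcome for markup the command cannot wrap.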

Comment 6 by ClusterFuzz (Project Member), Jan 17 2018

ClusterFuzz has detected this issue as fixed in range 529594:529620.

Detailed report: https://clusterfuzz.com/testcase?key=5650715497463808

Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::Node::IsDescendantOf
  blink::CompositeEditCommand::CloneParagraphUnderNewElement
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=523197:523221
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=529594:529620

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5650715497463808

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by ClusterFuzz (Project Member), Jan 17 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5650715497463808 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.