Null-dereference READ during FormatBlock command
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6020288274497536

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >
  blink::MostBackwardCaretPosition
  blink::CanonicalPositionOf

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=518240:518474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6020288274497536

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
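The ClusterFuzz report above is a fixed set of `Key: value` fields, and the two things a triager reads first are the crash address (0x10 here, a small offset from null) and the top frame of the crash state. The Python below is an added example, not ClusterFuzz's own code: it parses that layout into a dict, pulls the revision range out of the Regressed/Fixed links, and classifies the crash from the address and crash type. The sample text is constructed from this bug's own field values, and the 0x1000 first-page threshold is an assumption about the platform's unmapped null page.

```python
import re

# Constructed sample, laid out the way ClusterFuzz formats its issue text,
# using the field values from this bug's own report.
SAMPLE_REPORT = """\
Detailed report: https://clusterfuzz.com/testcase?key=6020288274497536

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >
  blink::MostBackwardCaretPosition
  blink::CanonicalPositionOf

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=518240:518474

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6020288274497536
"""

# A field line starts at column 0 with a capitalised key; crash-state frames
# are indented and therefore continue the previous field.
FIELD_RE = re.compile(r"^([A-Z][A-Za-z ]+):\s*(.*)$")

# Assumption: the first 4 KiB page is unmapped, so any address below it is a
# null-pointer dereference (null plus a field offset), not a wild pointer.
PAGE_SIZE = 0x1000


def parse_report(text):
    """Parse ClusterFuzz issue text into {key: str} with 'Crash State' as a frame list."""
    fields = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        match = FIELD_RE.match(line)
        if match and not line.startswith(" "):
            current = match.group(1)
            value = match.group(2).strip()
            fields[current] = [value] if value else []
        elif current is not None:
            fields[current].append(line.strip())
    return {key: (vals if key == "Crash State" else " ".join(vals))
            for key, vals in fields.items()}


def revision_range(url):
    """Return (start, end) from a revisions?...&range=A:B link, or None."""
    match = re.search(r"[?&]range=(\d+):(\d+)", url or "")
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(crash_type, address):
    """Coarse severity bucket used for first-pass triage."""
    if crash_type.startswith("Null-dereference") or address < PAGE_SIZE:
        return "null-deref"        # reliability bug; usually not memory-safety exploitable
    if "WRITE" in crash_type.upper():
        return "memory-write"      # needs a closer look
    return "other"


def triage(text):
    fields = parse_report(text)
    address = int(fields["Crash Address"], 16)
    fixed = revision_range(fields.get("Fixed"))
    frames = fields.get("Crash State", [])
    return {
        "category": classify(fields["Crash Type"], address),
        "offset": address,
        "top_frame": frames[0] if frames else None,
        "sanitizer": fields.get("Sanitizer"),
        "regressed": revision_range(fields.get("Regressed")),
        "fixed": fixed,
        "verified_fixed": fixed is not None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Running it on the sample yields category `null-deref` with offset 16, the PositionIteratorAlgorithm frame on top, and a regressed range of (518240, 518474) with no fix yet; appending a `Fixed:` line, as the later ClusterFuzz comment does, flips `verified_fixed` to True.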
Jan 29 2018
Predator and CL could not provide any possible suspects. Used Code Search for the file "VisibleUnits.cpp" and observed there were some recent changes to the file below. Suspect CL: https://chromium.googlesource.com/chromium/src/+/e65d6289cd28260dcd05078ffd49ebdd8e8dbf77 xiaochengh@ -- Could you please check whether this is caused by your change? If not, please help us in assigning it to the right owner. Thanks!
Jan 29 2018
The CL doesn't contain any behavioral changes. It's pure code moving. Applying P3/Available due to low real-world usage of the FormatBlock command. Also removing the regression label because editing commands are a big source of crashes due to some fundamental design issue, and crashes there are not regressions in most cases.
Feb 7 2018
Feb 9 2018
Simplified case:

<head>
<script>
function start() {
  // Make the whole document editable, select everything, then wrap the
  // selection in a <pre> block via FormatBlock.
  document.designMode = 'on';
  document.execCommand('selectall');
  document.execCommand('FormatBlock', false, '<pre>');
}
setTimeout(start);
</script>
</head>
<body>
<input>
<div style="display:inline-block;" contenteditable></div><canvas></canvas></body>
Feb 13 2018
ClusterFuzz has detected this issue as fixed in range 536251:536255.

Detailed report: https://clusterfuzz.com/testcase?key=6020288274497536

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >
  blink::MostBackwardCaretPosition
  blink::CanonicalPositionOf

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=518240:518474
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=536251:536255

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6020288274497536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 13 2018
ClusterFuzz testcase 6020288274497536 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by dtapu...@chromium.org, Jan 27 2018