
Issue 831385

Issue metadata

Status: Verified
Owner: ----
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug-Regression




NOTREACHED in AdjustSelectionToAvoidCrossingEditingBoundaries

Project Member Reported by ClusterFuzz, Apr 10 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4840302003879936

Fuzzer: attekett_dom_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::Node::UpdateDistribution
  blink::ComparePositions
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=540771:540773

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4840302003879936

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Apr 10 2018

Components: Blink>DOM Blink>Editing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: brajkumar@chromium.org
Labels: -Type-Bug M-67 Test-Predator-Wrong CF-NeedsTriage Type-Bug-Regression
Unable to find actual suspect through code search and also observing no suspecting CL under regression range, hence adding appropriate label and requesting someone from blink team to look into this issue.

Thanks!
Components: -Blink>Editing -Blink>DOM Blink>Editing>Selection
Summary: NOTREACHED in AdjustSelectionToAvoidCrossingEditingBoundaries (was: Null-dereference READ in chrome)
Minimized repro:

<object></object>
<aside></aside>
<object id=test1>35237</object>
<script>
document.designMode = "on"
document.execCommand("selectall");
</script>

Hitting a NOTREACHED at selection_adjuster.cc L741:

732	    // The selection is based in non-editable content.
733	    // FIXME: Non-editable pieces inside editable content should be atomic, in
734	    // the same way that editable pieces in non-editable content are atomic.
735	    const PositionTemplate<Strategy>& end =
736	        AdjustSelectionEndToAvoidCrossingEditingBoundaries(
737	            range.EndPosition(), end_root, base_editable_ancestor);
738	    if (end.IsNull()) {
739	      // The selection crosses an Editing boundary.  This is a
740	      // programmer error in the editing code.  Happy debugging!
741	      NOTREACHED();
742	      return {};
743	    }

Comment 5 by yosin@chromium.org, Apr 18 2018

Labels: -Pri-1 Pri-3

Comment 6 by yosin@chromium.org, Apr 18 2018

Status: Available (was: Untriaged)

Comment 7 by ClusterFuzz, May 6 2018

ClusterFuzz has detected this issue as fixed in range 556325:556327.

Detailed report: https://clusterfuzz.com/testcase?key=4840302003879936

Fuzzer: attekett_dom_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::Node::UpdateDistribution
  blink::ComparePositions
  
Sanitizer: cfi (CFI)

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=540771:540773
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=556325:556327

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4840302003879936

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz, May 6 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 4840302003879936 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
