Issue 833180 link

Issue metadata

Status: Duplicate
Merged: issue 832055
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 3
Type: Bug-Regression



TextOffsetMapping::ComputeStartPosition() crashes if all elements are multicol

Project Member Reported by ClusterFuzz, Apr 15 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6586459075903488

Fuzzer: inferno_twister
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address: 
Crash State:
  start <= end (#text "J\tAwbN"@offsetInAnchor[0] vs. #text "undefined"@offsetInAn
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversal> >
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversal> >
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=550079:550107

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6586459075903488

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: brajkumar@chromium.org
Components: Blink>Editing
Labels: -Type-Bug M-67 Test-Predator-Wrong Type-Bug-Regression
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Predator could not provide any possible suspects.

CL: https://chromium.googlesource.com/chromium/src/+log/729d804e8f8be6c789a3112a144871baf219b38d..a5d743c7743180244fea004fa19dc6e4a4007611?pretty=fuller&n=10000

From the above CL range, observing some changes related to 'editing', hence suspecting the one below:
https://chromium.googlesource.com/chromium/src/+/1324be868df000cb2e070199ce2d10cd0c5a2706

yosin@ -- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks!

Comment 2 by yosin@chromium.org, Apr 17 2018

Labels: -Pri-1 Pri-3
Status: Started (was: Assigned)
Summary: TextOffsetMapping::ComputeStartPosition() crashes if all elements are multicol (was: CHECK failure: start <= end (#text "J\tAwbN"@offsetInAnchor[0] vs. #text "undefined"@offsetInAn)
Lowering to Pri-3 because this is caused by unusual HTML:

<style>* {column-width: 300px; content: "XYZ"; animation-name: ijk; }</style>
abc
<script>
const selection = window.getSelection();
selection.collapse(document.body.firstChild, 3);
selection.modify('move', 'forward', 'word');
</script>

Layout Tree:
layer at (0,0) size 800x600
  LayoutView at (0,0) size 800x600
layer at (0,0) size 800x600
  LayoutBlockFlow {HTML} at (0,0) size 800x600
    LayoutMultiColumnSet (anonymous) at (0,0) size 800x28
layer at (0,0) size 392x36 backgroundClip at (0,0) size 400x28 clip at (0,0) size 400x28
  LayoutMultiColumnFlowThread (anonymous) at (0,0) size 392x36
layer at (8,8) size 376x20
  LayoutBlockFlow {BODY} at (8,8) size 376x20
    LayoutMultiColumnSet (anonymous) at (0,0) size 376x20
layer at (8,8) size 376x20
  LayoutMultiColumnFlowThread (anonymous) at (0,0) size 376x20
    LayoutText {#text} at (0,0) size 22x19
      text run at (0,0) width 22: "abc"

Comment 3 by yosin@chromium.org, Apr 17 2018

Simpler HTML to reproduce:

<style>* {column-width: 300px; }</style>
abc
<script>
const selection = window.getSelection();
selection.collapse(document.body.firstChild, 3);
selection.modify('move', 'forward', 'word');
</script>
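
The minimized reproducer above has three moving parts: a universal `column-width` rule that turns every element (html and body included) into a multicol container, a caret collapsed at a chosen text offset, and a single `selection.modify()` call. The revert in the next comment notes that TextOffsetMapping "should support edge cases", so a practitioner re-landing it would want more than this one case. The script below is an added example, not part of this bug report or of Chromium's web tests: it expands the Comment 3 reproducer into a small corpus of HTML files by varying the selector (`*` versus a `body`-only control), the caret offset, and the `alter`/`direction`/`granularity` arguments of `selection.modify()`. The variant axes and file names are assumptions chosen here; the report itself only enumerates the one case.

```python
"""Expand the minimized multicol selection.modify() repro into a regression corpus.

Added example, not code from the bug report or from Chromium. The HTML
template is the Comment 3 reproducer; the variant axes below are assumptions
chosen to probe the "all elements are multicol" shape, not knobs the report
enumerates. Each generated file is self-contained and can be loaded in an
ASan build or handed to the web test runner; a CHECK failure shows up as a
renderer crash rather than as a JavaScript exception.
"""
from itertools import product
from pathlib import Path

TEXT = "abc"

# Doubled braces are literal CSS braces; single braces are format fields.
TEMPLATE = """<style>{selector} {{column-width: 300px; }}</style>
{text}
<script>
const selection = window.getSelection();
selection.collapse(document.body.firstChild, {offset});
selection.modify('{alter}', '{direction}', '{granularity}');
</script>
"""

# "*" makes html and body both multicol (the crashing shape);
# "body" is the control where only one level is a multicol container.
SELECTORS = ("*", "body")
ALTERS = ("move", "extend")
DIRECTIONS = ("forward", "backward")
GRANULARITIES = ("character", "word", "line", "paragraph")


def render(selector, offset, alter, direction, granularity, text=TEXT):
    """Return one testcase as an HTML string."""
    return TEMPLATE.format(selector=selector, text=text, offset=offset,
                           alter=alter, direction=direction,
                           granularity=granularity)


def case_name(selector, offset, alter, direction, granularity):
    """Hypothetical file naming scheme; encodes every axis so crashes are self-describing."""
    sel = "all" if selector == "*" else selector
    return f"multicol-{sel}-{alter}-{direction}-{granularity}-offset{offset}.html"


def generate_cases(text=TEXT):
    """Return {filename: html} for every combination of the variant axes.

    Offsets run 0..len(text) inclusive: every caret position in the text
    node, including the end-of-text offset used by the original repro.
    """
    cases = {}
    for selector, alter, direction, granularity in product(
            SELECTORS, ALTERS, DIRECTIONS, GRANULARITIES):
        for offset in range(len(text) + 1):
            key = (selector, offset, alter, direction, granularity)
            cases[case_name(*key)] = render(*key, text=text)
    return cases


def minimized_repro():
    """The exact Comment 3 reproducer: selector '*', offset 3, move forward by word."""
    return render("*", 3, "move", "forward", "word")


def write_corpus(out_dir):
    """Write every generated case into out_dir and return the sorted file names."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    cases = generate_cases()
    for name, html in cases.items():
        (out / name).write_text(html, encoding="utf-8")
    return sorted(cases)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "multicol-selection-corpus"
    names = write_corpus(target)
    print(f"wrote {len(names)} testcases to {target}/")
```

Each file keeps the original's structure (style rule, bare text node as `body.firstChild`, one script), so the control cases with `body` as the selector tell you whether a failure depends on the nested anonymous flow threads seen in the layout tree above or on selection movement in a single multicol container.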

Comment 4 by bugdroid1@chromium.org, Apr 17 2018

Labels: merge-merged-3396
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c

commit dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c
Author: Yoshifumi Inoue <yosin@chromium.org>
Date: Tue Apr 17 04:30:18 2018

Revert "Make NextWordPosition() to utilize TextOffsetMapping"

This reverts commit 1324be868df000cb2e070199ce2d10cd0c5a2706 for M67/Beta

TextOffsetMapping is not ready for release.
It should support edge cases.

TBR=yosin@chromium.org

Bug: 832055, 832061, 832101, 832261, 832350, 832497, 832639, 833172, 833180
Change-Id: Iac5f58716619a626650088a55109922daf1a4f3a
Reviewed-on: https://chromium-review.googlesource.com/1013445
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#36}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c/third_party/blink/renderer/core/editing/visible_units_word.cc
[modify] https://crrev.com/dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c/third_party/blink/renderer/core/editing/visible_units_word_test.cc

Comment 5 by yosin@chromium.org, Apr 17 2018

Labels: -M-67 M-68

Comment 6 by yosin@chromium.org, Apr 17 2018

Mergedinto: 832055
Status: Duplicate (was: Started)
