Issue 835020

Issue metadata

Status: Verified
Owner: xiaochengh@chromium.org
Closed: Apr 2018
Cc: brajkumar@chromium.org, kojii@chromium.org
Components: Blink>Editing
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression


Null-dereference READ in blink::ComputeInlineBoxPositionForInlineAdjustedPosition

Project Member Reported by ClusterFuzz, Apr 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6421448177221632

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ComputeInlineBoxPositionForInlineAdjustedPosition
  blink::LocalCaretRectOfPosition
  blink::RendersInDifferentPosition
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=551406:551411

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6421448177221632

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: brajkumar@chromium.org
Components: Blink>Editing
Labels: -Type-Bug M-68 Test-Predator-Wrong Type-Bug-Regression
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Predator could not provide any possible suspects.

From the CL log below, observing some changes related to 'inline_box_position.cc', hence suspecting the same:
https://chromium.googlesource.com/chromium/src/+log/d526111ea8b0da1e0666c93888490780d26f9135..1b2a62dedbd3a80c50d9075b901fa35ac1a23826?pretty=fuller&n=10000

Suspect CL: https://chromium.googlesource.com/chromium/src/+/614797964fd241c101fa60be39803c525eca6033

xiaochengh@ -- Could you please check whether this is caused by your change; if not, please help us assign it to the right owner.

Thanks!

Cc: kojii@chromium.org
kojii@: We got a RootInlineBox with null FirstLeafChild(). Is that an expected case?

Anyway, the test case hits a DCHECK earlier than the null deref:

[1:1:0420/124710.336625:FATAL:composite_edit_command.cc(291)] Check failed: GetDocument().body() != ref_child (BODY (editable) vs. BODY (editable))
#0 0x000003478d9c base::debug::StackTrace::StackTrace()
#1 0x0000034986ab logging::LogMessage::~LogMessage()
#2 0x0000052b1f76 blink::CompositeEditCommand::InsertNodeBefore()
#3 0x0000052b27e6 blink::CompositeEditCommand::InsertNodeAt()
#4 0x0000052b6b06 blink::CompositeEditCommand::MoveParagraphContentsToNewBlockIfNecessary()
#5 0x0000052bf795 blink::ApplyStyleCommand::ApplyBlockStyle()
#6 0x0000052bf0f5 blink::ApplyStyleCommand::DoApply()
#7 0x0000052b1503 blink::CompositeEditCommand::ApplyCommandToComposite()
#8 0x0000052e0663 blink::InsertLineBreakCommand::DoApply()
#9 0x0000052b1503 blink::CompositeEditCommand::ApplyCommandToComposite()
#10 0x0000052de21a blink::InsertParagraphSeparatorCommand::DoApply()
#11 0x0000052b1503 blink::CompositeEditCommand::ApplyCommandToComposite()
#12 0x0000052f9626 blink::TypingCommand::InsertParagraphSeparator()
#13 0x0000052f9870 blink::TypingCommand::DoApply()
#14 0x0000052b13d9 blink::CompositeEditCommand::Apply()
#15 0x0000052f954b blink::TypingCommand::InsertParagraphSeparator()
#16 0x0000052d96a8 blink::InsertCommands::ExecuteInsertParagraph()
#17 0x0000052aae6e blink::EditorCommand::Execute()
#18 0x0000052a671b blink::Document::execCommand()
#19 0x000004b7ffff blink::V8Document::execCommandMethodCallback()
#20 0x0000020615b3 v8::internal::FunctionCallbackArguments::Call()
#21 0x00000205f8bc v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#22 0x00000205d928 v8::internal::Builtin_Impl_HandleApiCall()
#23 0x00000205d36d v8::internal::Builtin_HandleApiCall()

Comment 3 by bugdroid1@chromium.org (Project Member), Apr 23 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef

commit 4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Mon Apr 23 02:22:16 2018

Abort editing command when attempting to insert node before body

ClusterFuzz found cases where an editing command attempts to insert node
before document.body, which breaks document HTML and many assumptions.

This patch makes the command abort in such cases.

Bug: 835020
Change-Id: Ifd0091fd3a25f3ba2dca45afe2598d8083b7d124
Reviewed-on: https://chromium-review.googlesource.com/1022736
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#552620}
[modify] https://crrev.com/4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
[modify] https://crrev.com/4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef/third_party/blink/renderer/core/editing/commands/insert_paragraph_separator_command_test.cc

Comment 4 by ClusterFuzz (Project Member), Apr 23 2018

ClusterFuzz has detected this issue as fixed in range 552619:552620.

Detailed report: https://clusterfuzz.com/testcase?key=6421448177221632

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ComputeInlineBoxPositionForInlineAdjustedPosition
  blink::LocalCaretRectOfPosition
  blink::RendersInDifferentPosition
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=551406:551411
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=552619:552620

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6421448177221632

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz (Project Member), Apr 23 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6421448177221632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.