Issue metadata
Null-dereference READ in blink::ComputeInlineBoxPositionForInlineAdjustedPosition
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6421448177221632

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ComputeInlineBoxPositionForInlineAdjustedPosition
  blink::LocalCaretRectOfPosition
  blink::RendersInDifferentPosition

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=551406:551411

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6421448177221632

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Apr 20 2018
kojii@: We got a RootInlineBox with null FirstLeafChild(). Is that an expected case?

Anyway, the test case hits a DCHECK earlier than the null deref:

[1:1:0420/124710.336625:FATAL:composite_edit_command.cc(291)] Check failed: GetDocument().body() != ref_child (BODY (editable) vs. BODY (editable))
#0 0x000003478d9c base::debug::StackTrace::StackTrace()
#1 0x0000034986ab logging::LogMessage::~LogMessage()
#2 0x0000052b1f76 blink::CompositeEditCommand::InsertNodeBefore()
#3 0x0000052b27e6 blink::CompositeEditCommand::InsertNodeAt()
#4 0x0000052b6b06 blink::CompositeEditCommand::MoveParagraphContentsToNewBlockIfNecessary()
#5 0x0000052bf795 blink::ApplyStyleCommand::ApplyBlockStyle()
#6 0x0000052bf0f5 blink::ApplyStyleCommand::DoApply()
#7 0x0000052b1503 blink::CompositeEditCommand::ApplyCommandToComposite()
#8 0x0000052e0663 blink::InsertLineBreakCommand::DoApply()
#9 0x0000052b1503 blink::CompositeEditCommand::ApplyCommandToComposite()
#10 0x0000052de21a blink::InsertParagraphSeparatorCommand::DoApply()
#11 0x0000052b1503 blink::CompositeEditCommand::ApplyCommandToComposite()
#12 0x0000052f9626 blink::TypingCommand::InsertParagraphSeparator()
#13 0x0000052f9870 blink::TypingCommand::DoApply()
#14 0x0000052b13d9 blink::CompositeEditCommand::Apply()
#15 0x0000052f954b blink::TypingCommand::InsertParagraphSeparator()
#16 0x0000052d96a8 blink::InsertCommands::ExecuteInsertParagraph()
#17 0x0000052aae6e blink::EditorCommand::Execute()
#18 0x0000052a671b blink::Document::execCommand()
#19 0x000004b7ffff blink::V8Document::execCommandMethodCallback()
#20 0x0000020615b3 v8::internal::FunctionCallbackArguments::Call()
#21 0x00000205f8bc v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#22 0x00000205d928 v8::internal::Builtin_Impl_HandleApiCall()
#23 0x00000205d36d v8::internal::Builtin_HandleApiCall()
Apr 23 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef

commit 4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Mon Apr 23 02:22:16 2018

Abort editing command when attempting to insert node before body

ClusterFuzz found cases where an editing command attempts to insert node before document.body, which breaks document HTML and many assumptions. This patch makes the command abort in such cases.

Bug: 835020
Change-Id: Ifd0091fd3a25f3ba2dca45afe2598d8083b7d124
Reviewed-on: https://chromium-review.googlesource.com/1022736
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#552620}

[modify] https://crrev.com/4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef/third_party/blink/renderer/core/editing/commands/composite_edit_command.cc
[modify] https://crrev.com/4514a42fdf6ed7ac5c94859c4f47f9f9ad18dcef/third_party/blink/renderer/core/editing/commands/insert_paragraph_separator_command_test.cc
Apr 23 2018
ClusterFuzz has detected this issue as fixed in range 552619:552620.

Detailed report: https://clusterfuzz.com/testcase?key=6421448177221632

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ComputeInlineBoxPositionForInlineAdjustedPosition
  blink::LocalCaretRectOfPosition
  blink::RendersInDifferentPosition

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=551406:551411
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=552619:552620

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6421448177221632

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 23 2018
ClusterFuzz testcase 6421448177221632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by brajkumar@chromium.org, Apr 20 2018

Components: Blink>Editing
Labels: -Type-Bug M-68 Test-Predator-Wrong Type-Bug-Regression
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)