New issue
Advanced search Search tips

Issue 837091 link

Starred by 1 user

Issue metadata

Status: Verified
Owner: ----
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug

Blocking:
issue 827897
issue 836934



Sign in to add a comment

AdjustSelectionEndToAvoidCrossingEditingBoundaries() should handle SLOT with display:block

Project Member Reported by ClusterFuzz, Apr 26 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4949985603616768

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::UpdateDistributionInternal
  UpdateDistributionForFlatTreeTraversal
  blink::ComparePositions
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=553489:553490

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4949985603616768

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Apr 26 2018

Components: Blink>DOM Blink>Editing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Apr 26 2018

Labels: Test-Predator-Auto-Owner
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a9452b946b7b853ca56032f073bd7cc00d3a7db2 ([IncrementalShadowDOM] Make some of UpdateDistribuion call RecalcAssignments).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by hayato@chromium.org, Apr 26 2018

Components: -Blink>DOM
Owner: yosin@chromium.org
The CL is unlikey to be related, because changing UpdateDistribution to UpdateDistributionForFlatTreeTraversal is just renaming.

This looks one of editing's issues.

Comment 4 by yosin@chromium.org, Apr 27 2018

Components: -Blink>Editing Blink>DOM>ShadowDOM
Owner: hayato@chromium.org
It seems flat tree is unstable by two animation frames from MARQUEE, which changes
left-top coordinate of child nodes, and requested animation frame, which does
"selectAll".
Components: -Blink>DOM>ShadowDOM Blink>Animation
Owner: ----
Status: Available (was: Assigned)
Owner: flackr@chromium.org
Status: Assigned (was: Available)
Hi flackr, could you take a look and assign it to appropriate person?
Cc: yosin@chromium.org
Components: -Blink>Animation Blink>DOM>ShadowDOM
Owner: futhark@chromium.org
When I bisected this using bisect-builds.py it pointed at https://chromium.googlesource.com/chromium/src/+/822be90274eab3c047fea8cf2d7dd35cd5d0db49 being the first failure, and this still works if I manually disable the SlotInFlatTree feature. If it's an animations bug I apologize but from #4 I got that the flat tree was not correctly handling animation related changes to it? If it is an animations bug can you help explain what has gone wrong?
Components: -Blink>DOM>ShadowDOM Blink>Editing
This has nothing to do with shadow dom distribution update. It crashes there because we pass in a nullptr from the editing code. The general issue is with adjusting a selection where the editability of the start and end points of a selection do not match, and there is a slot involved, most likely due to the slot being display:contents.

It all starts here:

https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/editing/selection_adjuster.cc?q=selection_adjuster.cc&sq=package:chromium&l=741

This is most likely related or the same as issues  827897  and  836934  which I have not been able to figure out what's wrong yet. This issue seems to have a much smaller repro though.

Blocking: 836934
Blocking: 827897
Labels: -Pri-1 Pri-2
Owner: yosin@chromium.org
I've used several days on this, and the blocked bugs, without being able to figure out how the code is supposed to work.

I've made a simplified test (attached). What I've found is that we end up with a null end position in AdjustSelectionEndToAvoidCrossingEditingBoundaries and it seems to be because we are moving between flat tree and dom tree positions.

We are adjusting the end position at "B" here because the start position is not editable (a text node inserted between head and body, not shown here) and the end position is, because editability propagates down the dom tree, not flat tree:

BODY (editable)
	#text "A"
	DIV id="host" (editable)
		#shadow-root(Open)
			STYLE
				#text "slot {display:block}"
			DIV
				SLOT
*		#text "B"
	#text "\n"
	SCRIPT (editable)


display:contents does not seem to be an issue as setting display:block/inline on the slot still makes this code crash. The difference is that the slot is part of the flat tree. Without the slot in the flat tree, the position above the initial one with the "B" as an anchor is DIV as the anchor with offset 0 pointing at the "B". Converting that into a dom position uses the "B" and constructs a DOM position with the parent of "B" as an anchor which is DIV#host. With slots being part of the flat tree, the SLOT becomes and anchor for the "B" in the flat tree position. At some point in the while loop of AdjustSelectionEndToAvoidCrossingEditingBoundaries, we end up stopping with an empty position because the current position is not editable. Note that the position of the SLOT (with the parent DIV as anchor) is not editable.

It seems problematic mix flat and dom tree positions here. Note that we start out in this case with start and end points in the same shadow scope with different editability, but end up moving into the shadow tree where the "B" is slotted where we get lost somehow.

This is about as far as I get, I think.

yosin@ do you have any ideas how to proceed?

Missed the attachment.
crash.html
266 bytes View Download
Components: Blink>Editing>Selection
Status: Started (was: Assigned)
Cc: -yosin@chromium.org
Components: -Blink>Editing
Labels: -Pri-2 Pri-3
Owner: ----
Status: Available (was: Started)
Summary: AdjustSelectionEndToAvoidCrossingEditingBoundaries() should handle SLOT with display:block (was: Null-dereference READ in blink::Node::UpdateDistributionInternal)
Hit NOTREACHED() at selection_adjuster.cc(741)

    const PositionTemplate<Strategy>& end =
        AdjustSelectionEndToAvoidCrossingEditingBoundaries(
            range.EndPosition(), end_root, base_editable_ancestor);
    if (end.IsNull()) {
      // The selection crosses an Editing boundary.  This is a
      // programmer error in the editing code.  Happy debugging!
      NOTREACHED();
      return {};
    }
Project Member

Comment 16 by ClusterFuzz, May 17 2018

ClusterFuzz has detected this issue as fixed in range 559423:559424.

Detailed report: https://clusterfuzz.com/testcase?key=4949985603616768

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::UpdateDistributionInternal
  UpdateDistributionForFlatTreeTraversal
  blink::ComparePositions
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=553489:553490
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=559423:559424

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4949985603616768

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 17 by ClusterFuzz, May 17 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 4949985603616768 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Sign in to add a comment