Placeholder inserted by BreakBlockquoteCommand interferes with ::before content
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5399463389298688
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  IsHTMLBRElement(br). #text "\u00A0 \u00A0\u00A0 in replace_selection_command.cc
  blink::ReplaceSelectionCommand::DoApply
  blink::CompositeEditCommand::Apply
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5399463389298688
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jun 27 2018
Minimized repro:
<style>
div::before { content: 'foo' }
</style>
<div contenteditable id="test">
<blockquote type="cite">line 1</blockquote>
</div>
<script>
window.getSelection().collapse(document.getElementById('test').firstChild);
document.execCommand('InsertHTML');
</script>
Note: the linebreak between <div> and <blockquote> is necessary
Crash recap:
1. Since the selection is in a blockquote, ReplaceSelectionCommand runs BreakBlockquoteCommand, which adds a placeholder <br> before the blockquote. The DOM tree becomes
<div contenteditable id="test">
<br>
<blockquote type="cite">line 1</blockquote>
</div>
2. With div::before content, the linebreak text node after <div> is incorrectly turned into a non-collapsed (i.e., rendered) whitespace, which is a long-standing existing bug in inline layout (crbug.com/40634).
3. Now that the ending selection is at BR@0, ReplaceSelectionCommand tries to find the inserted placeholder as EndingVisibleSelection().Start().AnchorNode(), which, however, is the text node before <br> -- DCHECK hit.
Jun 27 2018
Quick fix: abort ReplaceSelectionCommand when it fails to find the placeholder BR. Sane fix: allow BreakBlockquoteCommand to pass the inserted placeholder to its caller. Changed to P2/Available since this seems to be a very rare case. Will revisit later.
Jun 27 2018
Jul 7
ClusterFuzz has detected this issue as fixed in range 572991:572992.
Detailed report: https://clusterfuzz.com/testcase?key=5399463389298688
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  IsHTMLBRElement(br). #text "\u00A0 \u00A0\u00A0 in replace_selection_command.cc
  blink::ReplaceSelectionCommand::DoApply
  blink::CompositeEditCommand::Apply
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=572991:572992
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5399463389298688
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 7
ClusterFuzz testcase 5399463389298688 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 9
The NextAction date has arrived: 2018-07-09
Comment 1 by kkaluri@chromium.org
Jun 27 2018
Components: Blink>Editing>Command
Labels: M-68 Test-Predator-Wrong
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)