Issue 883660

Starred by 1 user

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Mac
Pri: 3
Type: Bug




Null-dereference READ in 'InsertOrderedList' command with unusual HTML

Project Member Reported by ClusterFuzz, Sep 13

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5695646009655296

Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::IsDescendantOf
  blink::SelectionForParagraphIteration
  blink::InsertListCommand::DoApply
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=575972:575977

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5695646009655296

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Sep 13

Components: Blink>DOM Blink>Editing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Sep 13

Labels: Test-Predator-Auto-Owner
Owner: ctzsm@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7bd29404a6ab8d36bdff4123ae522fcd9068344b ([Blink] Avoid crossing editing boundaries selection.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: yosin@chromium.org ctzsm@chromium.org xiaoche...@chromium.org
Owner: ----
Status: Available (was: Assigned)
From the spec [1], <rtc> should be a child of a <ruby> element; the test case indicates that Blink didn't enforce that. From MDN, Blink doesn't support <rtc> yet; not sure what the progress is in Blink, though.

In [2], end_of_selection(new_selection.VisibleEnd()) is null even though new_selection.End() is a valid position. See new_selection.ShowTreeForThis() below:

BODY (editable)
S	TABLE (editable)
		#text "\n"
	#text "\n"
	RTC (editable)
		#text "\n"
E		RT
			#text "\n"
			RUBY (editable)
				#text "\n"
			#text "\n"
			RUBY (editable)
start: offsetInAnchor[0]
end: offsetInAnchor[0]

Probably not related to my CL. xiaochengh@, yosin@, could you have a look? Thanks!

[1] https://www.w3.org/TR/html52/textlevel-semantics.html#the-rtc-element
[2] https://chromium.googlesource.com/chromium/src/+/bc9185c627f678ff37431b6e9e112f72cabe0f4d/third_party/blink/renderer/core/editing/commands/editing_commands_utilities.cc#447
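An added example, not part of the bug report, the ClusterFuzz testcase or Blink's own code: it rebuilds the node tree from the ShowTreeForThis() dump quoted in the comment above (transcribed by hand into DUMP, with the S/E selection markers), flags <rtc> elements that are not children of <ruby> as the spec requires, and uses an isDescendantOf() helper that returns false for a null node instead of dereferencing it. The tab-indent parsing and the node shape are assumptions made for this example, not Blink's representation.

```javascript
// Constructed input: the ShowTreeForThis() dump quoted in the comment above.
// A leading "S" or "E" marks the selection start/end node; each tab is one
// level of depth; the first token after that is the node name.
const DUMP = [
  "BODY (editable)",
  "S\tTABLE (editable)",
  "\t\t#text \"\\n\"",
  "\t#text \"\\n\"",
  "\tRTC (editable)",
  "\t\t#text \"\\n\"",
  "E\t\tRT",
  "\t\t\t#text \"\\n\"",
  "\t\t\tRUBY (editable)",
  "\t\t\t\t#text \"\\n\"",
  "\t\t\t#text \"\\n\"",
  "\t\t\tRUBY (editable)",
];

// Parse the dump into a parent/children tree. stack[d] is the most recently
// opened node at depth d (stack[0] is a synthetic root above BODY).
function parseDump(lines) {
  const root = { name: "#root", parent: null, children: [] };
  const stack = [root];
  const marks = {};
  for (const line of lines) {
    const m = /^([SE]?)(\t*)(\S+)/.exec(line);
    if (!m) continue;
    const [, mark, tabs, name] = m;
    const depth = tabs.length;
    const parent = stack[depth];
    const node = { name, parent, children: [] };
    parent.children.push(node);
    stack.length = depth + 1;
    stack.push(node);
    if (mark) marks[mark] = node;
  }
  return { root, marks };
}

// Null-safe ancestor test: a null node (or null ancestor) is a descendant of
// nothing, so the caller never has to check before asking.
function isDescendantOf(node, ancestor) {
  if (!node || !ancestor) return false;
  for (let n = node.parent; n; n = n.parent) {
    if (n === ancestor) return true;
  }
  return false;
}

// Every <rtc> whose parent is not a <ruby>, i.e. the structure the HTML spec
// does not allow and that this test case relies on.
function misplacedRtc(root) {
  const out = [];
  (function walk(n) {
    if (n.name === "RTC" && !(n.parent && n.parent.name === "RUBY")) out.push(n);
    n.children.forEach(walk);
  })(root);
  return out;
}

// Human-readable path from BODY down to the node, e.g. "BODY > RTC".
function describe(n) {
  const path = [];
  for (let x = n; x && x.name !== "#root"; x = x.parent) path.unshift(x.name);
  return path.join(" > ");
}

// Summarise the dump: misplaced <rtc> elements, the selection endpoints, and
// whether either endpoint lies inside the other.
function analyze(lines) {
  const { root, marks } = parseDump(lines);
  return {
    misplaced: misplacedRtc(root).map(describe),
    start: marks.S ? describe(marks.S) : null,
    end: marks.E ? describe(marks.E) : null,
    startInsideEnd: isDescendantOf(marks.S, marks.E),
    endInsideStart: isDescendantOf(marks.E, marks.S),
    nullNodeIsDescendant: isDescendantOf(null, marks.E),
  };
}

console.log(analyze(DUMP));
```

Running it prints that the only misplaced element is "BODY > RTC" (the <rtc> sits directly under <body>, with the <ruby> elements below it rather than above), that the selection runs from the <table> to the <rt>, and that neither endpoint contains the other; the null-node query returns false rather than faulting, which is the check the crashing path is missing.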
Components: -Blink>Editing -Blink>DOM Blink>Editing>Command
Labels: -Pri-1 Pri-3
Summary: Null-dereference READ in 'InsertOrderedList' command with unusual HTML (was: Null-dereference READ in blink::Node::IsDescendantOf)
P3 due to low usage of the InsertOrderedList command and unusual HTML.
Project Member

Comment 5 by ClusterFuzz, Oct 10

Labels: OS-Linux
