112280 2013-03-13 12:59:28 -0700 ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::CompositeEditCommand::insertNodeAt 2013-03-13 14:40:35 -0700 1 1 1 Unclassified WebKit HTML Editing 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 inferno inferno enrica mifenton rniwa webkit.review.bot oldest_to_newest 854512 0 inferno 2013-03-13 12:59:28 -0700 Fuzzer: Bj_doc_fuzzer Crash Type: UNKNOWN Crash Address: 0x0000977537dd Crash State: - crash stack - WebCore::CompositeEditCommand::insertNodeAt WebCore::ReplaceSelectionCommand::doApply WebCore::CompositeEditCommand::apply Testcase:: <script> var af = [], i = 0; function main(){af[i++ % af.length]()} af.push(function (){ document.designMode="on";document.execCommand("SelectAll"); document.execCommand("JustifyFull"); try{document.documentElement.textContent = "(((@"}catch(e){console.log(e)}; }) af.push(function (){ document.execCommand("InsertImage", false); }) document.addEventListener("DOMNodeInsertedIntoDocument",main,true); window.onload=main; </script> +----------------------------------------Release Build Stacktrace----------------------------------------+ /mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/release/asan-symbolized-linux-release-187589/DumpRenderTree Xlib: extension "RANDR" missing on display ":1". ASSERTION FAILED: !node || node->isElementNode() third_party/WebKit/Source/WebCore/dom/Element.h(719) : WebCore::Element *WebCore::toElement(WebCore::Node *) 1 0x56b3a8 2 0x201304b 3 0x1abd822 4 0x20110bc 5 0x1a9db5a 6 0x1a9d956 7 0x1a97adb 8 0x1a9528f 9 0x9b5a75 10 0x2807172 11 0x7f99e09468af ASAN:SIGSEGV ================================================================= ==3881== ERROR: AddressSanitizer: SEGV on unknown address 0x0000977537dd (pc 0x00000056b3b2 sp 0x7fffe9f0c640 bp 0x7fffe9f0c650 T0) AddressSanitizer can not provide additional info. #0 0x56b3b1 in WebCore::toElement(WebCore::Node*) third_party/WebKit/Source/WebCore/dom/Element.h:719 #1 0x201304a in WebCore::CompositeEditCommand::insertNodeAt(WTF::PassRefPtr<WebCore::Node>, WebCore::Position const&) third_party/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:367 #2 0x1abd821 in WebCore::ReplaceSelectionCommand::doApply() third_party/WebKit/Source/WebCore/editing/ReplaceSelectionCommand.cpp:1081 #3 0x20110bb in WebCore::CompositeEditCommand::apply() third_party/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:214 #4 0x1a9db59 in WebCore::executeInsertFragment(WebCore::Frame*, WTF::PassRefPtr<WebCore::DocumentFragment>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:196 #5 0x1a9d955 in WebCore::executeInsertNode(WebCore::Frame*, WTF::PassRefPtr<WebCore::Node>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:207 #6 0x1a97ada in WebCore::executeInsertImage(WebCore::Frame*, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:508 #7 0x1a9528e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:1700 #8 0x9b5a74 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) third_party/WebKit/Source/WebCore/dom/Document.cpp:4174 #9 0x2807171 in WebCore::DocumentV8Internal::execCommandMethod(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8Document.cpp:2359 #10 0x7f99e09468ae in ==3881== ABORTING Ryosuke, this looks to need changing from toElement to toContainerNode(). Don't know if the toContainerNode() on a Node* would be safe as well ? 854514 1 inferno 2013-03-13 12:59:38 -0700 http://code.google.com/p/chromium/issues/detail?id=189086 854521 2 rniwa 2013-03-13 13:02:22 -0700 This is not a security bug. We just need to use toContainerNode instead. 854528 3 192976 inferno 2013-03-13 13:09:24 -0700 Created attachment 192976 Patch 854651 4 192976 webkit.review.bot 2013-03-13 14:40:32 -0700 Comment on attachment 192976 Patch Clearing flags on attachment: 192976 Committed r145754: <http://trac.webkit.org/changeset/145754> 854652 5 webkit.review.bot 2013-03-13 14:40:35 -0700 All reviewed patches have been landed. Closing bug. 192976 2013-03-13 13:09:24 -0700 2013-03-13 14:40:32 -0700 Patch bug-112280-20130313130522.patch text/plain 1614 inferno U3VidmVyc2lvbiBSZXZpc2lvbjogMTQ1NzQwCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZDY5MzljNDViYjY3NTBj ZGM5MzdlZTg3MzMxMTIwNGIwZTQ0NWU2OC4uNzAwZTdhYWYxYmJkNGRhNzNjMGZiOWY2MDk0MDk2 YTc3MzEyNjM2MiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE0IEBACisyMDEzLTAzLTEzICBBYmhp c2hlayBBcnlhICA8aW5mZXJub0BjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgQ3Jhc2ggaW4gQ29t cG9zaXRlRWRpdENvbW1hbmQ6Omluc2VydE5vZGVBdC4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTExMjI4MAorCisgICAgICAgIFJldmlld2VkIGJ5IE5P Qk9EWSAoT09QUyEpLgorCisgICAgICAgICogZWRpdGluZy9Db21wb3NpdGVFZGl0Q29tbWFuZC5j cHA6CisgICAgICAgIChXZWJDb3JlOjpDb21wb3NpdGVFZGl0Q29tbWFuZDo6aW5zZXJ0Tm9kZUF0 KTogRml4IGluY29ycmVjdCBjYXN0IHVzZSBvZiB0b0VsZW1lbnQuCisgICAgICAgIFN1YnNpdHV0 ZSB3aXRoIHRvQ29udGFpbmVyTm9kZS4KKwogMjAxMy0wMy0xMyAgVG9ueSBDaGFuZyAgPHRvbnlA Y2hyb21pdW0ub3JnPgogCiAgICAgICAgIFJlZ3Jlc3Npb24ocjE0MzU0Mik6IC13ZWJraXQtYWxp Z24taXRlbXM6IGNlbnRlciB3aXRoIG92ZXJmbG93OiBhdXRvL3Njcm9sbCBoYXMgZXh0cmEgYm90 dG9tIHBhZGRpbmcKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2VkaXRpbmcvQ29tcG9zaXRl RWRpdENvbW1hbmQuY3BwIGIvU291cmNlL1dlYkNvcmUvZWRpdGluZy9Db21wb3NpdGVFZGl0Q29t bWFuZC5jcHAKaW5kZXggMjVlM2RhOWY0N2Y3YTAwNTQ3MGYwMWRjZjk5NWZiMGMzZTU4OTk1MC4u MDQzNDYzMTdlM2JiODhlMmJhZGQwMTc3Yjk1MmIwN2Y3ODlhMjg1MSAxMDA2NDQKLS0tIGEvU291 cmNlL1dlYkNvcmUvZWRpdGluZy9Db21wb3NpdGVFZGl0Q29tbWFuZC5jcHAKKysrIGIvU291cmNl L1dlYkNvcmUvZWRpdGluZy9Db21wb3NpdGVFZGl0Q29tbWFuZC5jcHAKQEAgLTM2NCw3ICszNjQs NyBAQCB2b2lkIENvbXBvc2l0ZUVkaXRDb21tYW5kOjppbnNlcnROb2RlQXQoUGFzc1JlZlB0cjxO b2RlPiBpbnNlcnRDaGlsZCwgY29uc3QgUG9zaQogICAgICAgICBpZiAoY2hpbGQpCiAgICAgICAg ICAgICBpbnNlcnROb2RlQmVmb3JlKGluc2VydENoaWxkLCBjaGlsZCk7CiAgICAgICAgIGVsc2UK LSAgICAgICAgICAgIGFwcGVuZE5vZGUoaW5zZXJ0Q2hpbGQsIHRvRWxlbWVudChyZWZDaGlsZCkp OworICAgICAgICAgICAgYXBwZW5kTm9kZShpbnNlcnRDaGlsZCwgdG9Db250YWluZXJOb2RlKHJl ZkNoaWxkKSk7CiAgICAgfSBlbHNlIGlmIChjYXJldE1pbk9mZnNldChyZWZDaGlsZCkgPj0gb2Zm c2V0KQogICAgICAgICBpbnNlcnROb2RlQmVmb3JlKGluc2VydENoaWxkLCByZWZDaGlsZCk7CiAg ICAgZWxzZSBpZiAocmVmQ2hpbGQtPmlzVGV4dE5vZGUoKSAmJiBjYXJldE1heE9mZnNldChyZWZD aGlsZCkgPiBvZmZzZXQpIHsK