Fuzzer: Bj_doc_fuzzer
Crash Type: UNKNOWN
Crash Address: 0x0000977537dd
Crash State:
  - crash stack -
  WebCore::CompositeEditCommand::insertNodeAt
  WebCore::ReplaceSelectionCommand::doApply
  WebCore::CompositeEditCommand::apply

Testcase:

<script>
var af = [], i = 0;
function main() { af[i++ % af.length](); }
af.push(function () {
    document.designMode = "on";
    document.execCommand("SelectAll");
    document.execCommand("JustifyFull");
    try { document.documentElement.textContent = "(((@"; } catch (e) { console.log(e); }
});
af.push(function () {
    document.execCommand("InsertImage", false);
});
document.addEventListener("DOMNodeInsertedIntoDocument", main, true);
window.onload = main;
</script>

+----------------------------------------Release Build Stacktrace----------------------------------------+
/mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/release/asan-symbolized-linux-release-187589/DumpRenderTree
Xlib: extension "RANDR" missing on display ":1".
ASSERTION FAILED: !node || node->isElementNode()
third_party/WebKit/Source/WebCore/dom/Element.h(719) : WebCore::Element *WebCore::toElement(WebCore::Node *)
1   0x56b3a8
2   0x201304b
3   0x1abd822
4   0x20110bc
5   0x1a9db5a
6   0x1a9d956
7   0x1a97adb
8   0x1a9528f
9   0x9b5a75
10  0x2807172
11  0x7f99e09468af
ASAN:SIGSEGV
=================================================================
==3881== ERROR: AddressSanitizer: SEGV on unknown address 0x0000977537dd (pc 0x00000056b3b2 sp 0x7fffe9f0c640 bp 0x7fffe9f0c650 T0)
AddressSanitizer can not provide additional info.
    #0 0x56b3b1 in WebCore::toElement(WebCore::Node*) third_party/WebKit/Source/WebCore/dom/Element.h:719
    #1 0x201304a in WebCore::CompositeEditCommand::insertNodeAt(WTF::PassRefPtr<WebCore::Node>, WebCore::Position const&) third_party/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:367
    #2 0x1abd821 in WebCore::ReplaceSelectionCommand::doApply() third_party/WebKit/Source/WebCore/editing/ReplaceSelectionCommand.cpp:1081
    #3 0x20110bb in WebCore::CompositeEditCommand::apply() third_party/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:214
    #4 0x1a9db59 in WebCore::executeInsertFragment(WebCore::Frame*, WTF::PassRefPtr<WebCore::DocumentFragment>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:196
    #5 0x1a9d955 in WebCore::executeInsertNode(WebCore::Frame*, WTF::PassRefPtr<WebCore::Node>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:207
    #6 0x1a97ada in WebCore::executeInsertImage(WebCore::Frame*, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:508
    #7 0x1a9528e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:1700
    #8 0x9b5a74 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) third_party/WebKit/Source/WebCore/dom/Document.cpp:4174
    #9 0x2807171 in WebCore::DocumentV8Internal::execCommandMethod(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8Document.cpp:2359
    #10 0x7f99e09468ae in
==3881== ABORTING

Ryosuke, this looks to need changing from toElement to toContainerNode(). Don't know if the toContainerNode() on a Node* would be safe as well?
http://code.google.com/p/chromium/issues/detail?id=189086
This is not a security bug. We just need to use toContainerNode instead.
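The cast mismatch behind this report, illustrated with an added toy model (this is not WebKit's code and not the patch that landed; it is example code written for this page). Class and helper names mirror WebCore's Node, ContainerNode, Element, Position, toElement and toContainerNode, but the implementation is hypothetical: the *Checked helpers return nullptr on a type mismatch where WebCore's helpers assert in debug builds and cast blindly in release builds, and the scenario in which the insertion position's container is the Document node rather than an Element is an assumption made for the example, since the report does not say which non-element node reached toElement.

```cpp
// Added illustration, not WebKit code: a toy model of WebCore's Node/ContainerNode/Element
// hierarchy and of the downcast helpers named in the report above. WebCore's own toElement()
// and toContainerNode() assert on the node type in debug builds and cast unconditionally in
// release builds; the *Checked helpers below return nullptr on a mismatch instead, so the
// wrong cast is observable without crashing.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

enum class NodeKind { Document, Element, Text };

struct Node {
    explicit Node(NodeKind k) : kind(k) {}
    bool isElementNode() const { return kind == NodeKind::Element; }
    bool isContainerNode() const { return kind != NodeKind::Text; }  // only Text is a leaf here
    NodeKind kind;
};

struct ContainerNode : Node {
    using Node::Node;
    std::vector<Node*> children;  // non-owning in this model
    void insertChildAt(Node* child, std::size_t offset) {
        if (offset > children.size()) offset = children.size();
        children.insert(children.begin() + static_cast<std::ptrdiff_t>(offset), child);
    }
};
struct Document : ContainerNode { Document() : ContainerNode(NodeKind::Document) {} };
struct Element : ContainerNode {
    explicit Element(std::string t) : ContainerNode(NodeKind::Element), tagName(t) {}
    std::string tagName;
};

// Checked downcasts: the cast is performed only when the runtime type allows it.
Element* toElementChecked(Node* n) {
    return (n && n->isElementNode()) ? static_cast<Element*>(n) : nullptr;
}
ContainerNode* toContainerNodeChecked(Node* n) {
    return (n && n->isContainerNode()) ? static_cast<ContainerNode*>(n) : nullptr;
}

// Simplified WebCore::Position: a container plus an offset into its children. The model
// assumes (as the fix relies on) that the container is always a ContainerNode, but it need
// not be an Element: it can be the Document itself.
struct Position { Node* container; std::size_t offset; };

// Before the fix: demands an Element, which is more than Position guarantees.
bool insertNodeAtAssumingElement(Node* newNode, const Position& pos) {
    Element* parent = toElementChecked(pos.container);
    if (!parent) return false;  // WebCore: debug ASSERT fires, release casts blindly
    parent->insertChildAt(newNode, pos.offset);
    return true;
}

// After the fix: asks only for what Position guarantees.
bool insertNodeAt(Node* newNode, const Position& pos) {
    ContainerNode* parent = toContainerNodeChecked(pos.container);
    if (!parent) return false;
    parent->insertChildAt(newNode, pos.offset);
    return true;
}

struct Outcome { bool withToElement; bool withToContainerNode; std::size_t childCount; };

// Runs both variants against the same position, each with its own fresh <img> node.
Outcome tryInsert(ContainerNode& container, std::size_t offset, Node& a, Node& b) {
    Position pos{&container, offset};
    Outcome o{};
    o.withToElement = insertNodeAtAssumingElement(&a, pos);
    o.withToContainerNode = insertNodeAt(&b, pos);
    o.childCount = container.children.size();
    return o;
}

// Scenario assumed for this example: the insertion position's container is the Document
// node itself (a ContainerNode that is not an Element).
Outcome insertImageIntoDocumentContainer() {
    Document doc;
    Element img("img"), img2("img");
    return tryInsert(doc, 0, img, img2);  // toElement variant refuses, toContainerNode inserts
}

// Control: an ordinary element as container, where both variants agree.
Outcome insertImageIntoElementContainer() {
    Document doc;
    Element body("body");
    doc.insertChildAt(&body, 0);
    Element img("img"), img2("img");
    return tryInsert(body, 0, img, img2);
}

int main() {
    Outcome a = insertImageIntoDocumentContainer(), b = insertImageIntoElementContainer();
    std::printf("Document container: toElement=%d toContainerNode=%d\n", a.withToElement, a.withToContainerNode);
    std::printf("Element container:  toElement=%d toContainerNode=%d\n", b.withToElement, b.withToContainerNode);
}
```

The point the model makes is the one in the fix: a downcast should demand no more than the invariant at that call site provides. Position guarantees a ContainerNode, so toContainerNode is the right helper there, while toElement would be correct only if every insertion container were an Element.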
Created attachment 192976: Patch
Comment on attachment 192976: Patch

Clearing flags on attachment: 192976

Committed r145754: <http://trac.webkit.org/changeset/145754>
All reviewed patches have been landed. Closing bug.