WebKit Bugzilla
RESOLVED FIXED
112280
ASSERTION FAILED: !node || node->isElementNode(), UNKNOWN in WebCore::CompositeEditCommand::insertNodeAt
https://bugs.webkit.org/show_bug.cgi?id=112280
Abhishek Arya
Reported
2013-03-13 12:59:28 PDT
Fuzzer: Bj_doc_fuzzer
Crash Type: UNKNOWN
Crash Address: 0x0000977537dd
Crash State:
- crash stack -
WebCore::CompositeEditCommand::insertNodeAt
WebCore::ReplaceSelectionCommand::doApply
WebCore::CompositeEditCommand::apply

Testcase:

<script>
var af = [], i = 0;
function main() { af[i++ % af.length](); }
af.push(function () {
    document.designMode = "on";
    document.execCommand("SelectAll");
    document.execCommand("JustifyFull");
    try { document.documentElement.textContent = "(((@"; } catch (e) { console.log(e); }
});
af.push(function () {
    document.execCommand("InsertImage", false);
});
document.addEventListener("DOMNodeInsertedIntoDocument", main, true);
window.onload = main;
</script>

+----------------------------------------Release Build Stacktrace----------------------------------------+
/mnt/scratch0/clusterfuzz/slave-bot/builds/symbolized/release/asan-symbolized-linux-release-187589/DumpRenderTree
Xlib: extension "RANDR" missing on display ":1".
ASSERTION FAILED: !node || node->isElementNode()
third_party/WebKit/Source/WebCore/dom/Element.h(719) : WebCore::Element *WebCore::toElement(WebCore::Node *)
1 0x56b3a8 2 0x201304b 3 0x1abd822 4 0x20110bc 5 0x1a9db5a 6 0x1a9d956 7 0x1a97adb 8 0x1a9528f 9 0x9b5a75 10 0x2807172 11 0x7f99e09468af
ASAN:SIGSEGV
=================================================================
==3881== ERROR: AddressSanitizer: SEGV on unknown address 0x0000977537dd (pc 0x00000056b3b2 sp 0x7fffe9f0c640 bp 0x7fffe9f0c650 T0)
AddressSanitizer can not provide additional info.
#0 0x56b3b1 in WebCore::toElement(WebCore::Node*) third_party/WebKit/Source/WebCore/dom/Element.h:719
#1 0x201304a in WebCore::CompositeEditCommand::insertNodeAt(WTF::PassRefPtr<WebCore::Node>, WebCore::Position const&) third_party/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:367
#2 0x1abd821 in WebCore::ReplaceSelectionCommand::doApply() third_party/WebKit/Source/WebCore/editing/ReplaceSelectionCommand.cpp:1081
#3 0x20110bb in WebCore::CompositeEditCommand::apply() third_party/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:214
#4 0x1a9db59 in WebCore::executeInsertFragment(WebCore::Frame*, WTF::PassRefPtr<WebCore::DocumentFragment>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:196
#5 0x1a9d955 in WebCore::executeInsertNode(WebCore::Frame*, WTF::PassRefPtr<WebCore::Node>) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:207
#6 0x1a97ada in WebCore::executeInsertImage(WebCore::Frame*, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:508
#7 0x1a9528e in WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const third_party/WebKit/Source/WebCore/editing/EditorCommand.cpp:1700
#8 0x9b5a74 in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) third_party/WebKit/Source/WebCore/dom/Document.cpp:4174
#9 0x2807171 in WebCore::DocumentV8Internal::execCommandMethod(v8::Arguments const&) out/Release/obj/gen/webcore/bindings/V8Document.cpp:2359
#10 0x7f99e09468ae in
==3881== ABORTING

Ryosuke, this looks like it needs changing from toElement to toContainerNode(). Don't know if toContainerNode() on a Node* would be safe as well?
Attachments
Patch (1.58 KB, patch), 2013-03-13 13:09 PDT, Abhishek Arya
Abhishek Arya
Comment 1
2013-03-13 12:59:38 PDT
http://code.google.com/p/chromium/issues/detail?id=189086
Ryosuke Niwa
Comment 2
2013-03-13 13:02:22 PDT
This is not a security bug. We just need to use toContainerNode instead.
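To make the fix in comment 2 concrete, here is an added C++ model of the checked-cast idiom at the crash site; it is not WebKit's code. The node classes, the appendChild body and the choice of a Document as the non-element anchor are assumptions made for illustration.

```cpp
#include <cstddef>
#include <vector>

// Constructed model of the relevant WebKit node classes (not WebKit's own code).
struct Node {
    virtual ~Node() = default;
    virtual bool isElementNode() const { return false; }
    virtual bool isContainerNode() const { return false; }
};
struct ContainerNode : Node {
    std::vector<Node*> children;
    bool isContainerNode() const override { return true; }
    void appendChild(Node* child) { children.push_back(child); }
};
struct Element : ContainerNode { bool isElementNode() const override { return true; } };
struct Document : ContainerNode {};  // a container, but not an element (assumed anchor type here)
struct Text : Node {};               // neither a container nor an element

// WebKit's toElement()/toContainerNode() assert these preconditions; in a build with the
// assertion compiled out the static_cast proceeds unchecked, so a false precondition means the
// callee operates on an object of the wrong type. The precondition is returned rather than
// asserted here so that both insertion variants can be exercised side by side.
bool toElementPrecondition(const Node* node) { return !node || node->isElementNode(); }
bool toContainerNodePrecondition(const Node* node) { return !node || node->isContainerNode(); }

// Insertion as in the report: the anchor of the Position is cast with toElement().
bool insertNodeAtOld(Node* anchor, Node* child) {
    if (!anchor || !toElementPrecondition(anchor))  // "ASSERTION FAILED: !node || node->isElementNode()"
        return false;
    static_cast<Element*>(anchor)->appendChild(child);
    return true;
}

// Insertion after the fix: appendChild only needs a ContainerNode, so a Document anchor is accepted,
// while a Text anchor is still rejected.
bool insertNodeAtFixed(Node* anchor, Node* child) {
    if (!anchor || !toContainerNodePrecondition(anchor))
        return false;
    static_cast<ContainerNode*>(anchor)->appendChild(child);
    return true;
}

// Scenario helpers: anchor is a Document (assumption), the inserted node stands in for the <img>.
bool oldPathTripsOnDocumentAnchor() { Document doc; Element img; return !insertNodeAtOld(&doc, &img); }
std::size_t fixedPathChildCountOnDocumentAnchor() {
    Document doc; Element img; insertNodeAtFixed(&doc, &img); return doc.children.size();
}
bool fixedPathStillRejectsTextAnchor() { Text text; Element img; return !insertNodeAtFixed(&text, &img); }
```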
Abhishek Arya
Comment 3
2013-03-13 13:09:24 PDT
Created attachment 192976 [details]: Patch
WebKit Review Bot
Comment 4
2013-03-13 14:40:32 PDT
Comment on attachment 192976 [details]: Patch. Clearing flags on attachment: 192976. Committed r145754: <http://trac.webkit.org/changeset/145754>
WebKit Review Bot
Comment 5
2013-03-13 14:40:35 PDT
All reviewed patches have been landed. Closing bug.