Verified
Status Update
Comments
24...@project.gserviceaccount.com <24...@project.gserviceaccount.com> #2
Automatically applying components based on crash stacktrace and information from OWNERS files.
If this is incorrect, please apply the hotlistid:4801165.
24...@project.gserviceaccount.com <24...@project.gserviceaccount.com> #3
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e61a3c997dd7d76fdc7fe44b4f20d210bdbd700e (Relax <select> parser rules
This patch makes <select> allow tags besides <option>, <optgroup>, and
<hr>. Previously this was only allowed within a child <button> or
<datalist> tag inside <select>, but based on the feedback in whatwg we
should try to allow this content everywhere:
https://github.com/whatwg/html/issues/10310
This behavior is guarded behind a flag. Since I am planning on shipping
parser changes for <select> before appearance:base-select, I am creating
a new flag for parser changes instead of reusing the existing
StylableSelect flag for appearance:base-select. The new flag is intended
to not only make the parser change, but also update the algorithms which
associate option/optgroup/hr elements with select elements to account
for the newly parsed elements.
If everything goes well, then we will need to change these WPTs which
this patch effectively marks as failing:
html/infrastructure/common-dom-interfaces/collections/htmloptionscollection.html
html/semantics/forms/the-select-element/select-value.html
html/syntax/parsing/
Bug: 1511354
Change-Id: I441f9645a592ac63764fef928e4e5acf3fdec5db
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5518837
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Reviewed-by: David Baron <dbaron@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1329137}
).
If this is incorrect, please let us know why and apply the hotlistid:5433122. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
ap...@google.com <ap...@google.com> #4
Project: chromium/src
Branch: main
Author: Joey Arhar <
Link:
Fix <select> GetListItems crash
GetListItems is supposed to track descendant <optgroup> elements, but
the code which invalidates GetListItems was only looking for a parent
<select> element when the <optgroup> is inserted instead of any ancestor
<select>.
Fixed: 396475564
Change-Id: I905cf88542e3a01a77364f11bae023ec2a2a6ba1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6270416
Auto-Submit: Joey Arhar <jarhar@chromium.org>
Reviewed-by: Traian Captan <tcaptan@chromium.org>
Commit-Queue: Traian Captan <tcaptan@chromium.org>
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1420785}
Files:
- M third_party/blink/renderer/core/html/forms/html_opt_group_element.cc
- A third_party/blink/web_tests/external/wpt/html/semantics/forms/the-select-element/customizable-select/select-listitems-crash.html
Hash: d1a02311e7ee214557c09921bf2b885025c187a7
Date: Fri Feb 14 15:46:31 2025
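The invalidation gap described in the commit message above, as an added C++ model that is not Chromium's code. `Node`, `Policy`, `Insert` and `ListItemsConsistent` are hypothetical names, and the recompute-and-compare function is an assumed stand-in for the `items == list_items_` check named in the crash state.

```cpp
// Toy model of the stale-cache bug; not Blink code, all names hypothetical.
#include <memory>
#include <string>
#include <vector>
struct Node {
  std::string tag;
  Node* parent = nullptr;
  std::vector<std::unique_ptr<Node>> children;
  std::vector<const Node*> list_items;  // cache, meaningful on <select> only
  bool dirty = true;
};

// Fresh tree-order walk for descendant <option>/<optgroup>/<hr>.
void Collect(const Node& n, std::vector<const Node*>& out) {
  for (const auto& c : n.children) {
    if (c->tag == "option" || c->tag == "optgroup" || c->tag == "hr")
      out.push_back(c.get());
    Collect(*c, out);
  }
}

// Stand-in for the crash-state check: the cache must equal a fresh walk.
bool ListItemsConsistent(Node& select) {
  std::vector<const Node*> items;
  Collect(select, items);
  if (select.dirty) { select.list_items = items; select.dirty = false; }
  return items == select.list_items;
}
enum class Policy { kParentOnly, kAnyAncestor };
// Insert a child, then invalidate a <select> cache according to the policy.
Node* Insert(Node& parent, const std::string& tag, Policy policy) {
  parent.children.push_back(std::make_unique<Node>());
  Node* child = parent.children.back().get();
  child->tag = tag; child->parent = &parent;
  for (Node* a = &parent; a; a = a->parent) {
    if (a->tag == "select") { a->dirty = true; break; }
    if (policy == Policy::kParentOnly) break;  // pre-fix: looks at parent only
  }
  return child;
}
// <select><div></div></select>: prime cache, then add <optgroup> under <div>.
bool Scenario(Policy policy) {
  Node select; select.tag = "select";
  Node* div = Insert(select, "div", policy);
  ListItemsConsistent(select);
  Insert(*div, "optgroup", policy);
  return ListItemsConsistent(select);
}
int main() { return Scenario(Policy::kAnyAncestor) && !Scenario(Policy::kParentOnly) ? 0 : 1; }
```

`Scenario(Policy::kParentOnly)` returns false because the `<optgroup>` is a grandchild of `<select>`, so the cache is never marked dirty; with `kAnyAncestor` the cache is refreshed and the check passes.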
24...@project.gserviceaccount.com <24...@project.gserviceaccount.com> #5
ClusterFuzz testcase 6336530033344512 is verified as fixed in https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=1420780:1420790
If this is incorrect, please add the hotlistid:5433040 and re-open the issue.
Description
Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
items == list_items_ in html_select_element.cc
blink::HTMLSelectElement::GetListItems
blink::WebSelectElement::GetListItems
Sanitizer: address (ASAN)
Regressed:
Reproducer Testcase:
Issue filed automatically.
To reproduce this, please build the target in this report and run it against the reproducer testcase. Please use the GN arguments provided at bottom of this report when building the binary.
If you have trouble reproducing, please also export the environment variables listed under "[Environment]" in the crash stacktrace.
If you have any feedback on reproducing test cases, let us know at