Selection.deleteFromDocument() crashes with ::first-letter.
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6263501967851520
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x61d2000c767e
Crash State:
  blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > b
  blink::nextSentencePosition
  blink::SelectionEditor::modifyMovingForward
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=375259:376290
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96td64TS90LrmvEdR6zKeEug6YR8xMcQP3bg_JySmrlg0YZwp4v72rWJiQbJxLFIyVVpcqUti-zk02nKp1AALfD7RDCkVemyDrEdfBNBcVvM9ZBBxQeSxz9a_P7f5N7BaPFkGEkZHeP3aFfx2VdWAO5eh9r7A
Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 29 2016

Feb 29 2016

Feb 29 2016
yosin, might we know why you removed the owner? I manually reverted the CL mentioned in #1, and it no longer crashes. We wish to make sure that security bugs (especially high-severity ones) are always in someone's work queue. If we've assigned/CC'ed the wrong people, it would be appreciated if you could point us in the right direction.
Feb 29 2016
This issue has pretty much the same root cause as cr588548: |Selection::deleteFromDocument()| does not work properly with <pseudo:first-letter>. This time it hits another assertion:

ASSERTION FAILED: currentPos.offsetInLeafNode() >= 1
../../third_party/WebKit/Source/core/editing/VisibleUnits.cpp(2551) : PositionTemplate<Strategy> blink::mostBackwardCaretPosition(const PositionTemplate<Strategy> &, blink::EditingBoundaryCrossingRule) [Strategy = blink::EditingAlgorithm<blink::NodeTraversal>]
Received signal 11 SEGV_MAPERR 0000fbadbeef
#0 0x000008415c7e base::debug::StackTrace::StackTrace()
#1 0x0000084157bf base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f0b91317340 <unknown>
#3 0x0000048f87a8 blink::mostBackwardCaretPosition<>()
#4 0x0000048f8122 blink::mostBackwardCaretPosition()
#5 0x0000048edf34 blink::canonicalPosition<>()
#6 0x0000048edd7c blink::canonicalPositionOf()
#7 0x0000048e467c blink::VisiblePositionTemplate<>::create()
#8 0x0000048e44dc blink::createVisiblePosition()
#9 0x0000048e4488 blink::createVisiblePosition()
#10 0x00000489fcba blink::DOMSelection::setBaseAndExtent()
#11 0x0000048a100c blink::DOMSelection::deleteFromDocument()
#12 0x000003d49039 blink::DOMSelectionV8Internal::deleteFromDocumentMethod()
#13 0x000003d45c98 blink::DOMSelectionV8Internal::deleteFromDocumentMethodCallback()

In both cr588548 and this issue, |Selection::deleteFromDocument()| passes some invalid content to |nextBoundary()|. Before the CL mentioned in #1, there was some validation (in an implicit form), so it did not crash. The validation was removed by the CL. The same validation can be added back as a quick patch to these two issues. The root cause is still there, though.
Mar 1 2016
Sorry for my typo in #5. It hits the same assertion as in cr588548.
Mar 1 2016

Mar 12 2016
ClusterFuzz has detected this issue as fixed in range 380105:380830.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6263501967851520
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x61d2000c767e
Crash State:
  blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > b
  blink::nextSentencePosition
  blink::SelectionEditor::modifyMovingForward
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=375259:376290
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=380105:380830
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96td64TS90LrmvEdR6zKeEug6YR8xMcQP3bg_JySmrlg0YZwp4v72rWJiQbJxLFIyVVpcqUti-zk02nKp1AALfD7RDCkVemyDrEdfBNBcVvM9ZBBxQeSxz9a_P7f5N7BaPFkGEkZHeP3aFfx2VdWAO5eh9r7A

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 17 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Feb 29 2016
Components: Blink>Editing
Owner: xiaoche...@chromium.org
Status: Assigned (was: Available)