Issue: Crash in blink::computeInlineBoxPositionTemplate<blink::EditingAlgorithm<blink::NodeTrave
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5201018433830912
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000001f
Crash State:
  blink::computeInlineBoxPositionTemplate<blink::EditingAlgorithm<blink::NodeTrave
  blink::computeInlineBoxPosition
  blink::RenderedPosition::RenderedPosition
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=380056:380094
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95J245MDG-M3PeG-tP3bCf-LuJj9FbUAnvX_idZh5P0BBQBooKKtNjY9i7-WFq8Gfs722T-hKeBaNFqQDFXkkcss9mqQ4i2BK_IoLKoSLBuvqIYK8ZKAL9gAiA65CaD5YHuYVW8IUQetNLAHqzgcryH2skdoQ
Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 10 2016
The test case also crashes on my Linux machine with the same crash log. I have no idea what causes this crash. It seems to be an editing bug but none of the CLs in the regressed range is related to editing. yosin@: could you take a look (as I'm occupied by something else)? Thanks!
Mar 15 2016
Mar 18 2016
Remove legacy label cr-blink
Mar 23 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5201018433830912
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000001f
Crash State:
  blink::computeInlineBoxPositionTemplate<blink::EditingAlgorithm<blink::NodeTrave
  blink::computeInlineBoxPosition
  blink::RenderedPosition::RenderedPosition
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=380056:380094
Minimized Testcase (1.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95J245MDG-M3PeG-tP3bCf-LuJj9FbUAnvX_idZh5P0BBQBooKKtNjY9i7-WFq8Gfs722T-hKeBaNFqQDFXkkcss9mqQ4i2BK_IoLKoSLBuvqIYK8ZKAL9gAiA65CaD5YHuYVW8IUQetNLAHqzgcryH2skdoQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 23 2016
Mar 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6233957850415104
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000001f
Crash State:
  blink::computeInlineBoxPositionTemplate<blink::EditingAlgorithm<blink::NodeTrave
  blink::computeInlineBoxPosition
  blink::RenderedPosition::RenderedPosition
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381899:383055
Minimized Testcase (1.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95QjnWGCTtCuOq-eC6PRuP2TszRtuCDIhgvZ13F9BkG7TcSA6pNAZEwYQjXcSgD1c8UKQkccW9Q-T5U3TEi3WN59gTr9WRdVvEUHPaRgDduVygd2wJW_v9chTILbNfKXBgoE8SRJhuAS-_-wFV2Nexa04etYA
Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1c6aad352c275e7965fb4f32cebcdf5b261af704

commit 1c6aad352c275e7965fb4f32cebcdf5b261af704
Author: yoichio <yoichio@chromium.org>
Date: Fri May 13 09:02:00 2016

[Editing][Stability] Recanonicalize m_originalbase in FrameSelection

The crash issue 562339 is caused in computeInlineBoxPositionTemplate called in the RenderPosition constructor. The root issue is FrameSelection::setNonDirectionalSelectionIfNeededAlgorithm uses m_originalBase as up-to-date. m_originBase is used only in the function. However, there can be layout by next call. Thus this CL recanonicalizes m_originalBase.

BUG=562339, 593592
Review-Url: https://codereview.chromium.org/1793093006
Cr-Commit-Position: refs/heads/master@{#393483}

[add] https://crrev.com/1c6aad352c275e7965fb4f32cebcdf5b261af704/third_party/WebKit/LayoutTests/editing/selection/mouse/drag_selection_update_crash.html
[modify] https://crrev.com/1c6aad352c275e7965fb4f32cebcdf5b261af704/third_party/WebKit/Source/core/editing/FrameSelection.cpp
[modify] https://crrev.com/1c6aad352c275e7965fb4f32cebcdf5b261af704/third_party/WebKit/Source/core/editing/FrameSelection.h
[modify] https://crrev.com/1c6aad352c275e7965fb4f32cebcdf5b261af704/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
May 13 2016
May 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7418382eca49a0e2b0dd8cc081ce89aa77b3e4e5

commit 7418382eca49a0e2b0dd8cc081ce89aa77b3e4e5
Author: vasilii <vasilii@chromium.org>
Date: Fri May 13 12:16:52 2016

Revert of [Editing][Stability] Recanonicalize m_originalbase in FrameSelection (patchset #5 id:120001 of https://codereview.chromium.org/1793093006/ )

Reason for revert:
Causes unexpected leak reliably
https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20Leak/builds/19495/steps/webkit_tests/logs/stdio

02:43:31.446 20471 worker/6 editing/selection/mouse/drag_selection_update_crash.html leaked
02:43:31.447 20404 [15652/40740] editing/selection/mouse/drag_selection_update_crash.html failed unexpectedly (leak detected: ({"numberOfLiveActiveDOMObjects":[2,4],"numberOfLiveDocuments":[1,2],"numberOfLiveNodes":[4,18],"numberOfLiveResources":[0,2]}))
02:43:31.446 20471 worker/6 editing/selection/mouse/drag_selection_update_crash.html failed:
02:43:31.446 20471 worker/6 leak detected: ({"numberOfLiveActiveDOMObjects":[2,4],"numberOfLiveDocuments":[1,2],"numberOfLiveNodes":[4,18],"numberOfLiveResources":[0,2]})

Original issue's description:
> [Editing][Stability] Recanonicalize m_originalbase in FrameSelection
>
> The crash issue 562339 is caused in computeInlineBoxPositionTemplate called in the
> RenderPosition constructor.
> The root issue is FrameSelection::setNonDirectionalSelectionIfNeededAlgorithm
> uses m_originalBase as up-to-date.
> m_originBase is used only in the function.
> However, there can be layout by next call.
> Thus this CL recanonicalizes m_originalBase.
>
> BUG=562339, 593592
>
> Committed: https://crrev.com/1c6aad352c275e7965fb4f32cebcdf5b261af704
> Cr-Commit-Position: refs/heads/master@{#393483}

TBR=yosin@chromium.org,yoichio@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=562339, 593592

Review-Url: https://codereview.chromium.org/1971393003
Cr-Commit-Position: refs/heads/master@{#393505}

[delete] https://crrev.com/07ee3e9ef076503d92a28fe77d3de9e522edb319/third_party/WebKit/LayoutTests/editing/selection/mouse/drag_selection_update_crash.html
[modify] https://crrev.com/7418382eca49a0e2b0dd8cc081ce89aa77b3e4e5/third_party/WebKit/Source/core/editing/FrameSelection.cpp
[modify] https://crrev.com/7418382eca49a0e2b0dd8cc081ce89aa77b3e4e5/third_party/WebKit/Source/core/editing/FrameSelection.h
[modify] https://crrev.com/7418382eca49a0e2b0dd8cc081ce89aa77b3e4e5/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
May 18 2016
May 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/9188249cc0a957865cc7aa592f6477b38cbb7f9a

commit 9188249cc0a957865cc7aa592f6477b38cbb7f9a
Author: yoichio <yoichio@chromium.org>
Date: Fri May 20 04:45:15 2016

[Editing][Stability] Recanonicalize m_originalbase in FrameSelection

The crash issue 562339 is caused in computeInlineBoxPositionTemplate called in the RenderPosition constructor. The root issue is FrameSelection::setNonDirectionalSelectionIfNeededAlgorithm uses m_originalBase as up-to-date. m_originBase is used only in the function. However, there can be layout by next call. Thus this CL recanonicalizes m_originalBase.

This CL also fixes the issue that m_originalBase/inFlatTree are leaked.

BUG=562339, 593592
TEST=LayoutTests/editing/selection/mouse/drag_selection_update_crash.html
Review-Url: https://codereview.chromium.org/1993163003
Cr-Commit-Position: refs/heads/master@{#395001}

[add] https://crrev.com/9188249cc0a957865cc7aa592f6477b38cbb7f9a/third_party/WebKit/LayoutTests/editing/selection/mouse/drag_selection_update_crash.html
[modify] https://crrev.com/9188249cc0a957865cc7aa592f6477b38cbb7f9a/third_party/WebKit/Source/core/editing/FrameSelection.cpp
[modify] https://crrev.com/9188249cc0a957865cc7aa592f6477b38cbb7f9a/third_party/WebKit/Source/core/editing/FrameSelection.h
[modify] https://crrev.com/9188249cc0a957865cc7aa592f6477b38cbb7f9a/third_party/WebKit/Source/core/editing/VisibleUnits.cpp
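The two commit messages above (the first fix and its reland) describe the root cause: FrameSelection kept a cached, already-canonicalized m_originalBase and reused it on a later call after layout could have changed the tree, so RenderedPosition was constructed from a stale position. The C++ below is an added illustration written for this page, not Blink or Chromium code: a toy document and selection with invented names (Document, Position, Selection, layoutGeneration, baseRecanonicalized) that models the stale-cache path beside the recanonicalize-before-use fix and reports whether the position handed to the rendering step is still in range.

```cpp
// Added illustration, not Chromium/Blink code. Models the pattern from the
// commit message: a selection caches a canonicalized base position, a later
// change shrinks the node it points into (forcing relayout), and reusing the
// cached value without recanonicalizing hands an out-of-range position to the
// rendering step. All names here are invented for the model.
#include <algorithm>
#include <cstddef>
#include <optional>
#include <string>
#include <vector>

struct Position {
  std::size_t node;    // index into Document::nodes (toy model, not a DOM)
  std::size_t offset;  // character offset within that node's text
};

struct Document {
  std::vector<std::string> nodes;
  unsigned layoutGeneration = 0;  // bumped by every change that needs relayout

  void replaceText(std::size_t node, const std::string& text) {
    nodes[node] = text;
    ++layoutGeneration;
  }
};

// Canonicalize: clamp a position into the current document, or report that
// the node it referred to no longer exists.
std::optional<Position> canonicalize(const Document& doc, Position p) {
  if (p.node >= doc.nodes.size()) return std::nullopt;
  p.offset = std::min(p.offset, doc.nodes[p.node].size());
  return p;
}

// Stand-in for the rendering step (RenderedPosition / computeInlineBoxPosition
// in the real code): it is only safe to enter with a position that is in range
// for the tree as it exists now.
bool renderedPositionIsValid(const Document& doc, Position p) {
  return p.node < doc.nodes.size() && p.offset <= doc.nodes[p.node].size();
}

class Selection {
 public:
  void setBase(const Document& doc, Position p) {
    m_originalBase = canonicalize(doc, p);
    m_baseGeneration = doc.layoutGeneration;
  }

  // Buggy path: trusts the cached base even though the document may have
  // changed since it was stored.
  std::optional<Position> baseWithoutRecanonicalize(const Document&) const {
    return m_originalBase;
  }

  // Fixed path: recanonicalize the cached base against the current document
  // whenever a layout-affecting change happened after it was cached.
  std::optional<Position> baseRecanonicalized(const Document& doc) {
    if (m_originalBase && m_baseGeneration != doc.layoutGeneration) {
      m_originalBase = canonicalize(doc, *m_originalBase);
      m_baseGeneration = doc.layoutGeneration;
    }
    return m_originalBase;
  }

 private:
  std::optional<Position> m_originalBase;
  unsigned m_baseGeneration = 0;
};

// Runs the scenario: cache a base at the end of a long text node, shrink the
// node (forcing relayout), then fetch the base again. Returns whether the
// position handed to the rendering step was valid.
bool runScenario(bool recanonicalize) {
  Document doc{{"hello world", "second"}};
  Selection sel;
  sel.setBase(doc, Position{0, 11});  // end of "hello world"
  doc.replaceText(0, "hi");           // node shrinks; cached offset 11 is stale
  std::optional<Position> base = recanonicalize
                                     ? sel.baseRecanonicalized(doc)
                                     : sel.baseWithoutRecanonicalize(doc);
  return base && renderedPositionIsValid(doc, *base);
}
```

The generation counter is the model's stand-in for "layout happened since the value was cached"; the fix in the reland is the same idea applied at the call site, recomputing the canonical position from the current tree instead of trusting the stored one.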
May 20 2016
Jun 9 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6233957850415104
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000001f
Crash State:
  blink::computeInlineBoxPositionTemplate<blink::EditingAlgorithm<blink::NodeTrave
  blink::computeInlineBoxPosition
  blink::RenderedPosition::RenderedPosition
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381899:383055
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94s9-KB5ikBAny7Qb_hYqDv1gkI4r5JpI5r1FRpt1jCeJ9Y3I77MUF_LDEJAfQ6PZAA-tXxVqmKLIuDQRWfhxmO8FYPz2U3UP2UlHV57QV6jIfmA8ln8Hhz45GL7-Mg7D31PnfGRgqO4HzUstAFTvoFnAgvpA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 28 2016
commit 1c6aad352c275e7965fb4f32cebcdf5b261af704 first fix, landed in 52.0.2736.0
commit 7418382eca49a0e2b0dd8cc081ce89aa77b3e4e5 reverted the first fix, and landed in 52.0.2736.0
commit 9188249cc0a957865cc7aa592f6477b38cbb7f9a relanded the fix and landed in 53.0.2744.0

Does this not mean that 9188249cc0a957865cc7aa592f6477b38cbb7f9a should have been merged to M52, which branched in 52.0.2743.0?
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Mar 10 2016
Labels: -Type-Bug findit-wrong Te-Logged Type-Bug-Regression
Owner: xiaoche...@chromium.org
Status: Assigned (was: Available)