
Issue 594830


Issue metadata

Status: Verified
Owner: ----
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug


InsertOrderedList crashes with multiple BODY/HEAD/IFRAME

Project Member Reported by ClusterFuzz, Mar 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5212159170052096

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: destination.deepEquivalent().inDocument()
  blink::CompositeEditCommand::moveParagraphs
  blink::InsertListCommand::unlistifyParagraph
  

Minimized Testcase (1.76 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K5oYpMxfDzv-x0HYpTnDYqJHLsHB6DD44VABzzZwuPhQqumusKBLSHOh6YBQtfyycpqPhsYtIYjm7ohdvfMmhzd_j3izCvmkb-Ckcnrbb8NDggX1orWsVOZB6yILOhT70lvnRJ0Dpd5kXDzSaVfKJUscaHw

Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: findit-for-crash Te-Logged M-50
Owner: tkent@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/0c4732c8c9ac40c7376d589728477185454b39bb
Time: Tue Sep 10 08:17:36 2013
The CL last changed line 1314 of file CompositeEditCommand.cpp, which is stack frame 0.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fea3a369e7be4f4fb07f5c0518b4015612ecc22f
Time: Tue Feb 16 01:26:06 2016
The CL last changed line 386 of file InsertListCommand.cpp, which is stack frame 1.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fea3a369e7be4f4fb07f5c0518b4015612ecc22f
Time: Tue Feb 16 01:26:06 2016
The CL last changed line 313 of file InsertListCommand.cpp, which is stack frame 2.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2df3e5c169263f58f3da42ef4d2b518a362f2df5
Time: Wed Feb 10 05:12:58 2016
The CL last changed line 222 of file InsertListCommand.cpp, which is stack frame 3.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/141f0e9340ec887e341ba89a712c6539205a8292
Time: Tue Feb 09 12:09:23 2016
The CL last changed line 208 of file CompositeEditCommand.cpp, which is stack frame 4.

Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7840a79114afc7071c77cf3b7337570a6fbb156d
Time: Fri Feb 19 04:15:19 2016
The CL last changed line 582 of file EditorCommand.cpp, which is stack frame 5.

Author: tkent@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b32858db78d1145879e6fd12c0e8b67ddd9b750c
Time: Wed Aug 28 02:51:14 2013
The CL last changed line 1785 of file EditorCommand.cpp, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Editing

Comment 2 by tkent@chromium.org, Mar 14 2016

Components: Blink>Editing
Labels: -Cr-Blink-Editing
Owner: ----
Status: Untriaged (was: Assigned)
Route to Editing triage

Comment 3 by yosin@chromium.org, Mar 15 2016

Labels: -OS-Linux -Pri-1 OS-All Pri-2
Status: Available (was: Untriaged)
Summary: InsertOrderedList crashes with multiple BODY/HEAD/IFRAME (was: ASSERTION FAILED: destination.deepEquivalent().inDocument())
Lowering to Pri-2, since real-world usage of InsertOrderedList is low.

It seems the start/end paragraph computation doesn't work well when BODY and IFRAME are included.

DOM tree at assertion:
*#document	3E4021D0
	HTML	3E402AD8 (editable) (focused)
		HEAD	3E402B10 (editable)
			STYLE	3E402B48 (editable)
				#text	3E402B98 "\n*{-webkit-user-modify:read-write;"
			#text	3E402BC8 "\n"
			IFRAME	3E402CD0 (editable)
				#text	3E402D48 "... text ..."
		HEAD	3E404228 (editable)
		BODY	3E404260 (editable)
			IFRAME	3E404298 (editable)
				#text	3E404310 "... text ..."
		BODY	3E402C68 (editable)
			OL	3E408260 (editable)
				LI	3E4082A8 (editable)
		BODY	3E408180 (editable)
			IFRAME	3E4081B8 (editable)
				#text	3E408230 "... text ..."
		HEAD	3E406CA0 (editable)
		BODY	3E406CD8 (editable)
			IFRAME	3E406D10 (editable)
				#text	3E406D88 "... text ..."
		HEAD	3E4057F8 (editable)
		BODY	3E405830 (editable)
			IFRAME	3E405868 (editable)
				#text	3E4058E0 "... text ..."
<void>

DOM tree before deleteSelection():
*#document	3E4021D0
	HTML	3E402AD8 (editable) (focused)
		HEAD	3E402B10 (editable)
			STYLE	3E402B48 (editable)
				#text	3E402B98 "\n*{-webkit-user-modify:read-write;"
			#text	3E402BC8 "\n"
			IFRAME	3E402CD0 (editable)
				#text	3E402D48 "...text..."
		HEAD	3E404228 (editable)
		BODY	3E404260 (editable)
			IFRAME	3E404298 (editable)
				#text	3E404310 "... text ..."
		BODY	3E402C68 (editable)
			OL	3E408260 (editable)
				LI	3E4082A8 (editable)
					BR	3E4082E0 (editable)
destination 		BR	3E409678 (editable)
			SCRIPT	3E402BF8 (editable)
		HEAD	3E408148 (editable)
		BODY	3E408180 (editable)
			IFRAME	3E4081B8 (editable)
				#text	3E408230 "... text ..."
		HEAD	3E406CA0 (editable)
		BODY	3E406CD8 (editable)
			IFRAME	3E406D10 (editable)
				#text	3E406D88 "...text ..."
		HEAD	3E4057F8 (editable)
		BODY	3E405830 (editable)
			IFRAME	3E405868 (editable)
				#text	3E4058E0 "... text ..."
<void>

Project Member Comment 4 by ClusterFuzz, Jul 2 2016

ClusterFuzz has detected this issue as fixed in range 389884:390111.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5212159170052096

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  destination.deepEquivalent().inDocument()
  blink::CompositeEditCommand::moveParagraphs
  blink::InsertListCommand::unlistifyParagraph
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=369991:370003
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=389884:390111

Minimized Testcase (1.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96dDwE8-9LC2YlNYKgMU8Fjw5SpqnaBQukenQwz5SgRraxNx-x0JELg7YXBjLx3f2CuN0MyIMqfnMNdl7AUQGcSCzkOEKWQlj9TG8tWU33GRd9-4uPEzDQqGhZ83vu5WNqpf67h48LCS0F7NFUDF40zVM-7ow?testcase_id=5212159170052096

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 5 by ClusterFuzz, Jul 2 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Project Member Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot