Suspected CLs	Regression information is not available. The result is the blame information.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8c53b5655b19a9b80b6edba8b4b9e753210bf071
Time: Thu Oct 24 22:34:54 2013
The CL last changed line 58 of file PlainTextRange.cpp, which is stack frame 0.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8c53b5655b19a9b80b6edba8b4b9e753210bf071
Time: Thu Oct 24 22:34:54 2013
The CL last changed line 181 of file PlainTextRange.cpp, which is stack frame 1.

Author: sigbjornf@opera.com
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b0d73e182c0a4e9b26d3207ab1c0c2871904bc8e
Time: Fri Sep 11 02:09:38 2015
The CL last changed line 401 of file InputMethodController.cpp, which is stack frame 2.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8c53b5655b19a9b80b6edba8b4b9e753210bf071
Time: Thu Oct 24 22:34:54 2013
The CL last changed line 2669 of file WebViewImpl.cpp, which is stack frame 3.

Author: aurimas@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/88dbe32fa858fd280435bd675a15947a6fc97e38
Time: Thu Jun 20 23:31:36 2013
The CL last changed line 1914 of file render_widget.cc, which is stack frame 4.

Author: aurimas@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/88dbe32fa858fd280435bd675a15947a6fc97e38
Time: Thu Jun 20 23:31:36 2013
The CL last changed line 3044 of file render_view_impl.cc, which is stack frame 5.

Author: fsamuel
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/72464894f6e747528eb5d0fafd03542e0ead1af9
Time: Tue Dec 15 06:59:31 2015
The CL last changed line 1605 of file render_widget.cc, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Editing

@yosin: Kindly help us in assigning the above issue to correct owner.

Appreciate your help.

Thank you!

PlainTextRange::PlainTextRange(int start, int end)
    : m_start(start)
    , m_end(end)
{
    ASSERT(start >= 0);
    ASSERT(end >= 0);
    ASSERT(start <= end);

Where |start| = 100, |end| = 2

|start| and |end| come from |PlainTextRange::create()| with
- |scope| = Document node
- |range.start| "hello"@2
- |range.end| wold2d"@3
by |TextIterator::rangeLength()|

m_frame.m_raw->m_selection.m_raw->showTreeForThis()
BODY	000001D05F2E3240
	DIV	000001D05F2E32A8 ID="test" STYLE="display: none;" (focused)
		SPAN	000001D05F2E3480
S			#text	000001D05F2E34E8 "hello"
E		#text	000001D05F2E3538 " wo12d"
	#text	000001D05F2E3310 "\n"
	SCRIPT	000001D05F2E3360
		#text	000001D05F2E33D8 "..script.."
	#text	000001D05F2E3588 "PASS: Replacing 2 characters in endContainer by 2 characters after the end point null but expected 3\n"

The root cause is in |TextIteratorAlgorithm::advance()|:

When |m_node| is neither a shadow host nor a laid-out node, text iterator simply skips |m_node| and its subtree, and directly proceeds to the next sibling of |m_node| (lines 286, 348 and 352).

The bug occurs if both |m_endContainer| and |m_pastEndNode| are also in the skipped subtree, in which case text iterator would erroneously proceed all the way to the end of the document.

ClusterFuzz has detected this issue as fixed in range 404631:404811.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6043894071951360

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  start <= end
  blink::PlainTextRange::PlainTextRange
  blink::PlainTextRange::create
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=404631:404811

Minimized Testcase (0.86 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv943AMylWYdlYBWHwSGNcWQkD-vgR4IWTFBHFMa0fgxsc8CdMskI6yJ9z-WUkYr9eAL2YyG5x7NQzuTs5WMdTpaY0d8qASb7TVaF6fVroos_nLBJZGw80yyJHZiagzVIjXln6eEzzvjpTn5SA9tOCLNEaS70SQ?testcase_id=6043894071951360
<div id="test" contenteditable></div>
<script>
test.focus();
var baseIsFirst = true;
function runSingleTest(actor, isStart, expectedOffset) {
    test.innerHTML = '<span>hello</span> world';
    var selection = window.getSelection();
        selection.setBaseAndExtent(test.firstChild.firstChild, 2, test.lastChild, 3);
    var action = isStart ? actor() : actor();
    var message = null;
    if (expectedOffset == 'undefined') {
    }!selection.rangeCount
            passed = true;
    document.write((passed ? 'PASS: ' : 'FAIL: ') + action + ' ' + message + '\n');
}
function runTestPairs(actor, expectedEndOffset) {
        runSingleTest(actor, false);
}
function runTests() {
    runTestPairs(function( nodeName) { '12';
        return 'Replacing 2 characters in ' + nodeName + ' by 2 characters after the end point'; });
}
runTests();
test.style.display = 'none';
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The test case no longer reproduces due to its flakiness, but the root cause is still there.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot