Issue 602220

Issue metadata

Status: Verified
Owner: ----
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug
Redo command crashes OBJECT element

Project Member Reported by ClusterFuzz, Apr 11 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5412726637068288

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::EditingAlgorithm<blink::FlatTreeTraversal>::editingIgnoresContent
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa
  blink::mostBackwardCaretPosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (5.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96CWKZialLEZAxllfY60IwRtxDLbTkyJT4s-ZPZW2dEhe97AqGXmcFt9BB5HLSgvqEHgx6KflfefG3invlQQLsOmGRoXaBF8qBz1yI_tfrryV2aTrMxGlPfYYLGBzqdk2h4StPgl02tQ-DANamcMAG6R8oibA

Filer: tkonchada

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: tkent@chromium.org
Labels: findit-for-crash M-50
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: yosin@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/892863b5af02fb4a0384ce810db3a8dd71a5ad09
Time: Wed Apr 15 09:30:26 2015
The CL last changed line 42 of file EditingStrategy.cpp, which is stack frame 0.

Author: hajimehoshi@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8785f6d9655d5d8a5503a3fa75b5ee1fdc8161b5
Time: Fri Apr 03 05:10:15 2015
The CL last changed line 75 of file PositionIterator.cpp, which is stack frame 1.

Author: yoichio@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fdcc2218d0cad104d2c3cd85c7d2875ec782116b
Time: Thu Aug 20 08:21:08 2015
The CL last changed line 2484 of file VisibleUnits.cpp, which is stack frame 2.

Author: hayato
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/5c496adcb1c77856494692e0ea3ca358ba2f0415
Time: Mon Feb 08 07:50:12 2016
The CL last changed line 2494 of file VisibleUnits.cpp, which is stack frame 3.

Author: yosin@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/00d9f74fb98ac403c2067a1b3fc88e64b46a3700
Time: Tue Sep 01 07:07:15 2015
The CL last changed line 111 of file VisibleUnits.cpp, which is stack frame 4.

Author: yosin@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/00d9f74fb98ac403c2067a1b3fc88e64b46a3700
Time: Tue Sep 01 07:07:15 2015
The CL last changed line 168 of file VisibleUnits.cpp, which is stack frame 5.

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/295a06cf79d635079bf750560457a724f6a8e16e
Time: Tue Sep 29 11:16:28 2015
The CL last changed line 65 of file VisiblePosition.cpp, which is stack frame 6.

Suspected Project: chromium-blink
Suspected Component: Blink>Editing

Possible suspect : https://codereview.chromium.org/1085163002

Please reassign if this is not related to your change.

Comment 2 by yosin@chromium.org, Apr 12 2016

Components: Blink>Editing>Command
Labels: -Pri-1 Pri-2
Owner: ----
Status: Available (was: Assigned)
Summary: Redo command crashes OBJECT element (was: Crash in blink::EditingAlgorithm<blink::FlatTreeTraversal>::editingIgnoresContent)
Hit assertion:

comparePositions(Node* containerA, int offsetA, Node* containerB, int offsetB, bool* disconnected)
{
    ASSERT(containerA);
    ASSERT(containerB); // HERE!

|containerB| is |nullptr|

DOM tree at assertion:
m_selection.showTreeForThis()
BODY	000001ED39B43408 (editable) (focused)
	DIV	000001ED39B4A400 STYLE="text-align: left;" (editable)
extent	OBJECT	000001ED39B43470 (editable)
		#shadow-root	000001ED39B435E0
			CONTENT	000001ED39B436B8
		BUTTON	000001ED39B437C0 (editable)
			DIV	000001ED39B4A398 STYLE="text-align: left;" (editable)
S				RUBY	000001ED39B4A330 CLASS="CLASS11 CLASS13" (editable)
	DIV	000001ED39B45140 (editable)
		RUBY	000001ED39B451F8 CLASS="CLASS11 CLASS13" (editable)
			RTC	000001ED39B45B30 (editable)
E base				DIV	000001ED39B4A8F8 STYLE="text-align: left;" (editable)
				#text	000001ED39B45B98 "\n"
				DIV	000001ED39B49D68 (editable)
					RUBY	000001ED39B49D00 CLASS="CLASS11 CLASS13" (editable)
						RT	000001ED39B49C98 (editable)
							#text	000001ED39B49C48 ""
			#text	000001ED39B45BE8 "\n"

extent = OBJECT@0
Stack trace:
comparePositions<blink::FlatTreeTraversal>(blink::Node * containerA, int offsetA, blink::Node * containerB, int offsetB, bool * disconnected) Line 91
comparePositionsInFlatTree(blink::Node * containerA, int offsetA, blink::Node * containerB, int offsetB, bool * disconnected) Line 190
comparePositions(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & positionA, const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & positionB) Line 303
PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::compareTo(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & other) Line 309
SelectionAdjuster::adjustSelectionInFlatTree(blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > * selectionInFlatTree, const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & selection) Line 174
SelectionEditor::setVisibleSelection(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options) Line 96
FrameSelection::setSelectionAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options, blink::CursorAlignOnScroll align, blink::TextGranularity granularity) Line 329
FrameSelection::setSelection(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options, blink::CursorAlignOnScroll align, blink::TextGranularity granularity) Line 377
Editor::changeSelectionAfterCommand(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options) Line 1112
Editor::reappliedEditing(blink::EditCommandComposition * cmd) Line 752
EditCommandComposition::reapply() Line 140
UndoStack::redo() Line 117
Editor::redo() Line 1021
executeRedo(blink::LocalFrame & frame, blink::Event * __formal, blink::EditorCommandSource __formal, const WTF::String & __formal) Line 1023
Editor::Command::execute(const WTF::String & parameter, blink::Event * triggeringEvent) Line 1786
Document::execCommand(const WTF::String & commandName, bool __formal, const WTF::String & value, blink::ExceptionState & exceptionState) Line 4558
DocumentV8Internal::execCommandMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4134
DocumentV8Internal::execCommandMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4145
v8.dll!v8::internal::FunctionCallbackArguments::Call(void(*)(const v8::FunctionCallbackInfo<v8::Value> &) f) Line 17
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::`anonymous-namespace'::BuiltinArguments<1> args) Line 4370
v8.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::`anonymous-namespace'::BuiltinArguments<1> args, v8::internal::Isolate * isolate) Line 4387
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 4384

Comment 3 by ClusterFuzz, Jul 5 2016

ClusterFuzz has detected this issue as fixed in range 403457:403667.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5412726637068288

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::EditingAlgorithm<blink::FlatTreeTraversal>::editingIgnoresContent
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa
  blink::mostBackwardCaretPosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=370866:370888
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=403457:403667

Minimized Testcase (4.88 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94zUv307tQYAdX9f94Z2AtvisefMNp8YfH8klNH3G9B4JFEM3bJyPbCnZYg2qBli_-pnzzWyjjp2K12g2sLNO-sqiULwzjIsYNFEWlKlCRCGpVkh300VvWY0iUb8gCTZqc5Efr9heeCF7VeEtb0M37BHTVTNA?testcase_id=5412726637068288

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz, Jul 5 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
