
Issue 605067 link


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression




ASSERTION FAILED: caseMappedText.length() == bufferLength

Project Member Reported by ClusterFuzz, Apr 20 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5839244571967488

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: caseMappedText.length() == bufferLength
  blink::CaseMappingHarfBuzzBufferFiller::CaseMappingHarfBuzzBufferFiller
  blink::HarfBuzzShaper::shapeResult
  

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94sk0-tmMHu7MXK4l-Fmtqn0pAC0vucGqKW1YF-w18elCPi_xppzNtp6H0Y5jqBSOixPWni5ONI9b1UlTkHJKBrWbbHl-SbidIGZhuvER-hD1VD-rwH1wWJHCXD24MY-Cw1gTD7LtI1dRQKSOt5_ux2OWvM-Q
>&#xfb06;<style>
@keyframes cfpulse2 { 0% { opacity: 0.5458;  } 
 100% { opacity: 0.4468; quotes: "<>" "‹" "›";  } }
* { animation-name: cfpulse97;0.486000); font-variant: small-caps;


Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Apr 20 2016

Components: Blink>Fonts Tools>Test>FindIt>CorrectResult
Labels: -Type-Bug Te-Logged M-50 Type-Bug-Regression
Owner: drott@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: drott
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2f107292b13c9e63aaf7845d2676ee2ec88abe9b
Time: Wed Apr 13 05:27:04 2016
The CL last changed line 48 of file CaseMappingHarfBuzzBufferFiller.cpp, which is stack frame 0.

Author: drott
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/2f107292b13c9e63aaf7845d2676ee2ec88abe9b
Time: Wed Apr 13 05:27:04 2016
The CL last changed line 530 of file HarfBuzzShaper.cpp, which is stack frame 1.

Author: eae@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7b8e339fefbc70518f203cd0d59e6eaa876eae32
Time: Wed Jul 08 15:50:09 2015
The CL last changed line 82 of file CachingWordShapeIterator.h, which is stack frame 2.

Author: kojii
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dcc13470a445d27e0d1722799f8ab780be8c90a1
Time: Tue Mar 15 00:40:59 2016
The CL last changed line 95 of file CachingWordShapeIterator.h, which is stack frame 3.

Author: kojii
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f41398ad3df1c472237bfc07c9085d2d257bfd5e
Time: Mon Dec 21 15:47:55 2015
The CL last changed line 171 of file CachingWordShapeIterator.h, which is stack frame 4.

Author: kojii
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f41398ad3df1c472237bfc07c9085d2d257bfd5e
Time: Mon Dec 21 15:47:55 2015
The CL last changed line 103 of file CachingWordShapeIterator.h, which is stack frame 5.

Author: kojii@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a5a2a2b316e2dcd0b64371e88e96165c1b286bb4
Time: Tue Aug 11 16:39:01 2015
The CL last changed line 71 of file CachingWordShapeIterator.h, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Fonts

drott@: Could you please take a look at this and confirm whether the change from stack frame 0 is related to the above Suspected CLs by Findit.

Comment 2 by ClusterFuzz, Jun 3 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5999453127573504

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  caseMappedText.length() == bufferLength
  blink::CaseMappingHarfBuzzBufferFiller::CaseMappingHarfBuzzBufferFiller
  blink::HarfBuzzShaper::shapeResult
  

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95LEM_eia-LNcDDmNyXFSqxiOiACJYrdVfXUEsXZ24fllWql10P6CFxAfDpWY9wJAHyImkXAmtQSEc0S1ebiYpssrD3DhmLvHzQ4h0jukJ39ogQ-c7WzplIOG4A5OG8iLodv6BsBZYWl2F_RIvDKRmns4hPjw
 o&#x1f96;<style>
* { empty-cells: 54%; font-variant-caps: all-petite-caps;


Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: mummare...@chromium.org e...@chromium.org
Labels: findit-wrong
From findit tool:

Author: eae
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/08155c60a0a3c96467ff477b4039ed5447b0965b
Time: Mon May 02 10:48:26 2016
The CL last changed line 84 of file CachingWordShapeIterator.h, which is stack frame 2.

Comment 4 by drott@chromium.org, Jun 28 2016

Status: Started (was: Assigned)

Comment 5 by bugdroid1@chromium.org, Jun 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de2db20f1ddb41f0c8de88ab9d376cbf40769a0c

commit de2db20f1ddb41f0c8de88ab9d376cbf40769a0c
Author: drott <drott@chromium.org>
Date: Wed Jun 29 12:01:05 2016

Fix case mapping buffer length divergence for synthetic caps

And provide locale to case WTF::String's upper implementation, which is
based on ICU transliterators. This fix handles all cases of Unicode's
SpecialCasing.txt case mapping rules list where the base character is
extended to two or more characters after case mapping, except those
cases where context is required. The latter case is tracked in
crbug.com/623940 and depends on ICU streaming uppercase API support.

Fix by adding multiple characters after case mapping to the same
HarfBuzz cluster index, which is nicely compatible with our previous
approaches for shaping result extraction, text selection, etc.

BUG=589335, 605067
R=eae,behdad

Review-Url: https://codereview.chromium.org/2102113002
Cr-Commit-Position: refs/heads/master@{#402782}

[modify] https://crrev.com/de2db20f1ddb41f0c8de88ab9d376cbf40769a0c/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/de2db20f1ddb41f0c8de88ab9d376cbf40769a0c/third_party/WebKit/LayoutTests/fast/text/font-features/caps-casemapping.html
[modify] https://crrev.com/de2db20f1ddb41f0c8de88ab9d376cbf40769a0c/third_party/WebKit/Source/platform/fonts/shaping/CaseMappingHarfBuzzBufferFiller.cpp
[modify] https://crrev.com/de2db20f1ddb41f0c8de88ab9d376cbf40769a0c/third_party/WebKit/Source/platform/fonts/shaping/CaseMappingHarfBuzzBufferFiller.h
[modify] https://crrev.com/de2db20f1ddb41f0c8de88ab9d376cbf40769a0c/third_party/WebKit/Source/platform/fonts/shaping/HarfBuzzShaper.cpp

Comment 6 by drott@chromium.org, Jun 29 2016

Status: Fixed (was: Started)

Comment 7 by ClusterFuzz, Jun 29 2016

ClusterFuzz has detected this issue as fixed in range 402781:402790.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5839244571967488

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  caseMappedText.length() == bufferLength
  blink::CaseMappingHarfBuzzBufferFiller::CaseMappingHarfBuzzBufferFiller
  blink::HarfBuzzShaper::shapeResult
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=402781:402790

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96tYY-T_vTZIfzUDKEqnQAmFa1QEAKVXEr7WjmijT7HeNAvIIJGl64A10qJNrlCbINDBkbnI5egHK7nIiziXs4SgPCaLqw8-cfxn0ki-0XrXpQBbF1A16hpCpP3uffqPhfOqaJT78Y-OmxwDnsWVuxCWUwpyQ?testcase_id=5839244571967488
>&#xfb06;<style>
@keyframes cfpulse2 { 0% { opacity: 0.5458;  } 
 100% { opacity: 0.4468; quotes: "<>" "‹" "›";  } }
* { animation-name: cfpulse97;0.486000); font-variant: small-caps;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz, Jun 29 2016

ClusterFuzz has detected this issue as fixed in range 402781:402790.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5999453127573504

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  caseMappedText.length() == bufferLength
  blink::CaseMappingHarfBuzzBufferFiller::CaseMappingHarfBuzzBufferFiller
  blink::HarfBuzzShaper::shapeResult
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=402781:402790

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv940GgHrYc19HK3tQiuAJBR0HawyxN2yPaGPbhIqmpiGeMWRNPEXP5retyoQwq0RiHKyTVaMcSbWN1vECMhGnDLGsKIyHVLjvLpAj7OJMpPiTDDOVBTfc-m1bS-iPffZF0KvxYY2hZf4Zu4_rfQVzOS4B74vQA?testcase_id=5999453127573504
 o&#x1f96;<style>
* { empty-cells: 54%; font-variant-caps: all-petite-caps;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
