
Issue 616070


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression


Crash in blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets

Reported by ClusterFuzz, May 31 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5833957778391040

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000508
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::ra
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (1.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97_rnM2w-rtV3y4gdcP4kvCkwHaTulX45VL1yae410Kp_uK8jHUm0vsar2Kz-kVPwHQJAFq_23l2QYhxAMR7uTaPO7rrLG5B1OuBCjDdea5nWZdA-LyXBlaVXkIRHpOOnXAh617NV1PERP9JhOEN3MLuviYzA

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, May 31 2016

Cc: sigbjo...@opera.com r...@opera.com
Components: Blink>DOM
Labels: -Type-Bug Te-Logged M-51 Type-Bug-Regression
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: rune@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/192cf55fa442b0f947d52f7343a76565c4622273
Time: Wed Mar 04 19:57:51 2015
The CL last changed line 66 of file StyleEngine.h, which is stack frame 0.

Author: rune@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/192cf55fa442b0f947d52f7343a76565c4622273
Time: Wed Mar 04 19:57:51 2015
The CL last changed line 1983 of file Document.cpp, which is stack frame 1.

Author: nainar
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/52328753422fc25a3815bd58f6eaf8e70f6e27ff
Time: Thu May 19 03:04:00 2016
The CL last changed line 2009 of file Document.cpp, which is stack frame 2.

Author: nainar
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/52328753422fc25a3815bd58f6eaf8e70f6e27ff
Time: Thu May 19 03:04:00 2016
The CL last changed line 1099 of file TextIterator.cpp, which is stack frame 3.

Author: sigbjornf@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/9bc725c0c136c2749ba5caff77fa649908c10f5e
Time: Fri Sep 11 08:07:06 2015
The CL last changed line 220 of file TextCheckingHelper.cpp, which is stack frame 4.

Author: sigbjornf@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/0606d4d04b9ffe1a9d5e47a387e0fe5ea5f83376
Time: Thu Sep 10 13:06:12 2015
The CL last changed line 73 of file TextCheckingHelper.h, which is stack frame 5.

Author: morrita@google.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/334b167cb1f221f9e18ad5407bce00030fecdc47
Time: Fri Nov 12 09:24:11 2010
The CL last changed line 196 of file TextCheckingHelper.cpp, which is stack frame 6.

Suspected Project: chromium-blink
Suspected Component: Blink>DOM

Cc'ing Devs from the Find it result to have more inputs on this.

Comment 2 by r...@opera.com, May 31 2016

Cc: yosin@chromium.org
Components: -Blink>DOM Blink>Editing

Comment 3 by ClusterFuzz, Jun 9 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4767447295197184

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000038f
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::Internals::updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasks
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=398496:398502

Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mWlQsblmwKNNBCqKLebBn2jTFamXJ8npO0NZ8DHveIUCi4QHZsB1FVyPu6cjFvYdZ_G_GhqVyLKMYnzDEj0pDnZmZOS7y-zQHeAHyrAfyWxAglpHHiCixQX5qew9Cj8wtksx_kb2nQufVhCDQ6CXeCmpLIA

Additional requirements: Requires Gestures

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 4 by yosin@chromium.org, Jun 10 2016

Owner: yosin@chromium.org
Status: Started (was: Available)
In review: crrev.com/2059663002

Comment 5 by bugdroid1@chromium.org, Jun 10 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce

commit 874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce
Author: yosin <yosin@chromium.org>
Date: Fri Jun 10 10:38:44 2016

Make flat tree version RenderedPosition constructor to work on flat tree

This patch makes flat tree version of |RenderedPosition| constructor to work
on flat tree rather than DOM tree to calculate inline box position for
flat tree position correctly.

Before this patch, flat tree version of |RenderedPosition| constructor uses
|toPositionInDOMTree()|, but it doesn't work well for children of shadow
root and insertion point, e.g. CONTENT elements and SLOT elements.

In attached layout test, |RenderedPosition| constructor attempts to compute
for CONTENT element in DETAIL element.

BUG=616070, 618421
TEST=LayoutTests/editing/selection/select_all/select_all_details_crash.html

Review-Url: https://codereview.chromium.org/2059663002
Cr-Commit-Position: refs/heads/master@{#399150}

[add] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/LayoutTests/editing/selection/select_all/select_all_details_crash.html
[modify] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/Source/core/editing/RenderedPosition.cpp

Comment 6 by yosin@chromium.org, Jun 13 2016

Status: Fixed (was: Started)
Status: Assigned (was: Fixed)
Looks like the issue still persists and is impacting HEAD, as detected by ClusterFuzz.
yosin@: Could you please take a look at this?


Comment 8 by ClusterFuzz, Jun 14 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5572962707308544

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000387
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::ra
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=399164:399271

Minimized Testcase (2.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Hvc31x71uaHu18aXEs2M8O3P_FnXnZ_Y2IUL0ty7jZ4LivCQi3a0fEbq0LoFg3wxC3z4QuxZp5fV7pjr_CdmJLwI9DDBMKK4Gmw08LSDqZVGQeqOLR21xBeqUjTmeecn_12B344V0xBGTWOzaG-YNaWr31A

Filer: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 9 by bugdroid1@chromium.org, Jun 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce

Comment 10 by yosin@chromium.org, Jun 27 2016

Status: Fixed (was: Assigned)

Comment 11 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 413791:414128.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5833957778391040

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000508
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::ra
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=371187:371278
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=413791:414128

Minimized Testcase (1.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97cVr46d0jcJibrf5Q8SBxChn2NvhnIVLn30TdxlYq8jJ4vBIDRf7sH8l-49XqKgj8e8Ti1hP-UHCC7unHBRMnr0oHDt0_Jmo8iGDufRoEYuIq__zJxs9AuG-0lSpkXuEeMges8xlA42GLCw2Yb6V2npo6IIQ?testcase_id=5833957778391040

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
