Suspected CLs	The result is a list of CLs that change the crashed files.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/1d5b6507ac2cbfdbb733cbefa1dbbce091b11a06
Time: Wed May 11 17:13:12 2016
Lines 2018 of file HTMLSelectElement.cpp which potentially caused crash are changed in this cl (frame #1, "blink::HTMLSelectElement::PopupUpdater::call").
Minimum distance from crash line to modified line: 0. (file: HTMLSelectElement.cpp, crashed on: 2015, modified: 2015).

Suspected Project: chromium
Suspected Component: Blink>HTML



From the above suspected CL:
---------------------------
Assigning it to tkent@: Hey, would you mind checking the above issue and see if it's related to your change.

Thank you!

Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6d47f4e6911287f41bbad2f1456b19bc59b8d6fe

commit 6d47f4e6911287f41bbad2f1456b19bc59b8d6fe
Author: tkent <tkent@chromium.org>
Date: Tue Jun 07 08:07:24 2016

SELECT popup: Fix a crash by DOM mutation during opening popup.

A mutation callback can be called after MutationObserver is disconnected
because MutationRecords are queued.

BUG= 617578 

Review-Url: https://codereview.chromium.org/2040123002
Cr-Commit-Position: refs/heads/master@{#398244}

[add] https://crrev.com/6d47f4e6911287f41bbad2f1456b19bc59b8d6fe/third_party/WebKit/LayoutTests/fast/forms/select/menulist-popup-mutation-crash.html
[modify] https://crrev.com/6d47f4e6911287f41bbad2f1456b19bc59b8d6fe/third_party/WebKit/Source/core/html/HTMLSelectElement.cpp

ClusterFuzz has detected this issue as fixed in range 398017:398351.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5287873524006912

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::HTMLSelectElement::PopupUpdater::call
  blink::MutationObserver::deliver
  blink::MutationObserver::deliverMutations
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=392933:393031
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=398017:398351

Minimized Testcase (1.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tioRcPk5j8uky8NN1gvoDV-F4WSSzFp3dHLrLx3NuKaWnItTImzDGineSva_3ikPLSyCxhZi04njsq9usJZN2cR_Xnq9BFQ25KO003lGWtKZOX1Pp98Dtc3b9p7B9dmeECbzl6ojU4SqPTwATOmnlBTRnPw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Your change meets the bar and is auto-approved for M52 (branch: 2743)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4161f82d4833bdb4a6f6238ea5eca60137f00b9a

commit 4161f82d4833bdb4a6f6238ea5eca60137f00b9a
Author: Kent Tamura <tkent@chromium.org>
Date: Wed Jun 08 23:59:07 2016

Merge "SELECT popup: Fix a crash by DOM mutation during opening popup." to M52 branch.

A mutation callback can be called after MutationObserver is disconnected
because MutationRecords are queued.

BUG= 617578 

Review-Url: https://codereview.chromium.org/2040123002
Cr-Commit-Position: refs/heads/master@{#398244}
(cherry picked from commit 6d47f4e6911287f41bbad2f1456b19bc59b8d6fe)

Review URL: https://codereview.chromium.org/2050923002 .

Cr-Commit-Position: refs/branch-heads/2743@{#288}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[add] https://crrev.com/4161f82d4833bdb4a6f6238ea5eca60137f00b9a/third_party/WebKit/LayoutTests/fast/forms/select/menulist-popup-mutation-crash.html
[modify] https://crrev.com/4161f82d4833bdb4a6f6238ea5eca60137f00b9a/third_party/WebKit/Source/core/html/HTMLSelectElement.cpp

ClusterFuzz has detected this issue as fixed in range 398017:398351.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5287873524006912

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::HTMLSelectElement::PopupUpdater::call
  blink::MutationObserver::deliver
  blink::MutationObserver::deliverMutations
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=392933:393031
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=398017:398351

Minimized Testcase (1.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tioRcPk5j8uky8NN1gvoDV-F4WSSzFp3dHLrLx3NuKaWnItTImzDGineSva_3ikPLSyCxhZi04njsq9usJZN2cR_Xnq9BFQ25KO003lGWtKZOX1Pp98Dtc3b9p7B9dmeECbzl6ojU4SqPTwATOmnlBTRnPw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 398017:398351.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5287873524006912

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::HTMLSelectElement::PopupUpdater::call
  blink::MutationObserver::deliver
  blink::MutationObserver::deliverMutations
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=392933:393031
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=398017:398351

Minimized Testcase (1.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tioRcPk5j8uky8NN1gvoDV-F4WSSzFp3dHLrLx3NuKaWnItTImzDGineSva_3ikPLSyCxhZi04njsq9usJZN2cR_Xnq9BFQ25KO003lGWtKZOX1Pp98Dtc3b9p7B9dmeECbzl6ojU4SqPTwATOmnlBTRnPw

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4161f82d4833bdb4a6f6238ea5eca60137f00b9a

commit 4161f82d4833bdb4a6f6238ea5eca60137f00b9a
Author: Kent Tamura <tkent@chromium.org>
Date: Wed Jun 08 23:59:07 2016

Merge "SELECT popup: Fix a crash by DOM mutation during opening popup." to M52 branch.

A mutation callback can be called after MutationObserver is disconnected
because MutationRecords are queued.

BUG= 617578 

Review-Url: https://codereview.chromium.org/2040123002
Cr-Commit-Position: refs/heads/master@{#398244}
(cherry picked from commit 6d47f4e6911287f41bbad2f1456b19bc59b8d6fe)

Review URL: https://codereview.chromium.org/2050923002 .

Cr-Commit-Position: refs/branch-heads/2743@{#288}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[add] https://crrev.com/4161f82d4833bdb4a6f6238ea5eca60137f00b9a/third_party/WebKit/LayoutTests/fast/forms/select/menulist-popup-mutation-crash.html
[modify] https://crrev.com/4161f82d4833bdb4a6f6238ea5eca60137f00b9a/third_party/WebKit/Source/core/html/HTMLSelectElement.cpp

 Issue 624613  has been merged into this issue.

Seems like this CF failure (https://cluster-fuzz.appspot.com/testcase?key=6488266237018112) is related to chrome#51.0.2704.106, so we may need a merge to M51 branch: 2704?

Thank you!

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot