No CL in the regression range changes the crashed files. The result is the blame information.

Author: keishi
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/76289106923ca18136d25ada17bba767cc22a275
Time: Mon Apr 11 09:22:48 2016
The CL last changed line 1199 of file Range.cpp, which is stack frame 3.

Suspected Project: chromium
Suspected Component: Blink>DOM
================================
Above mentioned is the CL's list from findit, Suspecting the file of "Range.cpp" from the frame #3 .

keishi@: Could you please look into this issue if it is related to your change, else please help us in assigning it to the right owner.

Thanks!

keishi's mechanical change may have caused this if he made a typo somewhere, but I doubt it. This is much more likely to have been caused by r397993. (Ping durga.behera, I'm curious why you did not think this changed "crashed files"?)

This hits a debug assertion:

[136587:136587:0706/105240:1882803280725:INFO:CONSOLE(0)] "SVG's SMIL animations (<animate>, <set>, etc.) are deprecated and will be removed. Please use CSS animations or Web animations instead.", source:  (0)
[1:1:0706/105240:1882803365175:FATAL:Range.h(72)] Check failed: false. DOMExeption should not be thrown.
#0 0x7f5e6e92bbee base::debug::StackTrace::StackTrace()
#1 0x7f5e6e99316f logging::LogMessage::~LogMessage()
#2 0x7f5e657afddf blink::NoExceptionStateAssertionChecker::throwDOMException()
#3 0x7f5e65fd5c75 blink::Range::checkNodeWOffset()
#4 0x7f5e65fd5fdd blink::Range::setEnd()
#5 0x7f5e65fdeb58 blink::Range::Range()
#6 0x7f5e65fd4caa blink::Range::create()
#7 0x7f5e65fda81d blink::Range::cloneRange()
#8 0x7f5e6664a79c blink::SelectionEditor::firstRange()
#9 0x7f5e6662ae21 blink::FrameSelection::firstRange()
#10 0x7f5e665fa778 blink::DOMSelection::getRangeAt()
#11 0x7f5e6594a343 blink::DOMSelectionV8Internal::getRangeAtMethod()
#12 0x7f5e65949ac8 blink::DOMSelectionV8Internal::getRangeAtMethodCallback()
#13 0x7f5e6a7391de v8::internal::FunctionCallbackArguments::Call()
#14 0x7f5e6a7c1a6b v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#15 0x7f5e6a7f7e6b v8::internal::Builtin_Impl_HandleApiCall()
#16 0x7f5e6a7ce009 v8::internal::Builtin_HandleApiCall()
#17 0x383f2b806147 <unknown>

The exception comes from there being no node at offset 3 in BODY; there are only two (a text node \n and a DIV.) So the range being cloned is invalid.

I have attached a hand-minimized repro. More minimization may be possible.

Deleted: fuzz.html 930 bytes

fuzz.html 930 bytes View Download

This is the bug I was looking at a few weeks ago. Mind if I punt this to you? I think you have a clearer idea what needs fixing here.

ClusterFuzz has detected this issue as fixed in range 413090:413122.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6034115761799168

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::Range::checkExtractPrecondition
  blink::Range::surroundContents
  blink::RangeV8Internal::surroundContentsMethodCallback
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=397991:398006
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=413090:413122

Minimized Testcase (3.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_bKbwhCJ8qpyAES8Hr1_MK2vPZomGyJc1I9IqrjlAXlHNREqEevEPRaMVrl3KJ8aPsUi-4ppH7H6SDqh7jF_r686wl3OEtihiRMPqHDi6K7iPZeKoWxUw4iLKQYQgaU9wU3GWy6dDNXj9IqhUiLU-S4h1FA?testcase_id=6034115761799168

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot