Suspected CL could be
https://chromium.googlesource.com/chromium/src//+/7cd91bcaaf5ef14b3e76465b464902cd864eaea0

Suspected CL could be

Last updated by  joone.hur@intel.com weeks ago , please have a look and reassign if needed.

Thank you.

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5914537392078848

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000058
Crash State:
  blink::ReplaceSelectionCommand::doApply
  blink::CompositeEditCommand::apply
  blink::executeInsertHTML
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=403423:403429

Minimized Testcase (5.54 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96p8Xkt-uvbCVCgCP4SvQttsoSdVaBLd4bRgevY3MNyZXZ1TVt14doemuc8DsDowGS49hsw_rgKEbpBGzmD__raz2W_YX4ZEWKAHceBnMvZKS2yl4xJb1mtVD1LGIpOHCNrBp6rOBcYYdLKY-GLAMd4h6VXog?testcase_id=5914537392078848

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Still re-producing... :-<

Lower to Pri-2 since real world usage of "InsertHTML" command is low.

nullptr reference of |node->computedStyle()| in handleStyleSpansBeforeInsertion(),
where |node| is BR.

DOM tree at nullptr reference:

insertionPos.showTreeForThis()
BODY	000001A5363E3360 (editable) (focused)
	P	000001A5363E3920 ID="description" (editable)
		SPAN	000001A5363E34E0 (editable)
			P	000001A5363E35A0 (editable)
				A	000001A5363E3D00 (editable)
*					BR	000001A5363E3C98 (editable)
	DIV	000001A5363E3988 ID="console" (editable)
	#text	000001A5363E33C8 "\n        "
	SCRIPT	000001A5363E3418 (editable)
		#text	000001A5363E3490 "\nfunction fuzz() {\ndocument.designMode = 'on';\n  document.execCommand("selectAll");\n  document.execCommand("CreateLink",0,"foo");\n  document.execCommand("inserthtml",false,"<span id='green' style='color:green'>green</span>");\n}\n setTimeout(fuzz); "

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5193744639066112

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000034
Crash State:
  blink::ReplaceSelectionCommand::doApply
  blink::CompositeEditCommand::apply
  blink::executeInsertHTML
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=403423:403432

Minimized Testcase (5.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HhtRRZB9u3LU-1qhOeCRVxTTt8sPUGXctAW80WkWT2MejFtH9Thiti_1IIlZ9C2eSGeH5nlnWJQ7q9LW3Fzlljbx17WG1ifYkyNypnJMCcahew3zD9A6xaWFLQXnuNGt69xLkBKmuDSgaFfrwwvSssW3M3w?testcase_id=5193744639066112

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

ClusterFuzz has detected this issue as fixed in range 405727:405740.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5193744639066112

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000034
Crash State:
  blink::ReplaceSelectionCommand::doApply
  blink::CompositeEditCommand::apply
  blink::executeInsertHTML
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=403423:403432
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=405727:405740

Minimized Testcase (5.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HhtRRZB9u3LU-1qhOeCRVxTTt8sPUGXctAW80WkWT2MejFtH9Thiti_1IIlZ9C2eSGeH5nlnWJQ7q9LW3Fzlljbx17WG1ifYkyNypnJMCcahew3zD9A6xaWFLQXnuNGt69xLkBKmuDSgaFfrwwvSssW3M3w?testcase_id=5193744639066112

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot