Issue 627783

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Crash in blink::Node::updateDistribution

Reported by ClusterFuzz, Jul 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5174358700195840

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::updateDistribution
  blink::comparePositions
  blink::normalizeRange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=362082:362102

Minimized Testcase (2.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94WZFmIB4RztfiV7WsPjp6UjatxkeNvlWYu7EZtQok__IahiZ_Z8qdpx1XliWAy1P_0RyGP-8qrWqNU-8Fwr1vWU0OEqA9NE9rVFm-ctkPvDHoN77x9qlAsxHCP7jHqrHepKRmADQH-SDmTc5DaCRuoNVuV7A?testcase_id=5174358700195840

Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by ajha@chromium.org, Jul 13 2016

Cc: ajha@chromium.org
Components: Blink>Editing
Labels: findit-for-crash Te-Logged M-52
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Suspected CLs (the result is a list of CLs that change the crashed files):

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b1d4fb057bdf2189888d502c47ba901f5d5da247
Time: Mon Nov 30 07:09:32 2015
File Position.cpp is changed in this cl (and is part of stack frame #3, "blink::comparePositions")
Minimum distance from crash line to modified line: 5. (file: Position.cpp, crashed on: 299, modified: 294).

Suspected Project: chromium
Suspected Component: Blink>Editing

yosin@: Could you please take a look at this based on the above Findit result.

Comment 2 by yosin@chromium.org, Jul 15 2016

Status: Started (was: Assigned)
We should re-validate the selection stored in the undo stack at Editor::unappliedEditing().
WIP patch: http://crrev.com/2153043002

Comment 3 by yosin@chromium.org, Jul 20 2016

DOM tree at assertion:

newSelection.showTreeForThis()
BODY	0000013DC8CC33A8 (editable) (focused)
	OPTION	0000013DC8CC4F18 (editable)
		#shadow-root	0000013DC8CC4F90
		#text	0000013DC8CC5060 "\n"
SE		OBJECT	0000013DC8CC3410 (editable)
SE			#shadow-root	0000013DC8CC3580
SE				CONTENT	0000013DC8CC3650
			#text	0000013DC8CC3708 "\n"
			KBDNL"	0000013DC8CC3758 (editable)
				#text	0000013DC8CC37C0 "\n"
				ABBR	0000013DC8CC3810 (editable)
					#text	0000013DC8CC3878 "\n"
					SAMP	0000013DC8CC38C8 (editable)
						#text	0000013DC8CC3930 "\n"
						INS	0000013DC8CC3980 (editable)
							#text	0000013DC8CC39E8 "\n"
							FORM	0000013DC8CC3A38 (editable)
								#text	0000013DC8CC3B00 "\n"
								PRE	0000013DC8CC3B50 (editable)
									BDO	0000013DC8CC3BB8 (editable)
										#text	0000013DC8CC3C20 "\n"
										svg	0000013DC8CC3C70 (editable)
											#text	0000013DC8CC3DC8 "\n"
											buttonnl"	0000013DC8CC3E18 (editable)
												#text	0000013DC8CC3EC8 "\n"
												input	0000013DC8CC3F18 (editable)
													#text	0000013DC8CC3FC8 "\n"
													svg	0000013DC8CC4018 (editable)
														#text	0000013DC8CC4170 "\n"
														foreignObject	0000013DC8CC41C0 (editable)
															#text	0000013DC8CC42C0 "\n"
															DIV	0000013DC8CC4310 (editable)
																#text	0000013DC8CC4378 "\n"
																DL	0000013DC8CC43C8 (editable)
																	#text	0000013DC8CC4430 "\n"
																	H1	0000013DC8CC4480 (editable)
																		#text	0000013DC8CC44E8 "\n"
																		TABLE	0000013DC8CC4538 (editable)
																			#text	0000013DC8CC4620 "\n"
																			CAPTION	0000013DC8CC45B8 (editable)
																				#text	0000013DC8CC4670 "\n"
																				TEXTAREA	0000013DC8CC46C0 (editable)
																					#shadow-root	0000013DC8CC47A8
																						DIV	0000013DC8CC4878 ID="inner-editor"
																				#text	0000013DC8CC48E0 "\n"
																				SELECT	0000013DC8CC4930 (editable)
																					#shadow-root	0000013DC8CC4A90
																						CONTENT	0000013DC8CC4B60
																					#text	0000013DC8CC4C18 "\n"
																					OPTGROUP	0000013DC8CC4C68 (editable)
																						#shadow-root	0000013DC8CC4CD8
																							DIV	0000013DC8CC4DA8 ID="optgroup-label" STYLE="padding: 0px 2px 1px; min-height: 1.2em;"
																							CONTENT	0000013DC8CC4E10
																						#text	0000013DC8CC4EC8 "\n"
																						OPTION	0000013DC8CC50B0 CLASS="CLASS3" (editable)
																							#shadow-root	0000013DC8CC5128
<void>

Comment 4 by yosin@chromium.org, Jul 20 2016

Stack at DCHECK:

blink_core.dll!blink::comparePositions<blink::FlatTreeTraversal>(blink::Node * containerA, int offsetA, blink::Node * containerB, int offsetB, bool * disconnected) Line 113
blink_core.dll!blink::comparePositionsInFlatTree(blink::Node * containerA, int offsetA, blink::Node * containerB, int offsetB, bool * disconnected) Line 212
blink_core.dll!blink::comparePositions(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & positionA, const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & positionB) Line 307
blink_core.dll!blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::compareTo(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & other) Line 313
blink_core.dll!blink::SelectionAdjuster::adjustSelectionInFlatTree(blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > * selectionInFlatTree, const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & selection) Line 174
blink_core.dll!blink::SelectionEditor::setVisibleSelection(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options) Line 106
blink_core.dll!blink::FrameSelection::setSelectionAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options, blink::CursorAlignOnScroll align, blink::TextGranularity granularity) Line 323
blink_core.dll!blink::FrameSelection::setSelection(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options, blink::CursorAlignOnScroll align, blink::TextGranularity granularity) Line 389
>	blink_core.dll!blink::Editor::changeSelectionAfterCommand(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options) Line 1182
blink_core.dll!blink::Editor::unappliedEditing(blink::EditCommandComposition * cmd) Line 805
blink_core.dll!blink::EditCommandComposition::unapply() Line 122
blink_core.dll!blink::UndoStack::undo() Line 83
blink_core.dll!blink::Editor::undo() Line 1081
blink_core.dll!blink::executeUndo(blink::LocalFrame & frame, blink::Event * __formal, blink::EditorCommandSource __formal, const WTF::String & __formal) Line 1258
blink_core.dll!blink::Editor::Command::execute(const WTF::String & parameter, blink::Event * triggeringEvent) Line 1827
blink_core.dll!blink::Document::execCommand(const WTF::String & commandName, bool __formal, const WTF::String & value, blink::ExceptionState & exceptionState) Line 4498
blink_core.dll!blink::DocumentV8Internal::execCommandMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4162
blink_core.dll!blink::DocumentV8Internal::execCommandMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4174
v8.dll!v8::internal::FunctionCallbackArguments::Call(void(*)(const v8::FunctionCallbackInfo<v8::Value> &) f) Line 20
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::HeapObject> new_target, v8::internal::Handle<v8::internal::FunctionTemplateInfo> fun_data, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::BuiltinArguments args) Line 4592
v8.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments args, v8::internal::Isolate * isolate) Line 4619
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 4607

Comment 5 by bugdroid1@chromium.org, Jul 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/591157b28b2103a21248e0467a387ad789a37a93

commit 591157b28b2103a21248e0467a387ad789a37a93
Author: yosin <yosin@chromium.org>
Date: Thu Jul 21 11:45:26 2016

Make "Undo" command to restore selection after validating with the latest Layout tree

This patch makes |VisibleSelection::validatePositionsIfNeeded()| validate the
selection if the positions of the selection are connected, to ensure the selection is
appropriate for setting to |FrameSelection|.

Before this patch, |validatePositionsIfNeeded()| attempted to validate the selection
if the positions of the selection were connected and one of the positions had an
out-of-bound offset. This caused us to attempt to set the selection with a dirty layout tree.

This patch also updates the expectation of "delete-ligature-003.html" for Mac. All platforms
generate the same result after this patch.

BUG=627783
TEST=run_webkit_unit_tests --gtest_filter=VisibleSelectionTest.validatePositionsIfNeededWithShadowHost
TEST=LayoutTests/editing/deleting/delete-ligature-003.html

Review-Url: https://codereview.chromium.org/2153043002
Cr-Commit-Position: refs/heads/master@{#406819}

[modify] https://crrev.com/591157b28b2103a21248e0467a387ad789a37a93/third_party/WebKit/LayoutTests/editing/deleting/delete-ligature-003.html
[modify] https://crrev.com/591157b28b2103a21248e0467a387ad789a37a93/third_party/WebKit/Source/core/editing/VisibleSelection.cpp
[modify] https://crrev.com/591157b28b2103a21248e0467a387ad789a37a93/third_party/WebKit/Source/core/editing/VisibleSelectionTest.cpp
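As an added illustration (not Blink's code and not the patch above), a toy C++ model of the check the commit describes: a selection recorded in an undo entry is re-validated against the current tree before it is compared or set. `Node`, `Position`, `Selection` and `validateSelection` are simplified stand-ins for the Blink types named in the stack, and the two scenario functions are constructed here.

```cpp
// Added illustration, not Blink's code: a toy model of the stale-selection
// problem behind this bug. An undo entry stores (container node, offset);
// after the DOM changes the node may be detached or the offset out of range.
#include <algorithm>
#include <initializer_list>
#include <vector>

struct Node {
    std::vector<Node*> children;
    bool connected = true;  // cleared when the node is removed from the tree
};
struct Position {
    Node* container = nullptr;
    int offset = 0;
};
struct Selection {
    Position base, extent;
    bool isNone() const { return !base.container; }
};
// Hypothetical counterpart of validatePositionsIfNeeded(): reject the whole
// selection if either container is disconnected, otherwise clamp each offset
// into [0, childCount] so later comparisons never index past the node.
Selection validateSelection(Selection sel) {
    for (Position* p : {&sel.base, &sel.extent}) {
        if (!p->container || !p->container->connected)
            return Selection{};  // collapses to a "none" selection
        int maxOffset = static_cast<int>(p->container->children.size());
        p->offset = std::max(0, std::min(p->offset, maxOffset));
    }
    return sel;
}

// Scenario 1: the node the undo entry points at was removed before "undo".
bool undoRejectsDetachedSelection() {
    Node body, child;
    body.children.push_back(&child);
    Selection stored{{&child, 0}, {&child, 0}};
    body.children.clear();  // DOM mutation after the entry was recorded
    child.connected = false;
    return validateSelection(stored).isNone();
}

// Scenario 2: container survived but lost children; offset must be clamped.
int undoClampsStaleOffset() {
    Node body, a, b, c;
    body.children = {&a, &b, &c};
    Selection stored{{&body, 3}, {&body, 3}};
    body.children = {&a};  // two children removed afterwards
    return validateSelection(stored).extent.offset;
}
```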

Comment 6 by yosin@chromium.org, Jul 22 2016

Status: Fixed (was: Started)

Comment 7 by ClusterFuzz, Jul 22 2016

ClusterFuzz has detected this issue as fixed in range 406809:406906.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5174358700195840

Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::updateDistribution
  blink::comparePositions
  blink::normalizeRange
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=362082:362102
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=406809:406906

Minimized Testcase (2.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94WZFmIB4RztfiV7WsPjp6UjatxkeNvlWYu7EZtQok__IahiZ_Z8qdpx1XliWAy1P_0RyGP-8qrWqNU-8Fwr1vWU0OEqA9NE9rVFm-ctkPvDHoN77x9qlAsxHCP7jHqrHepKRmADQH-SDmTc5DaCRuoNVuV7A?testcase_id=5174358700195840

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot