Crash in blink::AXLayoutObject::accessibilityHitTest
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6328202889003008

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::AXLayoutObject::accessibilityHitTest
  blink::WebAXObject::hitTest
  test_runner::WebAXObjectProxy::ElementAtPoint

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=290818:290912

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97heSmDyA_F3pneY2_GGV-DH5KT-tz44511aSpfqs6NmUnBYzPGZkTtiRtuHNF3MCdPyrxjouvn4VCFicPf_L8hZkLOfbnVOWbChh-nN_4_qmXC7zkKuBodoUJVWEFKgYubW0TkzkIHPbYxD6mWvcytGJOXpA?testcase_id=6328202889003008

    <script src="../resources/js-test.js"></script>
    <option><style></style><script>
    description();
    var control = accessibilityController.focusedElement.elementAtPoint(100, 100);
    </script>

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 14 2016
That was a revert of someone else's CL because it was causing perf test bot failures while I was sheriffing. I am not really familiar with the code, and probably am not the correct person to look at this. I am adding the author of the original CL. People are working on trying to figure out why the original CL is causing problems in telemetry test runs already; so maybe this should be merged with that? At the very least I think it should be blocked on that CL, so doing so.
Jul 15 2016
tkent, kouhei, does anything in AXLayoutObject::accessibilityHitTest look interesting? Like maybe there's an option whose owner is now null? The repro has an option without select. (Would be good to bisect this to get a range.)
Jul 15 2016
> does anything in AXLayoutObject::accessibilityHitTest look interesting? y. will post a CL shortly.
Jul 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/662ce750c07b7497103d64041cd5a30a9ed90b5c

commit 662ce750c07b7497103d64041cd5a30a9ed90b5c
Author: kouhei <kouhei@chromium.org>
Date: Fri Jul 15 04:33:22 2016

    AX hittest shouldn't crash when <option> element doesn't have corresponding <select>

    BUG= 628335
    Review-Url: https://codereview.chromium.org/2149343002
    Cr-Commit-Position: refs/heads/master@{#405698}

[add] https://crrev.com/662ce750c07b7497103d64041cd5a30a9ed90b5c/third_party/WebKit/LayoutTests/accessibility/accessibility-hit-test-crash-expected.txt
[add] https://crrev.com/662ce750c07b7497103d64041cd5a30a9ed90b5c/third_party/WebKit/LayoutTests/accessibility/accessibility-hit-test-crash.html
[modify] https://crrev.com/662ce750c07b7497103d64041cd5a30a9ed90b5c/third_party/WebKit/Source/modules/accessibility/AXLayoutObject.cpp
Jul 15 2016
ClusterFuzz has detected this issue as fixed in range 405656:405727.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6328202889003008

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::AXLayoutObject::accessibilityHitTest
  blink::WebAXObject::hitTest
  test_runner::WebAXObjectProxy::ElementAtPoint

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=290818:290912
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=405656:405727

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97heSmDyA_F3pneY2_GGV-DH5KT-tz44511aSpfqs6NmUnBYzPGZkTtiRtuHNF3MCdPyrxjouvn4VCFicPf_L8hZkLOfbnVOWbChh-nN_4_qmXC7zkKuBodoUJVWEFKgYubW0TkzkIHPbYxD6mWvcytGJOXpA?testcase_id=6328202889003008

    <script src="../resources/js-test.js"></script>
    <option><style></style><script>
    description();
    var control = accessibilityController.focusedElement.elementAtPoint(100, 100);
    </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 15 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Jul 14 2016
Components: Blink>DOM
Owner: rnep...@chromium.org
Status: Assigned (was: Available)