InsertHTML command with display:flex crashes
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4624105215361024
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::hasEditableStyle
  blink::Node::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=406399:406435
Minimized Testcase (9.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv948-ZSDcgLPHvhKQNY9uSUza81szdIzzj65Lw1sMtSySqSMF_kK7j73QgP-3m_wTFoT2BryIXn2inVBgEeDlrvQTtzG_Ejd3gAMSndU5pBDf1XaL4oo9NUutwIkMCbuGUyvw_epUMlfrW-lvBf5ypsNRMchfQ?testcase_id=4624105215361024
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 20 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5264724593999872
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::hasEditableStyle
  blink::Node::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=406435:406472
Minimized Testcase (0.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ItagkRnRd0CY3Yh4Jdas3e9-BFp2UAwrICHhDPKfMOpo9_2CBeW25tQnBfu1hpbNy5ZtgELYDyFv6hna8Haa25rbCJnp1o0fF25oktAY6HlXtdS_fRFPOUDMTWjUznXDVUJdUW27CRwslGP0ye3nbPYwIeA?testcase_id=5264724593999872
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 21 2016

Jul 21 2016

Lower to Pri-2, since real world usage of insertHTML command with display:flex is low.

DOM tree at nullptr reference: m_endingSelection.showTreeForThis()
BODY 000003C635B83290
DIV 000003C635B832F8 ID="test" (editable) (focused)
#text 000003C635B837C8 "\n x"
DIV 000003C635B83588 (editable)
#text 000003C635B835F0 "foo"
DIV 000003C635B836A8 (editable)
#text 000003C635B83710 "bar"
SE
#text 000003C635B83360 "x\n "
#text 000003C635B833B0 "\n"
SCRIPT 000003C635B83400
#text 000003C635B83478 "...script..."
<void>
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 24 2016
ClusterFuzz has detected this issue as fixed in range 434178:434216.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4624105215361024
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::hasEditableStyle
  blink::Node::hasEditableStyle
  blink::CompositeEditCommand::insertNodeBefore
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=406399:406435
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=434178:434216
Minimized Testcase (9.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv948-ZSDcgLPHvhKQNY9uSUza81szdIzzj65Lw1sMtSySqSMF_kK7j73QgP-3m_wTFoT2BryIXn2inVBgEeDlrvQTtzG_Ejd3gAMSndU5pBDf1XaL4oo9NUutwIkMCbuGUyvw_epUMlfrW-lvBf5ypsNRMchfQ?testcase_id=4624105215361024
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 24 2016
Changing the status to Fixed as per Comment# 6, as ClusterFuzz detected this issue to be fixed. Thanks.

Comment 1 by mummare...@chromium.org, Jul 20 2016
Labels: M-54 Te-Logged
Owner: yoichio@chromium.org
Status: Assigned (was: Untriaged)