
Issue 639801


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 640112




Crash in blink::SpellCheckRequester::didCheckSucceed

Project Member Reported by ClusterFuzz, Aug 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6333805529137152

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000011
Crash State:
  blink::SpellCheckRequester::didCheckSucceed
  blink::WebTextCheckingCompletionImpl::didFinishCheckingText
  SpellCheck::PerformSpellCheck
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=411957:412185

Minimized Testcase (1.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Tft9O78awzQv8Gtb5PqCyD30fivy0PBqzVn-gEa-C4NGkDizxSTFmqa732N66IFErLIJ5-l0MgT0TzsdU4pyO4FQUbRhtzQfmfK24jMNIIfTZbRGJD4yLoQqzYAcIFFUYafvhYRMmoGHl1ro3f-k85RF5_w?testcase_id=6333805529137152

Issue manually filed by: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>CorrectResult Blink>DOM UI>Browser>Spellcheck
Labels: M-54 Te-Logged
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs:
==============
No CL in the regression range changes the crashed files. The result is the blame information.

Author: mjs@apple.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/554c7634cddfec7925865257d362fa718c34ac3a
Time: Thu May 06 22:41:15 2010
The CL last changed line 718 of file Node.h, which is stack frame 0.

Author: hayato
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/45582d25b93f796b89b4207e6a3af66d734ed952
Time: Fri Jul 15 03:54:38 2016
The CL last changed line 450 of file Node.h, which is stack frame 1.

Author: xiaochengh
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/922c87eb33d709ba9fb9332ecde0a1bcf72d86bf
Time: Wed Aug 17 07:33:14 2016
The CL last changed line 107 of file SpellCheckRequester.cpp, which is stack frame 2.

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/0473d027e44c978acfa324890ccfd7f7a53ad7a9
Time: Mon Nov 30 07:42:18 2015
The CL last changed line 281 of file SpellCheckRequester.cpp, which is stack frame 3.

Author: commit-queue@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b37de73c7644c4edc8292b0cd230cbb22b23e81f
Time: Fri Jun 01 04:00:31 2012
The CL last changed line 51 of file WebTextCheckingCompletionImpl.cpp, which is stack frame 4.

Author: groby@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/4fec7b99e581baff2bebc6ff9897e5bded3d78c9
Time: Thu Nov 01 19:10:37 2012
The CL last changed line 475 of file spellcheck.cc, which is stack frame 5.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/77d41139d261342a429d2775c59d8e8a386d4c81
Time: Wed Mar 09 09:47:03 2016
The CL last changed line 388 of file callback.h, which is stack frame 6.
===================
Suspected Project: chromium
Suspected Component: Blink>DOM

This is impacting the Head.
From the above suspect list, find-it suspects the changes made to the file SpellCheckRequester.cpp, which is stack frame 2.
Suspect : https://chromium.googlesource.com/chromium/src/+/922c87eb33d709ba9fb9332ecde0a1bcf72d86bf
xiaochengh@ : Could you please take a look into this if it's related to your change.
Components: -Blink>DOM Blink>Editing
The culprit is the static function |expandToParagraphRange()| in TextCheckingParagraph.cpp, which tries to return an inconsistent EphemeralRange with start position beyond end position.

DOM tree when this happens:

BODY	0x3fb81cfc37b8 (editable) (focused)
	DIV	0x3fb81cfc4a88 STYLE="text-align: center;" (editable)
	OBJECT	0x3fb81cfc3858 ID="object" (editable)
		#shadow-root	0x3fb81cfc3a30
			CONTENT	0x3fb81cfc3b90
		SELECT	0x3fb81cfc3c80 ID="select1" CLASS="CLASS4"
			#shadow-root	0x3fb81cfc3e60
				CONTENT	0x3fb81cfc3fc0
		BUTTON	0x3fb81cfc40b0 ID="button1" (editable)
			H2	0x3fb81cfc41a8 (editable)
				SMALL	0x3fb81cfc4248 CLASS="CLASS4"
				#text	0x3fb81cfc42e8 "AxBxC a"
		BUTTON	0x3fb81cfc4358 ID="button2" (editable)
			SELECT	0x3fb81cfc4450 ID="select2" (editable)
				#shadow-root	0x3fb81cfc4630
					CONTENT	0x3fb81cfc4790

When the input range is [(<object>, 0), (#text "AxBxC a", 0)], the function tries to return [(<select id="select2">, 0), (#text "AxBxC a", 7)], hitting DCHECK in EphemeralRange's constructor.
Blockedon: 640112
Project Member

Comment 4 by bugdroid1@chromium.org, Aug 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8d1974aecc77d407a9ee89d2434f0079b4cc1e40

commit 8d1974aecc77d407a9ee89d2434f0079b4cc1e40
Author: xiaochengh <xiaochengh@chromium.org>
Date: Wed Aug 24 02:15:54 2016

Force expandToParagraphBoundary to return a valid EphemeralRange

This is a first-aid patch that makes expandToParagraphBoundary()
compare the paragraph boundaries found with the input range before
returning, so that the returned range is always a super-range of
the input range, and hence, a valid EphemeralRange.

This patch does not fix the root cause of the bugs, as we:
- do not expect startOfParagraph()'s return value to be beyond that of
endOfParagraph()'s, and
- are planning on getting rid of TextCheckingParagraph, the only client
of expandToParagraphBoundary(), ultimately

BUG=639521,639801,640022,640030,640112
TEST=n/a; this is a first-aid patch

Review-Url: https://codereview.chromium.org/2271603002
Cr-Commit-Position: refs/heads/master@{#413942}

[modify] https://crrev.com/8d1974aecc77d407a9ee89d2434f0079b4cc1e40/third_party/WebKit/Source/core/editing/spellcheck/TextCheckingParagraph.cpp
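The following is an added model, not Blink's code, of the inverted range described in the culprit comment above and of the guard the commit message describes. It assumes DOM positions flattened to integer document offsets (the report's (node, offset) pairs are ordered the same way), and `expandUnchecked` / `expandToParagraphBoundary` are hypothetical stand-ins for the pre- and post-patch behaviour.

```cpp
#include <stdexcept>
// Constructed model (not Blink code): a DOM position is flattened to one
// integer document offset; Blink's Position is (node, offset) but the
// ordering invariant that the bug violates is the same.
struct Position { int offset; };
// Mirrors the DCHECK in EphemeralRange's constructor: start must not be
// after end. The failed DCHECK is modeled as an exception.
struct EphemeralRange {
  Position start, end;
  EphemeralRange(Position s, Position e) : start(s), end(e) {
    if (s.offset > e.offset)
      throw std::logic_error("EphemeralRange: start is after end");
  }
};

// Pre-patch shape of expandToParagraphBoundary(): trusts the paragraph
// boundaries handed to it (stand-ins for startOfParagraph()/endOfParagraph()).
EphemeralRange expandUnchecked(const EphemeralRange&, Position paraStart,
                               Position paraEnd) {
  return EphemeralRange(paraStart, paraEnd);
}

// Post-patch shape: compare boundaries with the input range so the result is
// always a super-range of the input, and therefore a valid EphemeralRange.
EphemeralRange expandToParagraphBoundary(const EphemeralRange& in,
                                         Position paraStart, Position paraEnd) {
  Position s = paraStart.offset < in.start.offset ? paraStart : in.start;
  Position e = paraEnd.offset > in.end.offset ? paraEnd : in.end;
  return EphemeralRange(s, e);
}
// Constructed offsets echoing the report's DOM: <object> precedes the
// #text "AxBxC a", and <select id="select2"> follows it in document order.
const Position kObjectStart{1}, kTextStart{5}, kTextEnd{12}, kSelect2{14};
// Returns true if the unchecked version hits the (modeled) DCHECK for the
// report's input [(<object>,0), (#text,0)] with boundaries [select2, text+7].
bool uncheckedTripsDcheck() {
  try {
    expandUnchecked(EphemeralRange(kObjectStart, kTextStart), kSelect2, kTextEnd);
    return false;
  } catch (const std::logic_error&) {
    return true;
  }
}
// Same input through the patched version: no DCHECK, result covers the input.
EphemeralRange patchedResult() {
  return expandToParagraphBoundary(EphemeralRange(kObjectStart, kTextStart),
                                   kSelect2, kTextEnd);
}
```

The patched result still carries the questionable paragraph boundaries, which is why the commit message calls it first aid rather than a root-cause fix.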

Project Member

Comment 5 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 413414:413421.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6333805529137152

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000011
Crash State:
  blink::SpellCheckRequester::didCheckSucceed
  blink::WebTextCheckingCompletionImpl::didFinishCheckingText
  SpellCheck::PerformSpellCheck
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=411957:412185
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=413414:413421

Minimized Testcase (1.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Tft9O78awzQv8Gtb5PqCyD30fivy0PBqzVn-gEa-C4NGkDizxSTFmqa732N66IFErLIJ5-l0MgT0TzsdU4pyO4FQUbRhtzQfmfK24jMNIIfTZbRGJD4yLoQqzYAcIFFUYafvhYRMmoGHl1ro3f-k85RF5_w?testcase_id=6333805529137152

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Components: -UI>Browser>Spellcheck UI>Browser>Language>Spellcheck
