Issue metadata
Bad-cast to blink::LayoutBox from blink::LayoutText; blink::LayoutBox::nextSiblingBox; blink::LayoutBlockFlow::layoutBlockChildren
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4853581708787712
Fuzzer: attekett_surku_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x0bb1c042c090
Crash State:
    Bad-cast to blink::LayoutBox from blink::LayoutText
    blink::LayoutBox::nextSiblingBox
    blink::LayoutBlockFlow::layoutBlockChildren
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=396810:396849

Minimized Testcase (0.75 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rj5FIBVpDWL42_68660q1hB4wfIyrpNdKlGYMycqji6Qvf2dmqTVpAiAdqnRB6P29M9iYahS3Po5WJgHIrui_KpD1A1u5vWljqHBbtq3fGG2BcfIY1VI304J7i-MWauMLH2IEN_lwQuQ-jGDeSKYWfrlaXA?testcase_id=4853581708787712

    <span id='c2'></span>
    <script>
    var callback;
    var fullscreenChanged = function(event) { callback() };
    document.addEventListener('webkitfullscreenchange', fullscreenChanged);
    var span = document.getElementById('c2');
    var div = span.parentNode;
    var spanEnteredFullScreen = function() {
      setTimeout(function () {
        span.appendChild(document.createElement('div'));
        window.layoutTestController ;
        document.webkitCancelFullScreen();
      }, 0);
    };
    callback = spanEnteredFullScreen;
    document.addEventListener('keydown', function () { span.webkitRequestFullScreen(); });
    </script>

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016
Aug 29 2016: eae@ to triage for layout-dev.
Aug 30 2016
Aug 30 2016
Aug 30 2016
Aug 31 2016
Aug 31 2016: +awhalley@
Aug 31 2016: We're cutting an M53 RC today; I don't believe this warrants blocking that.
Sep 1 2016
Sep 1 2016: This bug is marked as an M53 Stable blocker. The fix has to be landed/baked/verified in Canary and merged to the M53 branch 2785 by 3:00 PM Tuesday (09/06/16) at the latest in order to make it into next week's Stable build cut (the sooner the better, if possible).
Sep 1 2016
Sep 7 2016: ClusterFuzz has detected this issue as fixed in range 416613:416628.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4853581708787712
Fuzzer: attekett_surku_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x0bb1c042c090
Crash State:
    Bad-cast to blink::LayoutBox from blink::LayoutText
    blink::LayoutBox::nextSiblingBox
    blink::LayoutBlockFlow::layoutBlockChildren
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=396810:396849
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=416613:416628

Minimized Testcase (0.75 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95Rj5FIBVpDWL42_68660q1hB4wfIyrpNdKlGYMycqji6Qvf2dmqTVpAiAdqnRB6P29M9iYahS3Po5WJgHIrui_KpD1A1u5vWljqHBbtq3fGG2BcfIY1VI304J7i-MWauMLH2IEN_lwQuQ-jGDeSKYWfrlaXA?testcase_id=4853581708787712
(The attached test case is identical to the one in the issue description above.)

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7 2016: ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Sep 7 2016
Sep 9 2016
Sep 10 2016: Your change meets the bar and is auto-approved for M54 (branch: 2840).
Sep 13 2016: This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 17 2016: Sheriffbot repeated the same merge-approved reminder as on Sep 13 2016.
Oct 7 2016: ClusterFuzz re-posted the same fixed-verification report (fixed in range 416613:416628) as on Sep 7 2016.
Oct 12 2016
Oct 13 2016
Dec 13 2016: No merge needed.
Dec 15 2016: This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 29 2016
Owner: dsinclair@chromium.org
Status: Assigned (was: Untriaged)