Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr;_ZNSt11_Tuple_implILm0EJRKiRKSbItN4base20string16_char_traitsESaItEERKSt6vectorIN5blink23WebCompositionUnderlineESaISA_EERKN3gfx5RangeES1_EE7_M_headERKSJ_;blink::shadowDepthOf<>
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6515467650072576

Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x7f595cc19990
Crash State:
  Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr
  _ZNSt11_Tuple_implILm0EJRKiRKSbItN4base20string16_char_traitsESaItEERKSt6vectorIN5blink23WebCompositionUnderlineESaISA_EERKN3gfx5RangeES1_EE7_M_headERKSJ_
  blink::shadowDepthOf<>
Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=456721:456818

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6515467650072576

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, May 1 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 1 2017
May 1 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6719543983734784
May 1 2017
Peter, any idea why cfi builds are crashing in sandbox::bpf_dsl? The bottom frames at the end are more interesting.

  #5 0x7f51daba0750 blink::(anonymous namespace)::ShadowDepthOf<>()
  #6 0x7f51daba05ee blink::TextIteratorAlgorithm<>::Initialize()
  #7 0x7f51daba3bec blink::TextIteratorAlgorithm<>::RangeLength()
  #8 0x7f51dab7c710 blink::CompositeEditCommand::MoveParagraphs()
  #9 0x7f51dab7bec2 blink::CompositeEditCommand::MoveParagraphContentsToNewBlockIfNecessary()
  #10 0x7f51dab70717 blink::ApplyStyleCommand::ApplyBlockStyle()
  #11 0x7f51dab783dd blink::CompositeEditCommand::Apply()
  #12 0x7f51dab373df blink::Editor::ApplyParagraphStyle()
  #13 0x7f51dab8673b blink::ExecuteApplyParagraphStyle()

And we have seen similar bugs with crashes in "Bad-cast to sandbox::bpf_dsl", so something is going wrong in cfi builds recently?
May 1 2017
May 1 2017
Detailed report: https://clusterfuzz.com/testcase?key=6719543983734784

Job Type: mac_asan_chrome
Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::In
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::Te
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::Ra
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=338645:338660

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6719543983734784

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 1 2017
Hi yoichio@ - clusterfuzz pointed at https://chromium.googlesource.com/chromium/blink.git/+/9126cdc187f207a3b54b298d9f4999d724270b97 - mind taking a look? Thanks!
May 1 2017
May 1 2017
May 2 2017
> And we have seen similar bugs with crashes in "Bad-cast to sandbox::bpf_dsl", so something is going wrong in cfi builds recently?

When I was sheriff, I did see another "bad-cast" problem in issue 704612.
May 2 2017
May 3 2017
May 5 2017
May 17 2017
ClusterFuzz has detected this issue as fixed in range 472116:472196.

Detailed report: https://clusterfuzz.com/testcase?key=6515467650072576

Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x7f595cc19990
Crash State:
  Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr
  _ZNSt11_Tuple_implILm0EJRKiRKSbItN4base20string16_char_traitsESaItEERKSt6vectorIN5blink23WebCompositionUnderlineESaISA_EERKN3gfx5RangeES1_EE7_M_headERKSJ_
  blink::shadowDepthOf<>
Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=456721:456818
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=472116:472196

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6515467650072576

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot