VisibleSelection ctor with word granularity should not yield start > end VisibleSelection
Issue description

When we add CHECK_LE(start, end) in VisibleSelection::Validate(), we get lots of crash reports after expanding granularity. If we don't find samples and fix it, we'll add swapping of start and end.

[1] http://crrev.com/2947613002: Add CHECK to VisibleSelection::Validate() to find where we get wrong positions
Jun 22 2017
Issue 734948 has been merged into this issue. Issue 734964 has been merged into this issue. Issue 735004 has been merged into this issue. Issue 735042 has been merged into this issue. Issue 735064 has been merged into this issue. Issue 735326 has been merged into this issue.
Jun 22 2017
Issue 735326 is caused by paragraph expansion yielding the same Text node, "xBxC\n", with start at 1 and end at 0.
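As an added illustration (not Blink code) of the invariant the issue description says Validate() CHECKs, CHECK_LE(start, end), and of the two remedies this thread discusses, swapping the endpoints versus rejecting the inverted range; Position, Range, the node list and ExtractText are all constructed here, using the "xBxC\n" case from the comment above:

```cpp
// Added example (not Blink code): the invariant that VisibleSelection::Validate()
// CHECKs, CHECK_LE(start, end), and the two remedies this bug discusses.
#include <cstddef>
#include <optional>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

struct Position {
  std::size_t node;    // index of the text node in document order (constructed model)
  std::size_t offset;  // character offset inside that node
};
// Document order: earlier node first, then smaller offset within the node.
inline bool operator<=(const Position& a, const Position& b) {
  return std::tie(a.node, a.offset) <= std::tie(b.node, b.offset);
}
struct Range { Position start, end; };

// The invariant Validate() CHECKs: a range must not end before it starts.
bool IsValidRange(const Range& r) { return r.start <= r.end; }

// Remedy 1 (issue description): repair an inverted range by swapping endpoints.
Range NormalizeRange(Range r) {
  if (!IsValidRange(r)) std::swap(r.start, r.end);
  return r;
}

// Remedy 2 (the landed fix): refuse an inverted range instead of iterating it.
std::optional<Range> ValidateOrReject(const Range& r) {
  if (!IsValidRange(r)) return std::nullopt;
  return r;
}

// Toy text iterator over a list of text nodes. It assumes a valid range: with
// start > end inside one node, `to - from` wraps as size_t, which is why the
// caller must go through NormalizeRange() or ValidateOrReject() first.
std::string ExtractText(const std::vector<std::string>& nodes, const Range& r) {
  std::string out;
  for (std::size_t n = r.start.node; n <= r.end.node && n < nodes.size(); ++n) {
    std::size_t from = (n == r.start.node) ? r.start.offset : 0;
    std::size_t to = (n == r.end.node) ? r.end.offset : nodes[n].size();
    out += nodes[n].substr(from, to - from);
  }
  return out;
}
// The case from the comment above: one Text node "xBxC\n" with start 1 and end 0.
std::string DemoSwapThenExtract() {
  const std::vector<std::string> nodes{"xBxC\n"};  // constructed sample
  return ExtractText(nodes, NormalizeRange(Range{{0, 1}, {0, 0}}));
}
```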
Jun 22 2017
Users experienced this crash on the following builds:
Android Dev 61.0.3129.3 - 1.20 CPM, 50 reports, 26 clients (signature TextIteratorAlgorithm)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jun 22 2017
Users experienced this crash on the following builds:
Win Canary 61.0.3136.0 - 2.70 CPM, 29 reports, 28 clients (signature blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Validate)
Mac Canary 61.0.3136.0 - 1.89 CPM, 12 reports, 12 clients (signature blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Validate)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jun 22 2017
ClusterFuzz testcase 4657490305482752 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 30 2017
Jun 30 2017
Issue 734296 has been merged into this issue.
Jul 10 2017
The NextAction date has arrived: 2017-07-10
Jul 10 2017
Marking as RBS since the crash due to this bug is seen on Dev:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20%20AND%20(%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm%27%20or%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27TextIteratorAlgorithm%27)&ignore_case=false&enable_rewrite=false&omit_field_name=CrashedStackTrace.StackFrame.FunctionName&omit_field_value=blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm(blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3ATextIteratorBehavior%20const%26)&omit_field_opt=%3D#-samplereports:5,productversion:1000,magicsignature:50
Regressed in 61.0.3118.0; #4 renderer crash on Android Dev.
Jul 11 2017
A friendly reminder that M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.
Jul 15 2017
Jul 26 2017
Just to update the latest behavior of the crash. This crash doesn't have any instances in latest Canary, dev, beta and stable.

62.0.3165.0 0.77% 4
61.0.3163.0 0.39% 2

Link to the list of the builds:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20%20AND%20(%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm%27%20or%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27TextIteratorAlgorithm%27)&ignore_case=false&enable_rewrite=false&omit_field_name=CrashedStackTrace.StackFrame.FunctionName&omit_field_value=blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm(blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3ATextIteratorBehavior%20const%26)&omit_field_opt=%3D#-samplereports:5,productname,productversion:1000,+processtype,magicsignature:50

Thanks!!
Jul 26 2017
Correction
==========
This crash is observed in latest dev on Android.

61.0.3162.3 4.25% 22 - Dev

Link to the list of the builds:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20%20AND%20(%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm%27%20or%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27TextIteratorAlgorithm%27)&ignore_case=false&enable_rewrite=false&omit_field_name=CrashedStackTrace.StackFrame.FunctionName&omit_field_value=blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm(blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3ATextIteratorBehavior%20const%26)&omit_field_opt=%3D#-samplereports:5,productname,productversion:1000,+processtype,magicsignature:50

Thanks!!
Jul 26 2017
URGENT - PTAL. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the M61 branch #3163 ASAP to have enough baking time in Beta before Stable promotion. Thank you! Know that this issue shouldn't block the release? Remove the ReleaseBlock-Stable label.
Jul 31 2017
Just to update the latest behavior of the crash. This crash is still observed in latest dev on Android.

61.0.3163.13 1.09% 6 - Dev

Link to the list of the builds:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20%20AND%20(%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm%27%20or%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27TextIteratorAlgorithm%27)&ignore_case=false&enable_rewrite=false&omit_field_name=CrashedStackTrace.StackFrame.FunctionName&omit_field_value=blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm(blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3APositionTemplate%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%20const%26%2C%20blink%3A%3ATextIteratorBehavior%20const%26)&omit_field_opt=%3D#-samplereports:5,productname,productversion:1000,+processtype,magicsignature:50

Can someone from the dev team please provide us an update on this issue, as this issue is tagged with Release Block Stable. Thanks!!
Aug 2 2017
Aug 2 2017
Remove "ReleaseBlock-Stable" since crash instances are small and "ReleaseBlock-Stable" was marked when we used CHECK() in VisibleSelection::Validate().
Aug 2 2017
To fix this bug, we need to revise StartOfWord()/EndOfWord()
Sep 1 2017
ClusterFuzz testcase 6200372480966656 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 14 2017
Still seeing this in M61, 62, and 63, reopening: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%20like%20%27%25blink%3A%3ATextIteratorAlgorithm%3Cblink%3A%3AEditingAlgorithm%3Cblink%3A%3AFlatTreeTraversal%3E%20%3E%3A%3ATextIteratorAlgorithm%27&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#productversion:1000,magicsignature:50
Sep 14 2017
Sep 14 2017
This is #5 renderer crash on stable, marking as RBS
Sep 15 2017
Probably too late for M61, so will punt to M62. I'm disappointed we untagged as RB even though aluo@ pointed out this was a #5 crash in dev, yosin@ why did that happen?
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Sep 21 2017
Users experienced this crash on the following builds:
Android Dev 63.0.3214.0 - 0.94 CPM, 32 reports, 17 clients (signature blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::TextIteratorAlgorithm)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Sep 22 2017
Mark Available to move this issue into team working queue.
Sep 22 2017
Users experienced this crash on the following builds:
Android Beta 62.0.3202.29 - 0.77 CPM, 13 reports, 12 clients (signature blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::TextIteratorAlgorithm)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Sep 26 2017
Sep 26 2017
Sep 28 2017
Repro steps:
1. Go to omegle.com
2. Type in some interests people are unlikely to have in common with you
3. Tap "Start a chat"
4. While waiting to match with someone, long press "Type your message..."
Sep 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/115ef964ad20ac081252d434b5f5219a3b64f892

commit 115ef964ad20ac081252d434b5f5219a3b64f892
Author: Ryan Landay <rlanday@chromium.org>
Date: Fri Sep 29 03:36:25 2017

Fix Android renderer crash when long-pressing certain markup

Long-pressing on a webpage in Android calls SelectionController::SelectClosestWordFromHitTestResult(), which calls CreateVisibleSelectionWithGranularity() to attempt to select the closest word. In some cases, this creates an invalid range (which ends before it starts), which causes a crash. This is currently the #3 top renderer crash in Chrome 61 for Android.

This CL adds a check for an invalid selection range to avoid a crash that we can merge into the M62 release. We should properly fix CreateVisibleSelectionWithGranularity() at a later point to not return invalid ranges.

Bug: 735774
Change-Id: If035606403df9f3d13961e49dce80f0129b96318
Reviewed-on: https://chromium-review.googlesource.com/691060
Commit-Queue: Ryan Landay <rlanday@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505283}

[modify] https://crrev.com/115ef964ad20ac081252d434b5f5219a3b64f892/third_party/WebKit/Source/core/editing/SelectionController.cpp
Sep 29 2017
Sep 29 2017
This bug requires manual review: M62 has already been promoted to the beta branch, so this requires manual review.

Please contact the milestone owner if you have questions.
Owners: amineer@ (Android), cmasso@ (iOS), bhthompson@ (ChromeOS), abdulsyed@ (Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 29 2017
Has this issue been verified in M63?
Sep 29 2017
The policy is it's supposed to be in Canary for 24 hours before a merge, right? I just installed the latest Chrome Canary, 63.0.3226.0, and it's not fixed there yet (checking the revision log, it looks like I missed that release by a few hours). So I think we need to wait for 24 hours after the next Canary release before doing a merge.
Sep 29 2017
Correct! It is always safe to verify the fix in canary before merging it into beta branch. There will be a new Canary build tonight so you should be able to merge this on Monday.
Oct 2 2017
OmahaProxy says 63.0.3226.0 is still the latest Android Canary release, so I think we need to wait a little longer on this.
Oct 2 2017
Can you verify the fix on Windows or Mac? Canary's version is 63.0.3230.0 for Desktop.
Oct 2 2017
I don't think so; this is not nearly as high-firing on Mac or Windows as it is on Android. I can't even find it being reported on Windows in an M62 or M63 build.
Oct 3 2017
63.0.3231.0 was pushed to Canary this morning. Please check. Thanks.
Oct 3 2017
We're going to need to wait for more crash reports. There are only 15 renderer crashes reported on that version so far.
Oct 4 2017
We still don't have many renderer crash reports on 63.0.3231.0:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20product.Version%3D%2763.0.3231.0%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27&sql_dialect=googlesql&ignore_case=false&enable_rewrite=true&omit_field_name&omit_field_value&omit_field_opt=%3D

We have more reports on 63.0.3232.0, but most of the stack traces are garbled:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20product.Version%3D%2763.0.3232.0%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27&sql_dialect=googlesql&ignore_case=false&enable_rewrite=true&omit_field_name&omit_field_value&omit_field_opt=%3D

Anyway, I'm fairly confident the problem has been fixed. I'm comfortable doing the cherrypick today.
Oct 4 2017
Approving merge for M62. Branch:3202
Oct 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c102fec36bba291a97de912e4028ac4e03e6eb36

commit c102fec36bba291a97de912e4028ac4e03e6eb36
Author: Ryan Landay <rlanday@chromium.org>
Date: Wed Oct 04 22:32:51 2017

Fix Android renderer crash when long-pressing certain markup

Long-pressing on a webpage in Android calls SelectionController::SelectClosestWordFromHitTestResult(), which calls CreateVisibleSelectionWithGranularity() to attempt to select the closest word. In some cases, this creates an invalid range (which ends before it starts), which causes a crash. This is currently the #3 top renderer crash in Chrome 61 for Android.

This CL adds a check for an invalid selection range to avoid a crash that we can merge into the M62 release. We should properly fix CreateVisibleSelectionWithGranularity() at a later point to not return invalid ranges.

Bug: 735774
Change-Id: If035606403df9f3d13961e49dce80f0129b96318
Reviewed-on: https://chromium-review.googlesource.com/691060
Commit-Queue: Ryan Landay <rlanday@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#505283}
(cherry picked from commit 115ef964ad20ac081252d434b5f5219a3b64f892)
Reviewed-on: https://chromium-review.googlesource.com/701614
Reviewed-by: Ryan Landay <rlanday@chromium.org>
Cr-Commit-Position: refs/branch-heads/3202@{#581}
Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098}

[modify] https://crrev.com/c102fec36bba291a97de912e4028ac4e03e6eb36/third_party/WebKit/Source/core/editing/SelectionController.cpp
Oct 5 2017
The crash has been fixed for M62. Passing back to yosin@ to determine what to do about the underlying issue.
Oct 9 2017
Since the crash is fixed, can we close this one and file a separate bug for the other issue?
Oct 9 2017
candrada: sounds good!
Oct 10 2017
Mark Fixed per #c48. We use issue 773220 for tracking, since the underlying bug isn't fixed yet.