CHECK failure: start <= end in CSSParserImpl.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4924891114766336

Fuzzer: libFuzzer_stylesheet_contents_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  start <= end in CSSParserImpl.h
  blink::CSSParserImpl::RangeOffset::RangeOffset
  blink::CSSParserImpl::ConsumeAtRule

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=504974:505015

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4924891114766336

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 2 2017

Oct 3 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9507dfd8c9dad1847a7440cb8023df080a86f090

commit 9507dfd8c9dad1847a7440cb8023df080a86f090
Author: Darren Shen <shend@chromium.org>
Date: Tue Oct 03 02:28:21 2017

[CSSParser] Fix offset DCHECK crash for observers.

Currently, there's a logical bug when parsing certain invalid CSS with comments. For example, when we parse:

  @import/**/;

we need to obtain the character offset of the import prelude. We have two ways of getting the offset: Offset(), which gets the offset of the character we've consumed up to, and LookAheadOffset(), which gets the offset of the next character we will consume. There's no difference between the two unless the next token is a comment token, since we skip comment tokens when consuming.

More specifically, the value of Offset (labelled A) vs LookAheadOffset (labelled B) differs in this test case:

  @import/**/;
         ^   ^
         A   B

Currently we obtain the starting offset of the prelude using B and the end using A, which is bad because end should not be before start. This triggers a DCHECK which fails on debug builds, but doesn't really have an effect on release builds because these rules are invalid and will get ignored.

We fix this by using LookAheadOffset() for both start and end, so that this will never happen. There are a few more usages of Offset() that we will investigate later.

Bug: 770527
Change-Id: I39b90d2f58617d567075eecb131a6d704b9aeb23
Reviewed-on: https://chromium-review.googlesource.com/696401
Commit-Queue: Darren Shen <shend@chromium.org>
Reviewed-by: nainar <nainar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#505929}

[modify] https://crrev.com/9507dfd8c9dad1847a7440cb8023df080a86f090/third_party/WebKit/LayoutTests/http/tests/devtools/elements/styles-2/parse-comments.html
[modify] https://crrev.com/9507dfd8c9dad1847a7440cb8023df080a86f090/third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp
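The offset mismatch the commit message describes, as an added example that is not Chromium's code: a constructed miniature tokenizer and token range in which Offset() is the position consumption has reached and LookAheadOffset() is the start of the next non-comment token. The names Tokenize, MiniRange, ConsumeAtRulePrelude and the Valid() check are assumptions made for this model; only RangeOffset and the start <= end invariant come from the report above. The fixed flag selects between the "before" behaviour (prelude end taken from Offset(), A) and the "after" behaviour (end taken from LookAheadOffset(), B), so the same input shows both the inverted range that would trip the DCHECK and the corrected one.

```cpp
#include <cctype>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

enum class TokenKind { AtKeyword, Ident, Whitespace, Comment, Semicolon };

struct Token {
  TokenKind kind;
  size_t start;  // offset of the token's first character
  size_t end;    // offset one past its last character
};

// Hypothetical tokenizer covering only the token kinds this example needs.
std::vector<Token> Tokenize(const std::string& css) {
  std::vector<Token> tokens;
  size_t i = 0;
  while (i < css.size()) {
    const size_t start = i;
    TokenKind kind;
    if (css.compare(i, 2, "/*") == 0) {
      const size_t close = css.find("*/", i + 2);
      i = (close == std::string::npos) ? css.size() : close + 2;
      kind = TokenKind::Comment;
    } else if (css[i] == ';') {
      ++i;
      kind = TokenKind::Semicolon;
    } else if (std::isspace(static_cast<unsigned char>(css[i]))) {
      while (i < css.size() && std::isspace(static_cast<unsigned char>(css[i]))) ++i;
      kind = TokenKind::Whitespace;
    } else {
      kind = (css[i] == '@') ? TokenKind::AtKeyword : TokenKind::Ident;
      if (css[i] == '@') ++i;
      while (i < css.size() && std::isalnum(static_cast<unsigned char>(css[i]))) ++i;
      if (i == start) ++i;  // lone punctuation: one-char token, so the loop never stalls
    }
    tokens.push_back({kind, start, i});
  }
  return tokens;
}

// Constructed model of the parser's token range. Offset() ("A") is where
// consumption has reached; LookAheadOffset() ("B") is where the next token
// Consume() would return begins. They differ only when comment tokens sit in
// between, because comments are skipped on consumption.
class MiniRange {
 public:
  MiniRange(std::vector<Token> tokens, size_t source_length)
      : tokens_(std::move(tokens)), source_length_(source_length) {}

  size_t Offset() const { return consumed_end_; }
  size_t LookAheadOffset() const {
    const size_t p = NextNonComment();
    return p < tokens_.size() ? tokens_[p].start : source_length_;
  }
  const Token* Peek() const {
    const size_t p = NextNonComment();
    return p < tokens_.size() ? &tokens_[p] : nullptr;
  }
  void Consume() {
    pos_ = NextNonComment();
    if (pos_ < tokens_.size()) consumed_end_ = tokens_[pos_++].end;
  }

 private:
  size_t NextNonComment() const {
    size_t p = pos_;
    while (p < tokens_.size() && tokens_[p].kind == TokenKind::Comment) ++p;
    return p;
  }
  std::vector<Token> tokens_;
  size_t source_length_;
  size_t pos_ = 0;
  size_t consumed_end_ = 0;
};

struct RangeOffset {
  size_t start;
  size_t end;
  bool Valid() const { return start <= end; }  // the invariant the real constructor DCHECKs
};

// Consume an at-rule prelude (everything before ';' or end of input). The start
// always comes from LookAheadOffset(); the end comes from Offset() in the buggy
// variant and from LookAheadOffset() in the fixed one, as the commit describes.
RangeOffset ConsumeAtRulePrelude(const std::string& css, bool fixed) {
  MiniRange range(Tokenize(css), css.size());
  range.Consume();  // the at-keyword itself, e.g. "@import"
  const size_t start = range.LookAheadOffset();
  while (const Token* t = range.Peek()) {
    if (t->kind == TokenKind::Semicolon) break;
    range.Consume();
  }
  const size_t end = fixed ? range.LookAheadOffset() : range.Offset();
  return {start, end};
}
```

For "@import/**/;" the buggy variant returns start 11 and end 7 (the comment was skipped for the start but not reflected in the end), while the fixed variant returns 11 and 11. With a non-empty prelude such as "@import foo;" both variants agree, which is why the inversion only surfaces on an empty prelude followed by a comment.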
Oct 3 2017

Oct 3 2017
ClusterFuzz has detected this issue as fixed in range 505918:505937.

Detailed report: https://clusterfuzz.com/testcase?key=4924891114766336

Fuzzer: libFuzzer_stylesheet_contents_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  start <= end in CSSParserImpl.h
  blink::CSSParserImpl::RangeOffset::RangeOffset
  blink::CSSParserImpl::ConsumeAtRule

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=504974:505015
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=505918:505937

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4924891114766336

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 3 2017
ClusterFuzz testcase 4924891114766336 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 7 2017
Comment 1 by ClusterFuzz, Oct 1 2017
Labels: Test-Predator-AutoComponents