Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.
Thank You.

I'll take a look for IdleSpellCheckCallback

This is again due to insufficient sanitization of positions restored from UndoStack.

Minimum repro:

<div contenteditable id=host></div>
<div contenteditable id=other>foo bar baz.</div>
<script>
// Must be long enough so that SimplifiedBackwardsTextIterator is used to compute the checking range
host.innerHTML = 'bla. '.repeat(256);
host.focus();
getSelection().collapse(host, 1);
document.execCommand('insertText', false, 'zz..');
host.firstChild.deleteData(host.firstChild.length - 1, 1);

// Now the undo stack stores an invalid ending selection for the insertTextCommand

// Move selection the other editable, so that spellchecker computes the checking range in the first editable using the selection stored in UndoStack instead of the current selection
other.focus();

// Hit DCHECK when spellchecker is invoked
</script>

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0983bb664cb182476d81f806691cbda8ad58e95a

commit 0983bb664cb182476d81f806691cbda8ad58e95a
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Thu Oct 12 01:51:59 2017

Add offset range check in PositionTemplate::IsValidFor()

A stored Position can be invalidated when DOM mutations decreases the
max offset in its anchor node, making the stored offset invalid.

This patch adds the check to declare such positions as invalid, so that
we won't be mistakenly using it in, for example, spellchecker.

Bug:  772718 
Change-Id: I4b520c421adf1a3ff903785cbfb430f3e7751a33
Reviewed-on: https://chromium-review.googlesource.com/707687
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508216}
[modify] https://crrev.com/0983bb664cb182476d81f806691cbda8ad58e95a/third_party/WebKit/LayoutTests/editing/spelling/spelling-changed-text.html
[modify] https://crrev.com/0983bb664cb182476d81f806691cbda8ad58e95a/third_party/WebKit/Source/core/editing/Position.cpp

ClusterFuzz testcase 5768108689326080 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Reopen as of #7.

There's another crash cause in the repro case that, we ended up with an invalid FrameSelection. It crashes when IdleSpellCheckCallback::HotModeInvocation() is called on that invalid FrameSelection.

Re-assign to yosin@, who understands the SelectionEditor, the class maintaining FrameSelection upon DOM changes.

>#c9, could you explain about "invalid FrameSelection"?
Is IdleSpellCheckCallback::HotModeInvocation() called for detached frame?
Or, failed to relocate SelectionInDOMTree in SelectionEditor?

#10: IdleSpellCheckCallback can't be called on detached frame, since it's already a DocumentShutdownObserver.

I suspect that SelectionEditor failed to relocate SelectionInDOMTree, as when spellchecker was checking GetFrame().Selection().GetSelectionInDOMTree().Extent(), it got a text-anchored position with an out-of-bound offset, and hence, hitting a DCHECK

ClusterFuzz has detected this issue as fixed in range 510178:510268.

Detailed report: https://clusterfuzz.com/testcase?key=5768108689326080

Fuzzer: bj_broddelwerk
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Breakpoint
Crash Address: 0x08aea880
Crash State:
  blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N
  blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N
  blink::SimplifiedBackwardsTextIteratorAlgorithm<blink::EditingAlgorithm<blink::N
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=471041:471079
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=510178:510268

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5768108689326080

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5768108689326080 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.