Null-dereference READ in blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition |
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5513657411960832
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x00000000003d
Crash State:
  blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition
  blink::NextLinePosition
  blink::NextParagraphPosition
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=362845:363044
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5513657411960832
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 20 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/549f017c96ad0e70bfce3b6a2248cbf747dde26c (Make unicode-bidi:isolate the default for elements with dir attributes). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Oct 24 2017
The CL changes the default value of unicode-bidi, so it should be reproducible without it. yosin@, looks more like editing, any ideas?
Oct 25 2017
Route Blink>Layout, since the sample HTML hits a DCHECK in LayoutBlockFlowLine.cpp:
LayoutBlockFlowLine.cpp(1182) Check failed: resolver.GetPosition() == end_of_line.
Stack trace:
LayoutBlockFlow::LayoutRunsAndFloatsInRange(blink::LineLayoutState & layout_state, blink::BidiResolver<blink::InlineIterator,blink::BidiRun,blink::BidiIsolatedRun> & resolver, const blink::InlineIterator & clean_line_start, const blink::BidiStatus & clean_line_bidi_status) Line 1184
LayoutBlockFlow::LayoutRunsAndFloats(blink::LineLayoutState & layout_state) Line 1003
LayoutBlockFlow::LayoutInlineChildren(bool relayout_children, blink::LayoutUnit after_edge) Line 1994
LayoutBlockFlow::LayoutChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope) Line 574
LayoutBlockFlow::UpdateBlockLayout(bool relayout_children) Line 447
LayoutBlock::UpdateLayout() Line 427
LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox & child, blink::LayoutUnit new_logical_top, blink::BlockChildrenLayoutInfo & layout_info) Line 769
LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox & child, blink::BlockChildrenLayoutInfo & layout_info) Line 830
LayoutBlockFlow::LayoutBlockChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope, blink::LayoutUnit before_edge, blink::LayoutUnit after_edge) Line 1536
LayoutBlockFlow::LayoutChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope) Line 576
LayoutBlockFlow::UpdateBlockLayout(bool relayout_children) Line 447
LayoutBlock::UpdateLayout() Line 427
LayoutRubyRun::UpdateLayout() Line 223
LayoutObject::LayoutIfNeeded() Line 1124
LayoutBlockFlow::LayoutInlineChildren(bool relayout_children, blink::LayoutUnit after_edge) Line 1975
LayoutBlockFlow::LayoutChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope) Line 574
LayoutBlockFlow::UpdateBlockLayout(bool relayout_children) Line 447
LayoutBlock::UpdateLayout() Line 427
LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox & child, blink::LayoutUnit new_logical_top, blink::BlockChildrenLayoutInfo & layout_info) Line 769
LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox & child, blink::BlockChildrenLayoutInfo & layout_info) Line 830
LayoutBlockFlow::LayoutBlockChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope, blink::LayoutUnit before_edge, blink::LayoutUnit after_edge) Line 1536
LayoutBlockFlow::LayoutChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope) Line 576
LayoutBlockFlow::UpdateBlockLayout(bool relayout_children) Line 447
LayoutBlock::UpdateLayout() Line 427
LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox & child, blink::LayoutUnit new_logical_top, blink::BlockChildrenLayoutInfo & layout_info) Line 769
LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox & child, blink::BlockChildrenLayoutInfo & layout_info) Line 830
LayoutBlockFlow::LayoutBlockChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope, blink::LayoutUnit before_edge, blink::LayoutUnit after_edge) Line 1536
LayoutBlockFlow::LayoutChildren(bool relayout_children, blink::SubtreeLayoutScope & layout_scope) Line 576
LayoutBlockFlow::UpdateBlockLayout(bool relayout_children) Line 447
LayoutBlock::UpdateLayout() Line 427
LayoutView::LayoutContent() Line 228
LayoutView::UpdateLayout() Line 320
LocalFrameView::PerformLayout(bool in_subtree_layout) Line 1114
LocalFrameView::UpdateLayout() Line 1297
Document::UpdateStyleAndLayout() Line 2382
Document::UpdateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks run_post_layout_tasks) Line 2475
EnabledSelectAll(blink::LocalFrame & frame, blink::Event *, blink::EditorCommandSource source) Line 2254
Editor::Command::IsEnabled(blink::Event * triggering_event) Line 3059
Editor::Command::Execute(const WTF::String & parameter, blink::Event * triggering_event) Line 3011
Document::execCommand(const WTF::String & command_name, bool, const WTF::String & value, blink::ExceptionState & exception_state) Line 93
DocumentV8Internal::execCommandMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 3982
V8Document::execCommandMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 6832
v8.dll!v8::internal::FunctionCallbackArguments::Call(void(*)(const v8::FunctionCallbackInfo<v8::Value> &) f) Line 25
v8.dll!v8::internal::`anonymous namespace'::HandleApiCallHelper<0>(v8::internal::Isolate * isolate, v8::internal::Handle<v8::internal::HeapObject> function, v8::internal::Handle<v8::internal::HeapObject> new_target, v8::internal::Handle<v8::internal::FunctionTemplateInfo> fun_data, v8::internal::Handle<v8::internal::Object> receiver, v8::internal::BuiltinArguments args) Line 112
v8.dll!v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments args, v8::internal::Isolate * isolate) Line 142
v8.dll!v8::internal::Builtin_HandleApiCall(int args_length, v8::internal::Object * * args_object, v8::internal::Isolate * isolate) Line 130
Oct 25 2017
Predator and CL could not provide any possible suspects. Using code search for the files VisibleUnitsLine.cpp and VisibleUnitsParagraph.cpp, assigning to the concerned owner from git blame. Suspected commits:
https://chromium.googlesource.com/chromium/src/+/d4e4efc136c41f9182c0143eec4e15f4bc47ac95
https://chromium.googlesource.com/chromium/src/+/d458772d4250347ab3ed34e8cf682b16658d208a
@yosin -- Could you please look into the above commits? Kindly reassign if it has nothing to do with your changes. Thank you.
Oct 26 2017
Both CLs listed in #c5 move code to another file. The issue existed before these patches; ClusterFuzz reveals the condition that hits the DCHECK.
Oct 26 2017
Unable to provide possible suspect using Predator, CL and Code Search. Could someone please look into the issue. Thank You.
Oct 26 2017
I don't think we should degrade a nullptr-deref crash to a DCHECK failure, so I reverted the summary. The DCHECK failure looks like issue 351283 coming back. And this repro uses -webkit-rtl-ordering:visual, the same underlying code as iso-8859-8 used in issue 351283. Setting to P3, given that -webkit-rtl-ordering:visual is very rare and therefore this is unlikely to be a real crash.
May 16 2018
ClusterFuzz has detected this issue as fixed in range 558997:559000.
Detailed report: https://clusterfuzz.com/testcase?key=5513657411960832
Fuzzer: bj_broddelwerk
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x00000000003d
Crash State:
  blink::RootInlineBox::ClosestLeafChildForLogicalLeftPosition
  blink::NextLinePosition
  blink::NextParagraphPosition
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=362845:363044
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=558997:559000
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5513657411960832
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 16 2018
ClusterFuzz testcase 5513657411960832 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Oct 20 2017
Labels: Test-Predator-AutoComponents