Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/090ef9237a1e1c0c986532ca76d4b85825d7b496 (Reset SelectionState w/o propagation when clear old SeletionState.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/68a0980afbb3a5abcbd433c07f6774b6d732ddc5

commit 68a0980afbb3a5abcbd433c07f6774b6d732ddc5
Author: Yoichi Osato <yoichio@chromium.org>
Date: Fri Nov 03 07:11:40 2017

Revert "Reset SelectionState w/o propagation when clear old SeletionState."

This reverts commit 090ef9237a1e1c0c986532ca76d4b85825d7b496.

Reason for revert:  crbug.com/780558 

Original change's description:
> Reset SelectionState w/o propagation when clear old SeletionState.
> 
> We clear old selected but not selected LayoutObject's SelectionState
> to kNone using LayoutObject::SetSelectionStateIfNeeded().
> However the function calls virtual LayoutObject::SetSelectionState(),
> which change containing blocks' SelectionState.
> This causes inconsistency that marked not kNone LayoutObject can
> accidentally marked kNone.
> 
> This patch changes it to call non virtual
> LayoutObject::SetSelectionState() and assign kNone SelectionState
> to only target old selected LayoutObjects.
> 
> Bug:  739062 
> 
> Change-Id: I9ca736de43a2a982b1e29a1607325a1b77e3c35f
> Reviewed-on: https://chromium-review.googlesource.com/748841
> Commit-Queue: Yoichi Osato <yoichio@chromium.org>
> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#513096}

TBR=yosin@chromium.org,yoichio@chromium.org,xiaochengh@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  739062 ,  780558 
Change-Id: Ibe0945e61bb87079a4a925799e369e4f1e38662d
Reviewed-on: https://chromium-review.googlesource.com/752781
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#513715}
[modify] https://crrev.com/68a0980afbb3a5abcbd433c07f6774b6d732ddc5/third_party/WebKit/Source/core/editing/LayoutSelection.cpp
[modify] https://crrev.com/68a0980afbb3a5abcbd433c07f6774b6d732ddc5/third_party/WebKit/Source/core/editing/LayoutSelectionTest.cpp

ClusterFuzz has detected this issue as fixed in range 513713:513729.

Detailed report: https://clusterfuzz.com/testcase?key=5226225743429632

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x0670c1c0
Crash State:
  blink::LayoutObject::NextInPreOrder
  blink::CollectInvalidationSet
  blink::LayoutSelection::Commit
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=513092:513098
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=513713:513729

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5226225743429632

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5226225743429632 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot