Null-dereference READ in blink::Node::GetDocument |
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6532150815096832

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::GetDocument
  blink::ThemePainterDefault::SetupMenuListArrow
  blink::ThemePainterDefault::PaintMenuList

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6532150815096832

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 8 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/68c4cdbe80c1a578c9321d2a98f61939fc54c39d (Allow for paint offset roots that don't have PaintLayers.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Nov 9 2017
I'm looking at these null pointer in theme code bugs. This is the second (see also https://bugs.chromium.org/p/chromium/issues/detail?id=779377).
Nov 13 2017
Nov 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1

commit a1c0004ec1034fa715ded22620f3b7c7b3cef6d1
Author: Stephen Chenney <schenney@chromium.org>
Date: Tue Nov 14 03:35:08 2017

    Avoid null Node pointers in theme painting code

    A recent change to reduce the dependence of theme code on layout objects changed painting code to take Node objects instead of LayoutObjects. However, Node can be null for anonymous layout objects, and the theme code crashes when accessing this null node in numerous places.

    As part of this patch, all of the uses of Node in the theme painting code were audited to identify potential null accesses. The sites affected have been changed to either check for null or take a Document as an argument to avoid the node access.

    R=eae@chromium.org
    BUG=782817, 779377
    Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
    Change-Id: I409ea5f16f462d959cf2864b7019ca9ca0bf22c2
    Reviewed-on: https://chromium-review.googlesource.com/764447
    Reviewed-by: Emil A Eklund <eae@chromium.org>
    Commit-Queue: Stephen Chenney <schenney@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#516175}

[add] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-border-painting-expected.txt
[add] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-border-painting.html
[add] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-menulist-painting-expected.txt
[add] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-menulist-painting.html
[modify] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/Source/core/paint/BoxPainter.cpp
[modify] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/Source/core/paint/ThemePainter.cpp
[modify] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/Source/core/paint/ThemePainter.h
[modify] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/Source/core/paint/ThemePainterDefault.cpp
[modify] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/Source/core/paint/ThemePainterDefault.h
[modify] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/Source/core/paint/ThemePainterMac.h
[modify] https://crrev.com/a1c0004ec1034fa715ded22620f3b7c7b3cef6d1/third_party/WebKit/Source/core/paint/ThemePainterMac.mm
Nov 14 2017
Nov 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/444367bed510036efd5684ba1bb31746c3449cbe

commit 444367bed510036efd5684ba1bb31746c3449cbe
Author: Stephen Chenney <schenney@chromium.org>
Date: Thu Nov 16 20:29:52 2017

    Avoid null Node pointers in theme painting code

    M-63 Merge.

    A recent change to reduce the dependence of theme code on layout objects changed painting code to take Node objects instead of LayoutObjects. However, Node can be null for anonymous layout objects, and the theme code crashes when accessing this null node in numerous places.

    As part of this patch, all of the uses of Node in the theme painting code were audited to identify potential null accesses. The sites affected have been changed to either check for null or take a Document as an argument to avoid the node access.

    TBR=eae@chromium.org
    BUG=782817, 779377
    Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
    Change-Id: I409ea5f16f462d959cf2864b7019ca9ca0bf22c2
    Reviewed-on: https://chromium-review.googlesource.com/764447
    Reviewed-by: Emil A Eklund <eae@chromium.org>
    Commit-Queue: Stephen Chenney <schenney@chromium.org>
    Cr-Original-Commit-Position: refs/heads/master@{#516175}
    (cherry picked from commit a1c0004ec1034fa715ded22620f3b7c7b3cef6d1)
    Reviewed-on: https://chromium-review.googlesource.com/775001
    Reviewed-by: Stephen Chenney <schenney@chromium.org>
    Cr-Commit-Position: refs/branch-heads/3239@{#522}
    Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}

[add] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-border-painting-expected.txt
[add] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-border-painting.html
[add] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-menulist-painting-expected.txt
[add] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/LayoutTests/paint/theme/anonymous-element-menulist-painting.html
[modify] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/Source/core/paint/BoxPainter.cpp
[modify] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/Source/core/paint/ThemePainter.cpp
[modify] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/Source/core/paint/ThemePainter.h
[modify] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/Source/core/paint/ThemePainterDefault.cpp
[modify] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/Source/core/paint/ThemePainterDefault.h
[modify] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/Source/core/paint/ThemePainterMac.h
[modify] https://crrev.com/444367bed510036efd5684ba1bb31746c3449cbe/third_party/WebKit/Source/core/paint/ThemePainterMac.mm
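Both commit messages above (the original landing and the M-63 merge) describe the same hazard: painting code that now takes a Node dereferences a pointer that is null for anonymous layout objects, and the fix is either a null check or passing the Document instead. The following is an added illustration, not Blink's code: stand-in Document, Node and LayoutObject types (constructed, with made-up arrow sizes) showing the crashing shape beside both forms of the fix.

```cpp
#include <cstddef>

// Stand-in types modelling the relationship in the bug (not Blink's classes).
struct Document {
  bool in_quirks_mode;
};

struct Node {
  Document* document;
  Document& GetDocument() const { return *document; }
};

// A layout object may be anonymous: it is created by layout, not by the DOM,
// so it has no Node. It still always belongs to a Document.
struct LayoutObject {
  Node* node;      // nullptr for anonymous boxes
  Document* doc;   // never null
  Node* GetNode() const { return node; }
  Document& GetDocument() const { return *doc; }
};

bool IsAnonymous(const LayoutObject& obj) { return obj.GetNode() == nullptr; }

// Pre-fix shape: the arrow setup takes a Node and dereferences it without
// checking. Handed the node of an anonymous box (nullptr), this is the null
// read inside Node::GetDocument that UBSan reported.
int ArrowSizeBefore(Node* node) {
  return node->GetDocument().in_quirks_mode ? 7 : 9;  // constructed sizes
}

// Fix, first form: check for null and fall back to a default.
int ArrowSizeNullChecked(Node* node) {
  if (!node)
    return 9;
  return node->GetDocument().in_quirks_mode ? 7 : 9;
}

// Fix, second form: take the Document, so there is no Node to dereference.
int ArrowSizeWithDocument(const Document& doc) {
  return doc.in_quirks_mode ? 7 : 9;
}

// Painter entry point after the fix: it routes through the Document that the
// layout object always has, so anonymous boxes paint without crashing.
int PaintMenuList(const LayoutObject& obj) {
  return ArrowSizeWithDocument(obj.GetDocument());
}
```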
Nov 18 2017
ClusterFuzz has detected this issue as fixed in range 514498:517702.

Detailed report: https://clusterfuzz.com/testcase?key=6532150815096832

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::Node::GetDocument
  blink::ThemePainterDefault::SetupMenuListArrow
  blink::ThemePainterDefault::PaintMenuList

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=508795:508862
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=514498:517702

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6532150815096832

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 18 2017
ClusterFuzz testcase 4709981143433216 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 8 2017
Labels: Test-Predator-Auto-Components