Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/895571d680c5aa0ea923a90dabc072f0e76c7aca (Remove redundant SelectionState reassignment.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/022cebe871e53ec3bc6950f747b27a349a0aaf56

commit 022cebe871e53ec3bc6950f747b27a349a0aaf56
Author: Yoichi Osato <yoichio@chromium.org>
Date: Tue Dec 05 06:34:46 2017

Revert "Remove redundant SelectionState reassignment."

This reverts commit 895571d680c5aa0ea923a90dabc072f0e76c7aca.

Reason for revert: This causes HUA.

Original change's description:
> Remove redundant SelectionState reassignment.
> 
> Xor invalidation was shipped:
> https://chromium-review.googlesource.com/c/chromium/src/+/720817
> 
> Then there is no inconsistency SelectionState in layout tree thus
> we can just DCHECK its start/end state.
> 
> Bug:  739062 
> Change-Id: I6bb791568a76d47f7088c692d2960eddc34f570a
> Reviewed-on: https://chromium-review.googlesource.com/798995
> Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
> Commit-Queue: Yoichi Osato <yoichio@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#520869}

TBR=yosin@chromium.org,yoichio@chromium.org,xiaochengh@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  791484 ,  791293 
Change-Id: Ie9679e069bbecc633a5c3818b8c8256598acb433
Reviewed-on: https://chromium-review.googlesource.com/807489
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Commit-Queue: Yoichi Osato <yoichio@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521625}
[modify] https://crrev.com/022cebe871e53ec3bc6950f747b27a349a0aaf56/third_party/WebKit/Source/core/editing/LayoutSelection.cpp

ClusterFuzz has detected this issue as fixed in range 521624:521625.

Detailed report: https://clusterfuzz.com/testcase?key=5104026843873280

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x610000010b40
Crash State:
  blink::LayoutObject::NextInPreOrder
  blink::ResetOldSelectedLayoutObjects
  blink::LayoutSelection::Commit
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=520867:520872
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=521624:521625

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5104026843873280

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5104026843873280 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

 Issue 792332  has been merged into this issue.

This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Approving merge to M64. Branch:3282

I noticed that reverted change was committed after m64 branch.
No need to cherry-pick.
I'm wondering why this is recognized as M-64 issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot