Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/fc5c3629044888b8d723cc11424879bb883d8d3e (Wrap text child of display:contents in anonymous if necessary.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Note that reproducing requires enabling display:contents which is behind a flag. This is done in the repro step by running with --run-layout-test.

The CL landed after the M64 branch point.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4a7c779ed98e170ce8d51744d59786ad646a80af

commit 4a7c779ed98e170ce8d51744d59786ad646a80af
Author: Rune Lillesveen <futhark@chromium.org>
Date: Mon Dec 11 10:05:04 2017

Add checks for anonymous boxes being of table part.

Anonymous inline wrappers for display:contents were mistakenly assumed
to be anonymous table parts.

Bug:  792439 ,  792946 ,  792550 
Change-Id: Ib7017ff67a8658135d2e08c47f93966d5dbfa5bc
Reviewed-on: https://chromium-review.googlesource.com/817564
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523069}
[modify] https://crrev.com/4a7c779ed98e170ce8d51744d59786ad646a80af/third_party/WebKit/Source/core/layout/LayoutObjectTest.cpp
[modify] https://crrev.com/4a7c779ed98e170ce8d51744d59786ad646a80af/third_party/WebKit/Source/core/layout/LayoutTable.cpp
[modify] https://crrev.com/4a7c779ed98e170ce8d51744d59786ad646a80af/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp

ClusterFuzz testcase 4518132034306048 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

[Bulk Edit]

+awhalley@ (Security TPM) for M65 merge review

govind@ - good for 65

Approving merge to M65 branch 3325 based on comment #18. Please merge ASAP so we can pick it up for next week Beta release. Thank you.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Cl listed at #11 is already in M65 branch (3325). 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot