Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.
Thank You.

CC'd devs for the recent changes done on the suspect files.

Can't access the test case =(
But it seems that PositionIteratorAlgorithm was constructed from Position, that is null (e.g Position::IsNull() == true) and the Node object inside it is null.
ChildAt() function called in ctor of the PositionIteratorAlgorithm [1].
Can't say more without the test case or detailed stack trace.

[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/PositionIterator.cpp?q=PositionIteratorAlgorithm&sq=package:chromium&l=60

Can editing team confirm and triage this?
If the root problem looks DOM API is doing something impossible and
ended up in nullptr deref, please forward this to DOM.

Lowering to P3 due to low usage of Document.execCommand('FormatBlock')

A cleaner version of the ClusterFuzz test case:

<style>
.c8:nth-of-type(2n+1) {
  visibility: collapse;
  display: table-cell;
  content: counter(c, ethiopic-halehame-ti-et) attr(id);
  counter-increment: c 65;
}

#el2 {
  position:absolute;
  top:0px;
  left:0px;
}
</style>
<input id=el11><input id=el2 class=c8>
<script>
document.designMode='on';
document.execCommand('selectall');
document.execCommand('FormatBlock', false, 'pre');
</script>

 Issue 793600  has been merged into this issue.

Thanks for the test case, xiaochengh@!
I'm looking into it.
When running debug build of content_shell for the case, I have the following DCHECK:

FATAL:VisiblePosition.cpp(77)] Check failed: position_with_affinity.IsConnected(). INPUT id="el11"@afterAnchor/TextAffinity::Downstream
0   libbase.dylib                       0x000000011f9cca5e base::debug::StackTrace::StackTrace(unsigned long) + 174
1   libbase.dylib                       0x000000011f9ccaed base::debug::StackTrace::StackTrace(unsigned long) + 29
2   libbase.dylib                       0x000000011f9ccabc base::debug::StackTrace::StackTrace() + 28
3   libbase.dylib                       0x000000011fa7859f logging::LogMessage::~LogMessage() + 479
4   libbase.dylib                       0x000000011fa4fa25 logging::LogMessage::~LogMessage() + 21
5   libblink_core.dylib                 0x000000012cdefa9a blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> >::Create(blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&) + 266
6   libblink_core.dylib                 0x000000012cd990e8 blink::CreateVisiblePosition(blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::TextAffinity) + 72
7   libblink_core.dylib                 0x000000012ce7c234 blink::FormatBlockCommand::FormatRange(blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::PositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::HTMLElement*&, blink::EditingState*) + 1956
8   libblink_core.dylib                 0x000000012ce0531d blink::ApplyBlockElementCommand::FormatSelection(blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::EditingState*) + 1245
9   libblink_core.dylib                 0x000000012ce7b9a8 blink::FormatBlockCommand::FormatSelection(blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::VisiblePositionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::EditingState*) + 88
10  libblink_core.dylib                 0x000000012ce047d6 blink::ApplyBlockElementCommand::DoApply(blink::EditingState*) + 1478

Also I tried to revert my suspecting commit https://chromium.googlesource.com/chromium/src/+/3292bf38eb80cb87d701ce761dd36584318926ea
For debug build it doesn't help and DHECK is still triggered.
Will make a release build to reproduce crash without dchecks.

It looks like the |position| objects here [1] is not connected (Position::IsConnected() == false).
That's why |AdjustPositionForBackwardIteration<Strategy>(position)| will return a null position and the PositionIteratorAlgorithm can't handle it.

I personally think that my changes like patch [2] are unrelated to the problem, please correct me if I wrong.
As a quick fix we can check for the disconnected position and return from MostBackwardCaretPosition or even earlier. I checked this case and the crash is gone.
Also looks like that we can change PositionIteratorAlgorithm ctor so it will handle null |anchor_node|, maybe with DCHECK() for that.

xiaochengh@, WDYT?

[1] https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/VisibleUnits.cpp?q=MostBackwardCaretPosition&sq=package:chromium&l=976
[2]  https://chromium.googlesource.com/chromium/src/+/3292bf38eb80cb87d701ce761dd36584318926ea

Adding some extra null/invalid position check seems fine.

Unless we have a more systematic fix for such issues, but we currently don't.

ClusterFuzz testcase 5707198025170944 is flaky and no longer crashes, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz testcase 6071858196905984 is still reproducing on tip-of-tree build (trunk).

If this testcase was not reproducible locally or unworkable, ignore this notification and we will file another bug soon with hopefully a better and workable testcase.

Otherwise, if this is not intended to be fixed (e.g. this is an intentional crash), please add ClusterFuzz-Ignore label to prevent future bug filing with similar crash stacktrace.