Issue 798410

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security
Team-Accessibility




Security DCHECK failure: !object || (object->IsTableCell()) in LayoutTableCell.h

Project Member Reported by ClusterFuzz, Jan 2 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6526471744258048

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Security DCHECK failure
Crash Address: 
Crash State:
  !object || (object->IsTableCell()) in LayoutTableCell.h
  blink::AXTableCell::ScanToDecideHeaderRole
  blink::AXARIAGridCell::ScanToDecideHeaderRole
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=500415:500471

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6526471744258048

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 2 2018

Labels: Test-Predator-Auto-Owner
Owner: aleventhal@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e390302d58681b827ab20c148b0dadccf06dbf19 (Tables with extra wrapping elements can have incorrect row/col info).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Project Member

Comment 2 by ClusterFuzz, Jan 2 2018

Components: Blink>Accessibility
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 3 2018

Labels: M-63
Project Member

Comment 4 by sheriffbot@chromium.org, Jan 3 2018

Labels: Pri-1
Project Member

Comment 5 by sheriffbot@chromium.org, Jan 17 2018

aleventhal: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Jan 25 2018

Labels: -M-63 M-64
Project Member

Comment 7 by sheriffbot@chromium.org, Jan 31 2018

aleventhal: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: aleventhal@chromium.org
Owner: dmazz...@chromium.org
Dominicc - aleventhal@ has failed to respond on this regression. As reviewer, can you please revert the CL?
@inferno, perhaps I was under the mistaken impression that this was a different crbug. I'll take a look now.
Owner: aleventhal@chromium.org
Cc: -aleventhal@chromium.org dmazz...@chromium.org
Looks like this is legit and broken on master. I thought it was another dupe of something we fixed.
Status: Started (was: Assigned)
Project Member

Comment 15 by bugdroid1@chromium.org, Feb 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b0d1618cc5e95f77c152022232257b61b61a952e

commit b0d1618cc5e95f77c152022232257b61b61a952e
Author: Aaron Leventhal <aleventhal@chromium.org>
Date: Thu Feb 08 18:57:13 2018

Crash fix for th with role gridcell in a table with nontraditional css

Do not assume we can use ToLayoutCell() in an object that can be created
for an ARIA cell and may not be associated with an actual table cell.

Bug: 798410
Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
Reviewed-on: https://chromium-review.googlesource.com/906953
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#535462}
[add] https://crrev.com/b0d1618cc5e95f77c152022232257b61b61a952e/third_party/WebKit/LayoutTests/accessibility/table-with-th-role-gridcell-crash.html
[modify] https://crrev.com/b0d1618cc5e95f77c152022232257b61b61a952e/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp

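The fix commit above comes down to one assumption: an accessibility object built for an ARIA cell is not guaranteed to sit on a real table-cell layout object, so casting to the table-cell type without checking first trips the security DCHECK that ClusterFuzz reported (and, in a release build with no DCHECK, would read fields through a pointer of the wrong type). The following is an added example, not Blink's code and not part of this bug report: a small C++ model of that pattern with the pre-fix unchecked cast beside the checked version. All class and function names (LayoutObject, LayoutBlock, LayoutTableCell, AXARIACell, ScanToDecideHeaderRole*) are simplified stand-ins for the Blink types named in the crash state and are hypothetical, as is the row/column-header heuristic; the DCHECK abort is modelled as an exception so both paths can be exercised in one process.

```cpp
// Added example, not Blink's code. Names are hypothetical stand-ins for the
// Blink types in the crash state (LayoutObject / LayoutTableCell / AXTableCell).
#include <cstdio>
#include <stdexcept>

// Stand-in for the layout tree's base class.
struct LayoutObject {
  virtual ~LayoutObject() = default;
  virtual bool IsTableCell() const { return false; }
};

// A <th> rendered with non-table CSS (for example display:block) gets a plain
// block layout object, not a table cell, even though the element is a <th>.
struct LayoutBlock : LayoutObject {};

// A real table cell knows where it sits in the grid.
struct LayoutTableCell : LayoutObject {
  LayoutTableCell(int row, int col) : row_index(row), column_index(col) {}
  bool IsTableCell() const override { return true; }
  int row_index;
  int column_index;
};

// Models Blink's ToLayoutTableCell() helper: a static_cast guarded by
// DCHECK(!object || object->IsTableCell()), the check ClusterFuzz tripped.
// A debug build aborts on a failed DCHECK; here the abort is modelled as an
// exception so the example can show it without killing the process. A release
// build has no check and would hand back a pointer of the wrong type.
struct DcheckFailure : std::logic_error {
  using std::logic_error::logic_error;
};

LayoutTableCell* ToLayoutTableCell(LayoutObject* object) {
  if (object && !object->IsTableCell())
    throw DcheckFailure("!object || (object->IsTableCell()) in LayoutTableCell.h");
  return static_cast<LayoutTableCell*>(object);
}

enum class HeaderRole { kCell, kRowHeader, kColumnHeader };

// Stand-in for the accessibility object built for an ARIA cell. It is created
// from the DOM role, so its layout object is whatever the CSS produced: a
// LayoutTableCell, a LayoutBlock, or nothing at all.
struct AXARIACell {
  bool is_th;            // the element is a <th>
  LayoutObject* layout;  // may be a LayoutBlock, a LayoutTableCell, or null
};

// Pre-fix shape: assumes a <th> ARIA cell always has a table-cell layout
// object and casts unconditionally.
HeaderRole ScanToDecideHeaderRoleUnchecked(const AXARIACell& ax) {
  if (!ax.is_th) return HeaderRole::kCell;
  LayoutTableCell* cell = ToLayoutTableCell(ax.layout);  // DCHECK trips here
  if (!cell) return HeaderRole::kCell;
  // Hypothetical heuristic: a header in the first column is a row header.
  return cell->column_index == 0 ? HeaderRole::kRowHeader : HeaderRole::kColumnHeader;
}

// Post-fix shape: verify the dynamic type before casting and treat anything
// that is not a real table cell as a plain cell.
HeaderRole ScanToDecideHeaderRoleChecked(const AXARIACell& ax) {
  if (!ax.is_th || !ax.layout || !ax.layout->IsTableCell())
    return HeaderRole::kCell;
  LayoutTableCell* cell = ToLayoutTableCell(ax.layout);  // now always a cell
  return cell->column_index == 0 ? HeaderRole::kRowHeader : HeaderRole::kColumnHeader;
}

// True if the unchecked scan would have tripped the DCHECK on this object.
bool UncheckedScanTripsDcheck(const AXARIACell& ax) {
  try {
    ScanToDecideHeaderRoleUnchecked(ax);
    return false;
  } catch (const DcheckFailure&) {
    return true;
  }
}

int main() {
  LayoutTableCell real_cell(/*row=*/2, /*col=*/0);
  LayoutBlock block_from_odd_css;  // <th role=gridcell> styled as a block
  AXARIACell normal{true, &real_cell};
  AXARIACell odd{true, &block_from_odd_css};
  std::printf("normal th: trips_dcheck=%d checked_role=%d\n",
              UncheckedScanTripsDcheck(normal),
              static_cast<int>(ScanToDecideHeaderRoleChecked(normal)));
  std::printf("th with block layout: trips_dcheck=%d checked_role=%d\n",
              UncheckedScanTripsDcheck(odd),
              static_cast<int>(ScanToDecideHeaderRoleChecked(odd)));
  return 0;
}
```

The point of the checked version is that the dynamic-type test happens in the caller, before the cast helper is reached, so the helper's DCHECK becomes an invariant rather than the only line of defence; in a release build, where the DCHECK compiles away, that caller-side check is the only thing standing between a `<th role="gridcell">` with unusual CSS and a read through a mistyped pointer.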
Status: Fixed (was: Started)
Project Member

Comment 17 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 18 by ClusterFuzz, Feb 9 2018

ClusterFuzz has detected this issue as fixed in range 535460:535466.

Detailed report: https://clusterfuzz.com/testcase?key=6526471744258048

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Security DCHECK failure
Crash Address: 
Crash State:
  !object || (object->IsTableCell()) in LayoutTableCell.h
  blink::AXTableCell::ScanToDecideHeaderRole
  blink::AXARIAGridCell::ScanToDecideHeaderRole
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=500415:500471
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=535460:535466

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6526471744258048

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 19 by ClusterFuzz, Feb 9 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6526471744258048 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 20 by sheriffbot@chromium.org, Feb 11 2018

Labels: Merge-Request-65
Project Member

Comment 21 by sheriffbot@chromium.org, Feb 11 2018

Labels: -Merge-Request-65 Merge-Review-65 Hotlist-Merge-Review
This bug requires manual review: M65 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M65 merge review. Pls note that this was regressed in M63.
govind@ - good for 65

(Note that since it's a security bug, the fact we've shipped with it in the past isn't a good indicator we can continue to ship with it :-)
Labels: -Merge-Review-65 Merge-Approved-65
Agree, approving merge to M65 branch 3325 based on comment #23. Please merge ASAP so we can pick it up for this week Beta release. Thank you.
Project Member

Comment 25 by bugdroid1@chromium.org, Feb 13 2018

Labels: -merge-approved-65 merge-merged-3325
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8b82bd215942b4c2fdcaf8dac918ffc249e20c77

commit 8b82bd215942b4c2fdcaf8dac918ffc249e20c77
Author: Aaron Leventhal <aleventhal@chromium.org>
Date: Tue Feb 13 16:54:36 2018

Crash fix for th with role gridcell in a table with nontraditional css

Do not assume we can use ToLayoutCell() in an object that can be created
for an ARIA cell and may not be associated with an actual table cell.

Bug: 798410
Change-Id: I3db7d09ca146469a4fb87ef04a03e9d4ba8525d3
Reviewed-on: https://chromium-review.googlesource.com/906953
Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
Reviewed-by: Nektarios Paisios <nektar@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#535462}
(cherry picked from commit b0d1618cc5e95f77c152022232257b61b61a952e)
Reviewed-on: https://chromium-review.googlesource.com/916527
Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#447}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
[add] https://crrev.com/8b82bd215942b4c2fdcaf8dac918ffc249e20c77/third_party/WebKit/LayoutTests/accessibility/table-with-th-role-gridcell-crash.html
[modify] https://crrev.com/8b82bd215942b4c2fdcaf8dac918ffc249e20c77/third_party/WebKit/Source/modules/accessibility/AXTableCell.cpp

Labels: Release-0-M65
Project Member

Comment 27 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-64 M-65
Project Member

Comment 28 by sheriffbot@chromium.org, May 18 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot