Heap-use-after-free in blink::HTMLCollection::NamedItems
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5437323839012864
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x60300010f754
Crash State:
  blink::HTMLCollection::NamedItems
  blink::HTMLFormElement::GetNamedElements
  blink::HTMLFormElement::AnonymousNamedGetter
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=527687:527755
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5437323839012864

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 18 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/5af715b5e1ddba56932bfbdf59ccd42c692ec656 (Change the mojo interface for creating/revoking Blob URLs.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Jan 18 2018
,
Jan 18 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 18 2018
,
Jan 18 2018
Unlikely to be me since my change shouldn't do anything without special flags enabled.
,
Jan 18 2018
I didn't see anything super-suspicious in the listed regression range; maybe https://chromium.googlesource.com/chromium/src/+/367b74c54cd90f49f23b931754b1ede9af5df935%5E%21/#F0 which applies an optimization to not update a cache if nodes aren't "connected" to a document? The repro has callbacks that delete selections from the document and set attributes on those elements?
,
Jan 19 2018
I confirmed reverting #527730 fixed this issue.
,
Jan 22 2018
,
Jan 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e4dc91a1eef20385d060e04760de3641989950e5

commit e4dc91a1eef20385d060e04760de3641989950e5
Author: Adithya Srinivasan <adithyas@chromium.org>
Date: Tue Jan 23 00:28:55 2018

Revert "Skip unnecessary invalidation of document level NodeList caches"

This reverts commit 367b74c54cd90f49f23b931754b1ede9af5df935.

Reason for revert: Turns out it is possible to create a situation where a form isn't connected but depends on its HTMLFormControlCollection being invalidated at the document level, because all of its listed elements are not descendants of the form element itself. See https://crbug.com/803352 for such a test case.

Bug: 803352

Original change's description:
> Skip unnecessary invalidation of document level NodeList caches
>
> We don't have to invalidate the document's NodeLists caches if the
> node isn't connected to the document. This particularly helps with
> avoiding invalidations when creating a document fragment in
> setInnerHTML (The caches should only be invalidated when the contents
> of the document fragment are added to the document).
>
> Bug:
> Change-Id: I42a9ecdcfa2cb81c69749f21a4af61369b670e5a
> Reviewed-on: https://chromium-review.googlesource.com/829613
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Reviewed-by: Jeremy Roman <jbroman@chromium.org>
> Commit-Queue: Adithya Srinivasan <adithyas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#527730}

TBR=jbroman@chromium.org,hayato@chromium.org,haraken@chromium.org,adithyas@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: Id727740f01418eecdff19ccebbf30e28a2afc815
Reviewed-on: https://chromium-review.googlesource.com/879030
Reviewed-by: Adithya Srinivasan <adithyas@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Adithya Srinivasan <adithyas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531084}

[modify] https://crrev.com/e4dc91a1eef20385d060e04760de3641989950e5/third_party/WebKit/Source/core/dom/ContainerNode.cpp
,
Jan 23 2018
ClusterFuzz has detected this issue as fixed in range 531013:531086.

Detailed report: https://clusterfuzz.com/testcase?key=5437323839012864
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x60300010f754
Crash State:
  blink::HTMLCollection::NamedItems
  blink::HTMLFormElement::GetNamedElements
  blink::HTMLFormElement::AnonymousNamedGetter
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=527687:527755
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=531013:531086
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5437323839012864

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 23 2018
ClusterFuzz testcase 5437323839012864 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 25 2018
,
Jan 25 2018
This bug requires manual review: Reverts referenced in bugdroid comments after merge request. Please contact the milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jan 25 2018
+ awhalley@ (Security TPM) for M65 merge review.
,
Jan 26 2018
govind@ - good for 65
,
Jan 27 2018
Approving merge to M65 branch 3325 based on comment #16. Please merge ASAP. Thank you.
,
Jan 27 2018
awhalley@, does this need a merge to M64?
,
Jan 27 2018
Re #18: No, the regressing commit 367b74c5... initially landed in 65.0.3316 and was quickly found by the fuzzer.
,
Jan 27 2018
Thank you elawrence@ for confirming no merge is needed to M64.
,
Jan 29 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/338650d93d3aa88c2ec9ace040e8f10f23ee2a38

commit 338650d93d3aa88c2ec9ace040e8f10f23ee2a38
Author: Adithya Srinivasan <adithyas@chromium.org>
Date: Mon Jan 29 18:30:28 2018

Revert "Skip unnecessary invalidation of document level NodeList caches"

This reverts commit 367b74c54cd90f49f23b931754b1ede9af5df935.

Reason for revert: Turns out it is possible to create a situation where a form isn't connected but depends on its HTMLFormControlCollection being invalidated at the document level, because all of its listed elements are not descendants of the form element itself. See https://crbug.com/803352 for such a test case.

Bug: 803352

Original change's description:
> Skip unnecessary invalidation of document level NodeList caches
>
> We don't have to invalidate the document's NodeLists caches if the
> node isn't connected to the document. This particularly helps with
> avoiding invalidations when creating a document fragment in
> setInnerHTML (The caches should only be invalidated when the contents
> of the document fragment are added to the document).
>
> Bug:
> Change-Id: I42a9ecdcfa2cb81c69749f21a4af61369b670e5a
> Reviewed-on: https://chromium-review.googlesource.com/829613
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Reviewed-by: Jeremy Roman <jbroman@chromium.org>
> Commit-Queue: Adithya Srinivasan <adithyas@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#527730}

TBR=jbroman@chromium.org,hayato@chromium.org,haraken@chromium.org,adithyas@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Change-Id: Id727740f01418eecdff19ccebbf30e28a2afc815
Reviewed-on: https://chromium-review.googlesource.com/879030
Reviewed-by: Adithya Srinivasan <adithyas@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Adithya Srinivasan <adithyas@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#531084}
(cherry picked from commit e4dc91a1eef20385d060e04760de3641989950e5)
Reviewed-on: https://chromium-review.googlesource.com/891638
Cr-Commit-Position: refs/branch-heads/3325@{#142}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}

[modify] https://crrev.com/338650d93d3aa88c2ec9ace040e8f10f23ee2a38/third_party/WebKit/Source/core/dom/ContainerNode.cpp
,
Feb 8 2018
,
Feb 12 2018
,
Mar 27 2018
,
May 1 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot