Use-after-poison in blink::TreeScope::Retarget
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6201073782751232
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7e9ab2ec3f28
Crash State:
  blink::TreeScope::Retarget
  blink::TreeScope::HitTestPointInternal
  blink::TreeScope::ElementsFromHitTestResult
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=531138:531140
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6201073782751232

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jan 23 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Jan 24 2018
ClusterFuzz has detected this issue as fixed in range 531177:531178.

Detailed report: https://clusterfuzz.com/testcase?key=6201073782751232
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7e9ab2ec3f28
Crash State:
  blink::TreeScope::Retarget
  blink::TreeScope::HitTestPointInternal
  blink::TreeScope::ElementsFromHitTestResult
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=531138:531140
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=531177:531178
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6201073782751232

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 24 2018
ClusterFuzz testcase 6201073782751232 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bb3517a95aa758711ac11927e8f8ebf44f6a272b

commit bb3517a95aa758711ac11927e8f8ebf44f6a272b
Author: Rakina Zata Amni <rakina@chromium.org>
Date: Thu Jan 25 07:29:30 2018

Revert "Revert "Fix retargeting of result in elementFromPoint and elementsFromPoint""

crrev.com/c/808446 was reverted because of a failure on the ASAN buildbot.
Revert CL link: crrev.com/c/880264
Failure link: https://uberchromegw.corp.google.com/i/chromium.webkit/builders/WebKit%20Linux%20Trusty%20ASAN/builds/8618

The failure is accessing *target_ancestor_iterator when it is out of bounds. Link: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/TreeScope.cpp?q=Treescope.cpp&sq=package:chromium&rcl=dd944882a245a5117b50cb417138d92f32d931d6&l=393 as there were no bound checks for target_ancestor_iterator. It wasn't caught by layout tests because it still returns the correct results: it doesn't crash when reading *target_ancestor_iterator out of bounds, it just stops the while-loop and returns at https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/TreeScope.cpp?q=Treescope.cpp&sq=package:chromium&rcl=dd944882a245a5117b50cb417138d92f32d931d6&l=398

Also, since the ASAN buildbot is not done before the CL is merged, this wasn't caught by trybots prior to committing.

The fix is just adding a bound check for target_ancestor_iterator here: https://chromium-review.googlesource.com/c/chromium/src/+/880741/2..3/third_party/WebKit/Source/core/dom/TreeScope.cpp

I have confirmed by using ASAN locally that it is fixed now. Before the fix, running the failing tests with an ASAN build fails.

Bug: 759947, 805039
Change-Id: I9934af8131f285045e0eb80923f190b6d88cef7d
Reviewed-on: https://chromium-review.googlesource.com/880741
Commit-Queue: Rakina Zata Amni <rakina@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Takayoshi Kochi <kochi@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#531839}

[add] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/external/wpt/shadow-dom/DocumentOrShadowRoot-prototype-elementFromPoint.html
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot-expected.txt
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/elementsFromPoint/elementsFromPoint-shadowroot.html
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint-expected.txt
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/LayoutTests/fast/dom/shadow/elementfrompoint.html
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/core/dom/TreeScope.cpp
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/core/dom/TreeScope.h
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/devtools/front_end/devtools_compatibility.js
[modify] https://crrev.com/bb3517a95aa758711ac11927e8f8ebf44f6a272b/third_party/WebKit/Source/devtools/front_end/dom_extension/DOMExtension.js
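The bug class the commit message describes, as an added, constructed illustration (not Blink's TreeScope code): an ancestor walk that dereferences its iterator without first checking it against end(), beside the same walk with the bound check. The `Node` struct, the `in_scope` predicate and the function names are assumptions made for this example.

```cpp
#include <cstdio>
#include <vector>

// Constructed stand-in for an ancestor chain; `in_scope` plays the role of
// "this ancestor belongs to the tree scope we are retargeting into".
struct Node {
  int id;
  bool in_scope;
};

// Buggy shape: the loop condition reads through `it` before checking that
// `it` is still inside the range. If no ancestor satisfies the predicate the
// read of *end() is undefined behaviour. ASAN reports it as an out-of-bounds /
// use-after-poison read; a non-sanitized build typically reads stale memory,
// exits the loop and returns a result that happens to look right, which is
// why a layout-test pass alone does not prove the walk is safe.
const Node* FirstInScopeUnchecked(const std::vector<Node>& ancestors) {
  auto it = ancestors.begin();
  while (!it->in_scope)  // no bound check on `it`
    ++it;
  return &*it;
}

// Fixed shape: test the bound before every dereference and make the
// "no ancestor matched" case explicit instead of handing back a dangling pointer.
const Node* FirstInScopeChecked(const std::vector<Node>& ancestors) {
  auto it = ancestors.begin();
  while (it != ancestors.end() && !it->in_scope)
    ++it;
  return it == ancestors.end() ? nullptr : &*it;
}

// Convenience wrapper so callers (and tests) get an id or -1 for "none".
int FirstInScopeId(const std::vector<Node>& ancestors) {
  const Node* n = FirstInScopeChecked(ancestors);
  return n ? n->id : -1;
}

int main() {
  // Constructed sample chains: one with a match, one where the walk runs off
  // the end. Only the checked version is safe to call on the second one.
  const std::vector<Node> with_match = {{1, false}, {2, false}, {3, true}};
  const std::vector<Node> no_match = {{1, false}, {2, false}};
  std::printf("with_match -> %d\n", FirstInScopeId(with_match));  // 3
  std::printf("no_match   -> %d\n", FirstInScopeId(no_match));    // -1
  return 0;
}
```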
May 2 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jan 23 2018
Owner: rakina@chromium.org
Status: Assigned (was: Untriaged)