Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/27c0ee55811678e4896cf0a07f8c4728bd7a58f2 (Enable support for display:contents.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

https://chromium-review.googlesource.com/c/chromium/src/+/895283

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/277af9187ad3574d0946f08de078e86971f54fee

commit 277af9187ad3574d0946f08de078e86971f54fee
Author: Rune Lillesveen <futhark@chromium.org>
Date: Wed Jan 31 22:22:09 2018

Do not skip out-of-flow boxes merging anonymous flex items.

A misread of the spec made us skip out-of-flow boxes merging anonymous
flex items. Only merge anonymous flex items which are truly box
siblings.

Adjusted the wpt tests accordingly. Fwiw, Firefox nightly now passes
all of wpt/css/css-flexbox/anonymous-*

Bug:  788379 ,  806151 
Change-Id: I124740e5d2150becdcc03ded26773a69607e0bbb
Reviewed-on: https://chromium-review.googlesource.com/895283
Reviewed-by: Christian Biesinger <cbiesinger@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533440}
[modify] https://crrev.com/277af9187ad3574d0946f08de078e86971f54fee/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/277af9187ad3574d0946f08de078e86971f54fee/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-004.html
[modify] https://crrev.com/277af9187ad3574d0946f08de078e86971f54fee/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-005.html
[modify] https://crrev.com/277af9187ad3574d0946f08de078e86971f54fee/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-006.html
[add] https://crrev.com/277af9187ad3574d0946f08de078e86971f54fee/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-split-ref.html
[modify] https://crrev.com/277af9187ad3574d0946f08de078e86971f54fee/third_party/WebKit/Source/core/layout/LayoutFlexibleBox.cpp

ClusterFuzz has detected this issue as fixed in range 533439:533446.

Detailed report: https://clusterfuzz.com/testcase?key=5736549850021888

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61100002e480
Crash State:
  blink::LayoutObject::DestroyAndCleanupAnonymousWrappers
  blink::Node::DetachLayoutTree
  blink::ContainerNode::DetachLayoutTree
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=526970:526971
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=533439:533446

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5736549850021888

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5736549850021888 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M65. Please go ahead and merge the CL to branch 3325 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4fc019b14d169e2675b86d801337d493aba8bd63

commit 4fc019b14d169e2675b86d801337d493aba8bd63
Author: Rune Lillesveen <futhark@chromium.org>
Date: Thu Feb 01 23:38:01 2018

Do not skip out-of-flow boxes merging anonymous flex items.

A misread of the spec made us skip out-of-flow boxes merging anonymous
flex items. Only merge anonymous flex items which are truly box
siblings.

Adjusted the wpt tests accordingly. Fwiw, Firefox nightly now passes
all of wpt/css/css-flexbox/anonymous-*

TBR=cbiesinger@chromium.org

Bug:  788379 ,  806151 
Change-Id: I124740e5d2150becdcc03ded26773a69607e0bbb
Reviewed-on: https://chromium-review.googlesource.com/895283
Reviewed-by: Christian Biesinger <cbiesinger@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#533440}(cherry picked from commit 277af9187ad3574d0946f08de078e86971f54fee)
Reviewed-on: https://chromium-review.googlesource.com/898413
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Cr-Commit-Position: refs/branch-heads/3325@{#249}
Cr-Branched-From: bc084a8b5afa3744a74927344e304c02ae54189f-refs/heads/master@{#530369}
[modify] https://crrev.com/4fc019b14d169e2675b86d801337d493aba8bd63/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/4fc019b14d169e2675b86d801337d493aba8bd63/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-004.html
[modify] https://crrev.com/4fc019b14d169e2675b86d801337d493aba8bd63/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-005.html
[modify] https://crrev.com/4fc019b14d169e2675b86d801337d493aba8bd63/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-006.html
[add] https://crrev.com/4fc019b14d169e2675b86d801337d493aba8bd63/third_party/WebKit/LayoutTests/external/wpt/css/css-flexbox/anonymous-flex-item-split-ref.html
[modify] https://crrev.com/4fc019b14d169e2675b86d801337d493aba8bd63/third_party/WebKit/Source/core/layout/LayoutFlexibleBox.cpp

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot