Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a38d0db155af75c10bee0902299ec180499775d1 (Move DOMTokenList:SerializeToString).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c335ebd64b7b4c8d89594e0986e494ccca2fe1c5

commit c335ebd64b7b4c8d89594e0986e494ccca2fe1c5
Author: Fergal Daly <fergal@chromium.org>
Date: Wed Apr 04 14:52:15 2018

Fix crash introduced in https://crrev.com/c/991693

The statement copied from the original code would be

size_t size = size();

but that does not compile since size now refers to the variable size_t size.

I mistakenly replaced size() with data_->size() forgetting that data_ could be nullptr.

The correct fix was to use this->size() which includes a check for nullptr.

Add a test that would have caught this.

Bug:  828740 
Change-Id: I57a396d968a1a8e947bb9fdb0b7d232494c6d5d5
Reviewed-on: https://chromium-review.googlesource.com/995592
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Fergal Daly <fergal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#548056}
[modify] https://crrev.com/c335ebd64b7b4c8d89594e0986e494ccca2fe1c5/third_party/WebKit/Source/core/dom/SpaceSplitString.cpp
[modify] https://crrev.com/c335ebd64b7b4c8d89594e0986e494ccca2fe1c5/third_party/WebKit/Source/core/dom/SpaceSplitStringTest.cpp

 Issue 828817  has been merged into this issue.

 Issue 828822  has been merged into this issue.

Issue 828856 has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 548054:548057.

Detailed report: https://clusterfuzz.com/testcase?key=5222992632872960

Fuzzer: inferno_webbot
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000001c
Crash State:
  blink::SpaceSplitString::Data::size
  blink::SpaceSplitString::SerializeToString
  blink::DOMTokenList::UpdateWithTokenSet
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=547655:547656
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=548054:548057

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5222992632872960

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5222992632872960 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.