Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1324be868df000cb2e070199ce2d10cd0c5a2706 (Make NextWordPosition() to utilize TextOffsetMapping).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This crash occurs very frequently on mac platform and is likely preventing the fuzzer inferno_twister from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.

I'm working now...

Here is minimal HTML to reproduce:

<script>
window.getSelection().modify('move', 'forward', 'word');
</script>

 Issue 832110  has been merged into this issue.

 Issue 832235  has been merged into this issue.

M67 Beta promotion is coming VERY soon. Pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.

Any update on this bug as this is M67 beta blocker?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c

commit dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c
Author: Yoshifumi Inoue <yosin@chromium.org>
Date: Tue Apr 17 04:30:18 2018

Revert "Make NextWordPosition() to utilize TextOffsetMapping"

This reverts commit 1324be868df000cb2e070199ce2d10cd0c5a2706 for M67/Beta

TextOffsetMapping is not ready for release.
It should support edge cases.

TBR=yosin@chromium.org

Bug:  832055 ,  832061 ,  832101 ,  832261 ,  832350 ,  832497 ,  832639 ,  833172 ,  833180 
Change-Id: Iac5f58716619a626650088a55109922daf1a4f3a
Reviewed-on: https://chromium-review.googlesource.com/1013445
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3396@{#36}
Cr-Branched-From: 9ef2aa869bc7bc0c089e255d698cca6e47d6b038-refs/heads/master@{#550428}
[modify] https://crrev.com/dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c/third_party/blink/renderer/core/editing/visible_units_word.cc
[modify] https://crrev.com/dec40a582a3805fb28dfd67ba49fc2cdb28a1b6c/third_party/blink/renderer/core/editing/visible_units_word_test.cc

Patch for M68: http://crrev.com/c/1014841

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e5c72bb72853a08b297c0e8832107c0a58802ab9

commit e5c72bb72853a08b297c0e8832107c0a58802ab9
Author: Yoshifumi Inoue <yosin@chromium.org>
Date: Wed Apr 18 00:08:27 2018

Add DCHECK() to NextWordPositionInternal() not to accept null-position

Because of |NextWordPositionInternal()| doesn't accept null-position, this
patch adds |DCHECK()| to catch such callers for ease of debugging.

Bug:  832061 
Change-Id: Id987553c939db8f061e58eca09d7ebcd946482c9
Reviewed-on: https://chromium-review.googlesource.com/1013642
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551531}
[modify] https://crrev.com/e5c72bb72853a08b297c0e8832107c0a58802ab9/third_party/blink/renderer/core/editing/visible_units_word.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/95a072a8d1e7a08882039f599a913dbd564b7fc3

commit 95a072a8d1e7a08882039f599a913dbd564b7fc3
Author: Yoshifumi Inoue <yosin@chromium.org>
Date: Wed Apr 18 00:43:11 2018

Make SelectionModifier::Modify() to do nothing for empty selection

This patch makes |SelectionModifier::Modify()| to do nothing for empty selection
to avoid calling |NextWordPosition()| with null-position.

Note: |NextWordPosition()| doesn't accept null-position since the patch[1].

[1] http:/crrev.com/c/1004536 Make NextWordPosition() to utilize
TextOffsetMapping

Bug:  832061 
Change-Id: I534af079f068f709c9b48a408988cb413a520b86
Reviewed-on: https://chromium-review.googlesource.com/1014841
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551539}
[modify] https://crrev.com/95a072a8d1e7a08882039f599a913dbd564b7fc3/third_party/blink/renderer/core/editing/selection_modifier.cc
[modify] https://crrev.com/95a072a8d1e7a08882039f599a913dbd564b7fc3/third_party/blink/renderer/core/editing/selection_modifier.h
[modify] https://crrev.com/95a072a8d1e7a08882039f599a913dbd564b7fc3/third_party/blink/renderer/core/editing/selection_modifier_test.cc

ClusterFuzz testcase 5334724680351744 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 551460:551464.

Detailed report: https://clusterfuzz.com/testcase?key=6126420515094528

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::TextOffsetMapping::ComputeContainigBlock
  blink::NextWordPosition
  blink::NextWordPosition
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=550102:550107
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=551460:551464

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6126420515094528

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.