Bad-cast to blink::InlineTextBox from blink::InlineBox in blink::ToInlineTextBox
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5112359342047232
Fuzzer: inferno_twister_c
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x558219fe9fd0
Crash State:
  Bad-cast to blink::InlineTextBox from blink::InlineBox
  blink::ToInlineTextBox
  bool blink::IsAfterAtomicInlineOrLineBreak<blink::TraversalLeft<blink::EditingAlgorithm<blink::NodeTraversal> > >
Sanitizer: cfi (CFI)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=551369:551408
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5112359342047232

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Apr 19 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Apr 20 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 20 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/76ccc833b42a3f8fe7a772939759b26224461fa8

commit 76ccc833b42a3f8fe7a772939759b26224461fa8
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Fri Apr 20 20:07:18 2018

Fix bad-cast by using the correct type check function

To check whether an InlineBox is an InlineTextBox, the current function to call is IsInlineTextBox() instead of IsText(). This patch changes one caller using IsText() to fix a bad cast.

Bug: 834850
Change-Id: I37acb6234ae60384138074d430a31dac9e6e11a7
Reviewed-on: https://chromium-review.googlesource.com/1019922
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Yoichi Osato <yoichio@chromium.org>
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#552443}

[modify] https://crrev.com/76ccc833b42a3f8fe7a772939759b26224461fa8/third_party/blink/renderer/core/editing/BUILD.gn
[modify] https://crrev.com/76ccc833b42a3f8fe7a772939759b26224461fa8/third_party/blink/renderer/core/editing/selection_modifier_character.cc
[add] https://crrev.com/76ccc833b42a3f8fe7a772939759b26224461fa8/third_party/blink/renderer/core/editing/selection_modifier_character_test.cc
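The commit above replaces an IsText() gate with IsInlineTextBox() before a downcast, which is exactly the kind of type confusion CFI flagged here. The C++ below is an added, simplified model written for this page (not Blink code and not from the patch): the class names are borrowed from the bug, OtherTextBox is a hypothetical box whose IsText() is true although it is not an InlineTextBox (the page does not say which real box type triggered the crash), and ToInlineTextBox stands in for the CFI-checked cast, recording the mismatch instead of trapping.

```cpp
#include <memory>
#include <vector>
class InlineBox {
 public:
  explicit InlineBox(bool is_text) : is_text_(is_text) {}
  virtual ~InlineBox() = default;
  bool IsText() const { return is_text_; }                // content flag, not a type check
  virtual bool IsInlineTextBox() const { return false; }  // exact type the cast requires
 private:
  bool is_text_;
};
class InlineTextBox : public InlineBox {
 public:
  InlineTextBox() : InlineBox(true) {}
  bool IsInlineTextBox() const override { return true; }
  int Length() const { return 3; }  // constructed value
};
// Hypothetical box whose IsText() is true although it is not an InlineTextBox.
class OtherTextBox : public InlineBox {
 public:
  OtherTextBox() : InlineBox(true) {}
};
// Stand-in for the CFI-checked cast: records the type mismatch instead of trapping.
int g_bad_casts = 0;
const InlineTextBox* ToInlineTextBox(const InlineBox* box) {
  if (box && !box->IsInlineTextBox()) { ++g_bad_casts; return nullptr; }
  return static_cast<const InlineTextBox*>(box);
}
// Before the fix: gate on IsText(), then downcast.
int LengthBuggy(const InlineBox* box) {
  if (!box->IsText()) return 0;
  const InlineTextBox* text = ToInlineTextBox(box);
  return text ? text->Length() : -1;  // -1: the cast was rejected
}

// After the fix: gate on the predicate the cast actually requires.
int LengthFixed(const InlineBox* box) {
  if (!box->IsInlineTextBox()) return 0;
  return ToInlineTextBox(box)->Length();
}

// Runs a variant over a constructed box list and returns how many bad casts it caused.
int BadCastsFor(int (*variant)(const InlineBox*)) {
  std::vector<std::unique_ptr<InlineBox>> boxes;
  boxes.push_back(std::make_unique<InlineTextBox>());
  boxes.push_back(std::make_unique<OtherTextBox>());
  boxes.push_back(std::make_unique<InlineBox>(false));
  int before = g_bad_casts;
  for (const auto& b : boxes) variant(b.get());
  return g_bad_casts - before;
}
```

Over the same three boxes, LengthBuggy produces one rejected cast and LengthFixed none; the lesson is that the predicate guarding a downcast must be the one that implies the target type, not a related content flag.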
Apr 21 2018
ClusterFuzz testcase 4696826742308864 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 21 2018
ClusterFuzz has detected this issue as fixed in range 552429:552471.

Detailed report: https://clusterfuzz.com/testcase?key=5112359342047232
Fuzzer: inferno_twister_c
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x558219fe9fd0
Crash State:
  Bad-cast to blink::InlineTextBox from blink::InlineBox
  blink::ToInlineTextBox
  bool blink::IsAfterAtomicInlineOrLineBreak<blink::TraversalLeft<blink::EditingAlgorithm<blink::NodeTraversal> > >
Sanitizer: cfi (CFI)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=551369:551408
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=552429:552471
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5112359342047232

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 28
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by vakh@chromium.org, Apr 19 2018
Components: Blink>JavaScript
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)