Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/a9452b946b7b853ca56032f073bd7cc00d3a7db2 ([IncrementalShadowDOM] Make some of UpdateDistribuion call RecalcAssignments).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The CL is unlikey to be related, because changing UpdateDistribution to UpdateDistributionForFlatTreeTraversal is just renaming.

This looks one of editing's issues.

It seems flat tree is unstable by two animation frames from MARQUEE, which changes
left-top coordinate of child nodes, and requested animation frame, which does
"selectAll".

Hi flackr, could you take a look and assign it to appropriate person?

When I bisected this using bisect-builds.py it pointed at https://chromium.googlesource.com/chromium/src/+/822be90274eab3c047fea8cf2d7dd35cd5d0db49 being the first failure, and this still works if I manually disable the SlotInFlatTree feature. If it's an animations bug I apologize but from #4 I got that the flat tree was not correctly handling animation related changes to it? If it is an animations bug can you help explain what has gone wrong?

This has nothing to do with shadow dom distribution update. It crashes there because we pass in a nullptr from the editing code. The general issue is with adjusting a selection where the editability of the start and end points of a selection do not match, and there is a slot involved, most likely due to the slot being display:contents.

It all starts here:

https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/editing/selection_adjuster.cc?q=selection_adjuster.cc&sq=package:chromium&l=741

This is most likely related or the same as issues  827897  and  836934  which I have not been able to figure out what's wrong yet. This issue seems to have a much smaller repro though.

I've used several days on this, and the blocked bugs, without being able to figure out how the code is supposed to work.

I've made a simplified test (attached). What I've found is that we end up with a null end position in AdjustSelectionEndToAvoidCrossingEditingBoundaries and it seems to be because we are moving between flat tree and dom tree positions.

We are adjusting the end position at "B" here because the start position is not editable (a text node inserted between head and body, not shown here) and the end position is, because editability propagates down the dom tree, not flat tree:

BODY (editable)
	#text "A"
	DIV id="host" (editable)
		#shadow-root(Open)
			STYLE
				#text "slot {display:block}"
			DIV
				SLOT
*		#text "B"
	#text "\n"
	SCRIPT (editable)


display:contents does not seem to be an issue as setting display:block/inline on the slot still makes this code crash. The difference is that the slot is part of the flat tree. Without the slot in the flat tree, the position above the initial one with the "B" as an anchor is DIV as the anchor with offset 0 pointing at the "B". Converting that into a dom position uses the "B" and constructs a DOM position with the parent of "B" as an anchor which is DIV#host. With slots being part of the flat tree, the SLOT becomes and anchor for the "B" in the flat tree position. At some point in the while loop of AdjustSelectionEndToAvoidCrossingEditingBoundaries, we end up stopping with an empty position because the current position is not editable. Note that the position of the SLOT (with the parent DIV as anchor) is not editable.

It seems problematic mix flat and dom tree positions here. Note that we start out in this case with start and end points in the same shadow scope with different editability, but end up moving into the shadow tree where the "B" is slotted where we get lost somehow.

This is about as far as I get, I think.

yosin@ do you have any ideas how to proceed?

Missed the attachment.

Deleted: crash.html 266 bytes

crash.html 266 bytes View Download

Hit NOTREACHED() at selection_adjuster.cc(741)

    const PositionTemplate<Strategy>& end =
        AdjustSelectionEndToAvoidCrossingEditingBoundaries(
            range.EndPosition(), end_root, base_editable_ancestor);
    if (end.IsNull()) {
      // The selection crosses an Editing boundary.  This is a
      // programmer error in the editing code.  Happy debugging!
      NOTREACHED();
      return {};
    }

ClusterFuzz has detected this issue as fixed in range 559423:559424.

Detailed report: https://clusterfuzz.com/testcase?key=4949985603616768

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::UpdateDistributionInternal
  UpdateDistributionForFlatTreeTraversal
  blink::ComparePositions
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=553489:553490
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=559423:559424

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4949985603616768

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4949985603616768 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.