Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1324be868df000cb2e070199ce2d10cd0c5a2706 (Make NextWordPosition() to utilize TextOffsetMapping).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Hi xiaochengh@ - mind taking a look while Tokyo base folk are out?

*** Bulk Edit ***
M67 Stable promotion is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. 

If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.

Assigning back to yosin@ for the same reason as in  issue 838588 .

Besides, the culprit CL is already reverted in M67: crrev.com/c/1013445, so it (together with all issues related to TextOffsetMapping) shouldn't be an RBS for M67.

I'm wondering how ClusterFuzz could possibly find impact in 67.0.3396.30...

*** Bulk Edit ***
M67 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. 

If fix is already merged to M67 and nothing else is pending, pls mark the bug as fixed. Thank you.

I'm working on M68 branch now.

http://crrev.com/c/1018923 should fix this issue.

ClusterFuzz has detected this issue as fixed in range 557408:557410.

Detailed report: https://clusterfuzz.com/testcase?key=6489807044476928

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::SlotAssignment::Trace
  blink::ScriptWrappable::Wrap
  blink::TextOffsetMapping::TextOffsetMapping
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=550102:550107
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=557408:557410

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6489807044476928

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6489807044476928 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot