OBJECT tag causes editing boundary adjuster to crash
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6220949888958464

Fuzzer: attekett_dom_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ComparePositions
  blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > bli
  blink::SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=553489:553490

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6220949888958464

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
May 27 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
May 28 2018
The repro case crashes even before the a9452b946b7b853ca56032f073bd7cc00d3a7db2. I got the following stack trace:

Received signal 6
#0 0x7f9cc88868fc base::debug::StackTrace::StackTrace()
#1 0x7f9cc88863d1 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f9cc89020c0 <unknown>
#3 0x7f9cbec7bfcf gsignal
#4 0x7f9cbec7d3fa abort
#5 0x7f9cc88851d5 base::debug::BreakDebugger()
#6 0x7f9cc87c8908 logging::LogMessage::~LogMessage()
#7 0x7f9cc286e21c blink::EditingBoundaryAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries<>()
#8 0x7f9cc286b62d blink::SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries()
#9 0x7f9cc28abd7f blink::VisibleSelectionTemplate<>::CreateWithGranularity()
#10 0x7f9cc28abaf0 blink::CreateVisibleSelection()
#11 0x7f9cc28747d4 blink::SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded()
#12 0x7f9cc2874475 blink::SelectionEditor::ComputeVisibleSelectionInFlatTree()
#13 0x7f9cc2825e3e blink::FrameSelection::SelectionHasFocus()
#14 0x7f9cc28260d5 blink::FrameSelection::IsHidden()
#15 0x7f9cc284a069 blink::LayoutSelection::Commit()
#16 0x7f9cc2e3d941 blink::LayoutView::CommitPendingSelection()
#17 0x7f9cc3037a39 blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal()
#18 0x7f9cc3037535 blink::PaintLayerCompositor::UpdateIfNeededRecursive()
#19 0x7f9cc29dd6b6 blink::LocalFrameView::UpdateLifecyclePhasesInternal()
#20 0x7f9cc29dd267 blink::LocalFrameView::UpdateAllLifecyclePhases()
#21 0x7f9cc2fd4f8e blink::PageAnimator::UpdateAllLifecyclePhases()
#22 0x7f9cc2925188 blink::WebViewImpl::UpdateLifecycle()
#23 0x7f9cc2a44088 blink::WebViewFrameWidget::UpdateLifecycle()
#24 0x7f9cc7dafa42 content::RenderWidget::UpdateVisualState()
#25 0x7f9cc65317f5 cc::ProxyMain::BeginMainFrame()

yosin@, yoichio@, could you take a look?
May 28 2018
Lower to P3 since it is caused by unusual HTML.
Jul 19
ClusterFuzz has detected this issue as fixed in range 575974:575975.

Detailed report: https://clusterfuzz.com/testcase?key=6220949888958464

Fuzzer: attekett_dom_fuzzer
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ComparePositions
  blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > bli
  blink::SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=553489:553490
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=575974:575975

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6220949888958464

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 19
ClusterFuzz testcase 6220949888958464 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, May 27 2018
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)