Null-dereference READ in blink::Node::MayContainLegacyNodeTreeWhereDistributionShouldBeSupported
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5764351647285248
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::MayContainLegacyNodeTreeWhereDistributionShouldBeSupported
  blink::Node::UpdateDistributionInternal
  UpdateDistributionForFlatTreeTraversal
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=559423:559424
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5764351647285248
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
May 29 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
May 31 2018
yosin@, I've seen not a few similar crashes reported by ClusterFuzz this week. They use "SelectAll" and the stack trace always shows blink::ComparePositions. For any of them I can repro the crash *without* IncrementalShadowDOM. ClusterFuzz believes the CL of Incremental Shadow DOM is the cause for unknown reasons. Maybe the stack trace would be changed. Could you work on this?
Jun 1 2018
Minimal repro HTML:
<!doctype html>
<body contenteditable>
<details>
<summary>abc</summary>
</details>
</body>
<script>
document.execCommand('selectAll');
</script>
Jun 1 2018
Hit NOTREACHED() at L741 in AdjustSelectionToAvoidCrossingEditingBoundaries()
# Stack trace
EditingBoundaryAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::EphemeralRangeTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & range, const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & base) Line 742 C++
EditingBoundaryAdjuster::AdjustSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & shadow_adjusted_selection) Line 572 C++
SelectionAdjuster::AdjustSelectionToAvoidCrossingEditingBoundaries(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 766 C++
ComputeVisibleSelection<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & passed_selection, blink::TextGranularity granularity) Line 254 C++
VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::CreateWithGranularity(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection, blink::TextGranularity granularity) Line 85 C++
VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Create(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 61 C++
CreateVisibleSelection(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 70 C++
SelectionEditor::UpdateCachedVisibleSelectionInFlatTreeIfNeeded() Line 402 C++
SelectionEditor::ComputeVisibleSelectionInFlatTree() Line 87 C++
FrameSelection::ComputeVisibleSelectionInFlatTree() Line 127 C++
FrameSelection::SelectionHasFocus() Line 410 C++
FrameSelection::IsHidden() Line 451 C++
CalcSelectionRangeAndSetSelectionState(const blink::FrameSelection & frame_selection) Line 753 C++
LayoutSelection::Commit() Line 824 C++
FrameSelection::CommitAppearanceIfNeeded() Line 860 C++
LayoutView::CommitPendingSelection() Line 593 C++
PaintLayerCompositor::UpdateIfNeededRecursiveInternal(blink::DocumentLifecycle::LifecycleState target_state, blink::CompositingReasonsStats & compositing_reasons_stats) Line 243 C++
PaintLayerCompositor::UpdateIfNeededRecursive(blink::DocumentLifecycle::LifecycleState target_state) Line 180 C++
LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState target_state) Line 3031 C++
LocalFrameView::UpdateAllLifecyclePhases() Line 2787 C++
PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame & root_frame) Line 105 C++
PageWidgetDelegate::UpdateLifecycle(blink::Page & page, blink::LocalFrame & root, blink::WebWidget::LifecycleUpdate requested_update) Line 71 C++
WebViewImpl::UpdateLifecycle(blink::WebWidget::LifecycleUpdate requested_update) Line 1818 C++
WebViewFrameWidget::UpdateLifecycle(blink::WebWidget::LifecycleUpdate requested_update) Line 67 C++
WebWidget::UpdateAllLifecyclePhases() Line 93 C++
content_shell.exe!content::BlinkTestRunner::TestFinished() Line 500 C++
test_runner.dll!test_runner::TestRunner::WorkQueue::ProcessWorkSoon() Line 1535 C++
test_runner.dll!test_runner::TestRunner::LocationChangeDone() Line 2752 C++
test_runner.dll!test_runner::TestRunner::tryToClearTopLoadingFrame(blink::WebFrame * frame) Line 1932 C++
test_runner.dll!test_runner::WebFrameTestClient::DidStopLoading() Line 500 C++
content_shell.exe!test_runner::WebFrameTestProxy<content::RenderFrameImpl,content::RenderFrameImpl::CreateParams>::DidStopLoading() Line 163 C++
LocalFrameClientImpl::DidStopLoading() Line 631 C++
ProgressTracker::ProgressCompleted() Line 125 C++
FrameLoader::DidFinishNavigation() Line 476 C++
Document::CheckCompleted() Line 3397 C++
FrameLoader::FinishedParsing() Line 447 C++
Document::FinishedParsing() Line 5867 C++
HTMLConstructionSite::FinishedParsing() Line 621 C++
HTMLTreeBuilder::Finished() Line 2750 C++
HTMLDocumentParser::end() Line 893 C++
HTMLDocumentParser::AttemptToRunDeferredScriptsAndEnd() Line 906 C++
HTMLDocumentParser::PrepareToStopParsing() Line 239 C++
HTMLDocumentParser::ProcessTokenizedChunkFromBackgroundParser(std::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk,std::default_delete<blink::HTMLDocumentParser::TokenizedChunk> > pop_chunk) Line 544 C++
HTMLDocumentParser::PumpPendingSpeculations() Line 590 C++
HTMLDocumentParser::ResumeParsingAfterYield() Line 267 C++
HTMLParserScheduler::ContinueParsing() Line 150 C++
Jun 1 2018
Selection: DIV@0 in #shadow-root, "abc"@3
- HighestEditableRootOf(DIV@0) = null and
- HighestEditableRoot("abc"@3) = BODY.
DOM tree:
<body contenteditable>
<details>
#shadow-root (user-agent)
<div pseudo="-webkit-details-marker" id="details-marker"></div>
<slot name="user-agent-default-slot">
"abc"
</slot>
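The boundary condition described in the comment above, as an added example that is not Blink code and not part of the bug report: a small flat-tree model in JavaScript that rebuilds the DOM tree from the comment (body contenteditable, details with its user-agent shadow root holding the marker div and the default slot, and the light-DOM text "abc") and computes the highest editable root of both selection endpoints. The node model, the helper names (makeNode, flatTreeParent, highestEditableRoot, buildDetailsTree, selectionCrossesEditingBoundary) and two modelling assumptions are mine: a node inside a user-agent shadow tree is never editable, which is what makes HighestEditableRootOf(DIV@0) null as the comment reports, and a light-DOM node is editable when it or a flat-tree ancestor carries contenteditable. The user-agent default slot is modelled as the unnamed default slot.

```javascript
// Added example, not Blink code: a flat-tree model of the DOM tree in the
// comment above. Assumptions: nodes inside a user-agent shadow tree are never
// editable; light-DOM nodes inherit contenteditable along the flat tree.

function makeNode(name, opts) {
  opts = opts || {};
  return {
    name: name,
    parent: null,                   // DOM parent (the ShadowRoot for shadow children)
    children: [],
    contentEditable: !!opts.contentEditable,
    shadowRoot: null,               // ShadowRoot hosted by this element
    host: null,                     // on a ShadowRoot: its host element
    userAgent: !!opts.userAgent,    // on a ShadowRoot: user-agent tree
    isSlot: !!opts.isSlot,
    slotFor: opts.slotFor || '',    // <slot name="...">; '' is the default slot
    slotName: opts.slotName || '',  // slot="..." on a light-DOM child
  };
}

function append(parent, child) {
  parent.children.push(child);
  child.parent = parent;
  return child;
}

function attachShadow(host, root) {
  host.shadowRoot = root;
  root.host = host;
  return root;
}

// ShadowRoot containing `node` (walking DOM parents), or null for light-DOM nodes.
function containingShadowRoot(node) {
  let n = node;
  while (n && !n.host) n = n.parent;
  return n;
}

// The <slot> in `root`'s subtree whose name attribute matches `name`.
function findSlot(root, name) {
  const stack = root.children.slice();
  while (stack.length) {
    const n = stack.pop();
    if (n.isSlot && n.slotFor === name) return n;
    for (const c of n.children) stack.push(c);
  }
  return null;
}

// Flat-tree parent: a light-DOM child of a shadow host goes to the slot it is
// assigned to, a child of a ShadowRoot goes to the host, anything else keeps
// its DOM parent.
function flatTreeParent(node) {
  const p = node.parent;
  if (!p) return null;
  if (p.host) return p.host;
  if (p.shadowRoot) return findSlot(p.shadowRoot, node.slotName);
  return p;
}

function isEditable(node) {
  const sr = containingShadowRoot(node);
  if (sr && sr.userAgent) return false;  // assumption: UA shadow content is never editable
  for (let n = node; n; n = flatTreeParent(n)) {
    if (n.contentEditable) return true;
  }
  return false;
}

// Outermost contenteditable flat-tree ancestor, or null when `node` is not editable.
function highestEditableRoot(node) {
  if (!isEditable(node)) return null;
  let root = null;
  for (let n = node; n; n = flatTreeParent(n)) {
    if (n.contentEditable) root = n;
  }
  return root;
}

function rootName(node) {
  const r = highestEditableRoot(node);
  return r ? r.name : null;
}

// The tree from the comment: <body contenteditable><details> with its
// user-agent shadow root (marker div + default slot) and the light-DOM text "abc".
function buildDetailsTree(bodyEditable) {
  const body = makeNode('BODY', { contentEditable: bodyEditable });
  const details = append(body, makeNode('DETAILS'));
  const abc = append(details, makeNode('"abc"'));
  const shadow = attachShadow(details, makeNode('#shadow-root', { userAgent: true }));
  const marker = append(shadow, makeNode('DIV#details-marker'));
  // Modelled as the unnamed default slot (assumption about the UA default slot).
  append(shadow, makeNode('SLOT[name=user-agent-default-slot]', { isSlot: true, slotFor: '' }));
  return { body: body, details: details, abc: abc, shadow: shadow, marker: marker };
}

// Selection DIV@0 (base) .. "abc"@3 (extent): the roots differ (null vs BODY),
// which is the editing-boundary crossing the adjuster is asked to resolve.
function selectionCrossesEditingBoundary(baseNode, extentNode) {
  return highestEditableRoot(baseNode) !== highestEditableRoot(extentNode);
}
```

With the tree built by buildDetailsTree(true), rootName(marker) is null and rootName(abc) is 'BODY', so selectionCrossesEditingBoundary(marker, abc) is true; with contenteditable removed from body both roots are null and no boundary is crossed, which is why the same markup without contenteditable does not reach the adjuster's NOTREACHED().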
Jun 1 2018
yoichio@, could you take a look at this? Let's make LayoutSelection::Commit() not crash by getting rid of the call to FrameSelection::IsHidden() in CalcSelectionRangeAndSetSelectionState(), checking the focus element during selection range traversal instead.
Jul 19
ClusterFuzz has detected this issue as fixed in range 575974:575975.
Detailed report: https://clusterfuzz.com/testcase?key=5764351647285248
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000011
Crash State:
  blink::Node::MayContainLegacyNodeTreeWhereDistributionShouldBeSupported
  blink::Node::UpdateDistributionInternal
  UpdateDistributionForFlatTreeTraversal
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=559423:559424
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=575974:575975
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5764351647285248
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 19
ClusterFuzz testcase 5764351647285248 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, May 29 2018
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)