Security DCHECK failure: !node || (node->IsHTMLElement()) in html_element.h

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4762141815734272
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Security DCHECK failure
Crash Address:
Crash State:
  !node || (node->IsHTMLElement()) in html_element.h
  blink::WebFormElementObserverImpl::ObserverCallback::Deliver
  blink::MutationObserver::Deliver
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=534032:534037
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4762141815734272

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 8

Jul 8

Jul 9

Jul 9
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/5ce8880baa741c8e31cfd47ede17490128590488

commit 5ce8880baa741c8e31cfd47ede17490128590488
Author: Dominic Battre <battre@chromium.org>
Date: Mon Jul 09 21:38:35 2018

Fix DCHECK in WebFormElementObserverImpl

The WebFormElementObserverImpl made an incorrect but also totally unnecessary cast of a Node to an HTMLElement. This edge case was discovered by the fuzzer where a form was inside an <svg> element, whose style attribute was changed, but which could not be cast to HTMLElement.

Bug: 861571
Change-Id: I62c8238e25ef39e662dc154a1f2bd772667ec52f
Reviewed-on: https://chromium-review.googlesource.com/1128973
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Dominic Battré <battre@chromium.org>
Cr-Commit-Position: refs/heads/master@{#573458}

[modify] https://crrev.com/5ce8880baa741c8e31cfd47ede17490128590488/third_party/blink/renderer/core/exported/web_form_element_observer_impl.cc
Jul 10

Jul 10
ClusterFuzz has detected this issue as fixed in range 573455:573464.

Detailed report: https://clusterfuzz.com/testcase?key=4762141815734272
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Security DCHECK failure
Crash Address:
Crash State:
  !node || (node->IsHTMLElement()) in html_element.h
  blink::WebFormElementObserverImpl::ObserverCallback::Deliver
  blink::MutationObserver::Deliver
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=534032:534037
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=573455:573464
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4762141815734272

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 10
ClusterFuzz testcase 4762141815734272 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 10
This should be a very safe merge request.
Jul 10
This bug requires manual review: We are only 13 days from stable. Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Jul 10

Jul 10
Merge approved - branch:3440
Jul 10
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/dfedb6c16fd15322203a0f5c9d699f910bea2d5f

commit dfedb6c16fd15322203a0f5c9d699f910bea2d5f
Author: Dominic Battre <battre@chromium.org>
Date: Tue Jul 10 20:02:43 2018

Fix DCHECK in WebFormElementObserverImpl

The WebFormElementObserverImpl made an incorrect but also totally unnecessary cast of a Node to an HTMLElement. This edge case was discovered by the fuzzer where a form was inside an <svg> element, whose style attribute was changed, but which could not be cast to HTMLElement.

TBR=battre@chromium.org

(cherry picked from commit 5ce8880baa741c8e31cfd47ede17490128590488)

Bug: 861571
Change-Id: I62c8238e25ef39e662dc154a1f2bd772667ec52f
Reviewed-on: https://chromium-review.googlesource.com/1128973
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Commit-Queue: Dominic Battré <battre@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#573458}
Reviewed-on: https://chromium-review.googlesource.com/1131939
Reviewed-by: Dominic Battré <battre@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#639}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}

[modify] https://crrev.com/dfedb6c16fd15322203a0f5c9d699f910bea2d5f/third_party/blink/renderer/core/exported/web_form_element_observer_impl.cc
Jul 10
ifratric@ can you please comment on whether this needs to be merged to M67 as well?
Jul 23

Jul 27

Oct 16
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jul 8
Owner: battre@chromium.org
Status: Assigned (was: Untriaged)