Issue 866431

Issue metadata

Status: WontFix
Owner:
Closed: Sep 26
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 3
Type: Bug

Null-dereference READ in blink::FlatTreeTraversalNg::TraverseParent for display: list-item

Reported by ClusterFuzz (Project Member), Jul 23

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6378192475258880

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::FlatTreeTraversalNg::TraverseParent
  blink::TraversalAncestorsIterator<class blink::FlatTreeTraversal>::TraversalAnce
  blink::MarkSelected
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=577113:577114

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6378192475258880

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jul 23

Labels: Test-Predator-Auto-Owner
Owner: yoichio@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/5d3212dab69f0b09168daaf14e3634e0a9d5ae62 (Stabilize LayoutSelection).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

#0 0x7fff0e46f7d9 in blink::FlatTreeTraversalNg::TraverseParent(class blink::Node const &,class blink::LayoutTreeBuilderTraversal::ParentDetails *) ./../../third_party/blink/renderer/core/dom/flat_tree_traversal_ng.cc:168:12
#1 0x7fff0cb7a649 in blink::TraversalAncestorsIterator<class blink::FlatTreeTraversal>::TraversalAncestorsIterator<class blink::FlatTreeTraversal>(class blink::Node const *) ./../../third_party/blink/renderer/core/dom/node_traversal.h:209:46
#2 0x7fff0ef2bf3c in blink::MarkSelected ./../../third_party/blink/renderer/core/editing/layout_selection.cc:409:3
#3 0x7fff0ef2fce8 in blink::LayoutSelection::Commit(void) ./../../third_party/blink/renderer/core/editing/layout_selection.cc:882:7
#4 0x7fff0ca94556 in blink::LayoutView::CommitPendingSelection(void) ./../../third_party/blink/renderer/core/layout/layout_view.cc:590:39
#5 0x7fff0e375d9e in blink::PaintLayerCompositor::UpdateIfNeededRecursiveInternal(enum blink::DocumentLifecycle::LifecycleState,struct blink::CompositingReasonsStats &) ./../../third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.cc:238:16
#6 0x7fff0e3754d1 in blink::PaintLayerCompositor::UpdateIfNeededRecursive(enum blink::DocumentLifecycle::LifecycleState) ./../../third_party/blink/renderer/core/paint/compositing/paint_layer_compositor.cc:176:3
#7 0x7fff0ca4808b in blink::LocalFrameView::UpdateLifecyclePhasesInternal(enum blink::DocumentLifecycle::LifecycleState) ./../../third_party/blink/renderer/core/frame/local_frame_view.cc:2457:36
#8 0x7fff0e3415a5 in blink::PageAnimator::UpdateAllLifecyclePhases(class blink::LocalFrame &) ./../../third_party/blink/renderer/core/page/page_animator.cc:107:9
#9 0x7fff0cc5552c in blink::WebViewImpl::UpdateLifecycle

Maybe display: list-item;?
Cc: yoichio@chromium.org
Issue 866425 has been merged into this issue.

Comment 4 by ClusterFuzz (Project Member), Jul 24

Labels: OS-Mac OS-Linux

Comment 5 by ClusterFuzz (Project Member), Jul 24

Components: Blink>DOM Blink>Editing
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Issue 866745 has been merged into this issue.
Labels: -Pri-1 Pri-3
I'm going to change the first-letter-part selection impl by moving the SelectionStatus bit from LayoutObject to Node. This would be fixed as a result.
Components: -Blink>DOM
Labels: Test-Predator-Wrong-Components
Summary: Null-dereference READ in blink::FlatTreeTraversalNg::TraverseParent for display: list-item (was: Null-dereference READ in blink::FlatTreeTraversalNg::TraverseParent)

Comment 10 by ClusterFuzz (Project Member), Jul 27

Labels: Fuzz-Blocker ReleaseBlock-Beta M-70
This crash occurs very frequently on mac platform and is likely preventing the fuzzer marty_html_twiddler from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.
Labels: -ReleaseBlock-Beta -M-70 ClusterFuzz-Wrong
Until the frequency of the crash in the wild is shown, it must not be a blocker.

Comment 12 by ClusterFuzz (Project Member), Aug 4

ClusterFuzz has detected this issue as fixed in range 580463:580464.

Detailed report: https://clusterfuzz.com/testcase?key=6378192475258880

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::FlatTreeTraversalNg::TraverseParent
  blink::TraversalAncestorsIterator<class blink::FlatTreeTraversal>::TraversalAnce
  blink::MarkSelected
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=577113:577114
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=580463:580464

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6378192475258880

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: WontFix (was: Assigned)