CHECK failure: state_stack_.size() && state_stack_.back().type == StateEntry::kClip. Error: Chu
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4670049554792448
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  state_stack_.size() && state_stack_.back().type == StateEntry::kClip. Error: Chu
  blink::ConversionContext::SwitchToClip
  blink::ConversionContext::SwitchToChunkState
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=543289:543291
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670049554792448

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 31
Predator and CL could not provide any possible suspects. Using the code search for the file, “paint_chunks_to_cc_layer.cc” assigning to owner concerned from GIT blame. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/b7e8c6eb13e6eb297747b9e394854408b3f29195 @wangxianzhu -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You.
Jul 31
Also, cc'ing the reviewer of the suspecting commit.
Jul 31
Adjusted assignment to account for absent owners.
Jul 31
Reduced testcase:
<dl style="-webkit-column-width: 1px"> <dd style="display: -webkit-inline-box;" contenteditable="plaintext-only"> <embed type="JavaScript1.5"> <dl style="column-width: 63px; filter: brightness(0);"> </dl> </embed>
Aug 1
Here's a reduced case without using deprecated flexible box (note: lack of spaces is important):
<div id="outer" style="column-width: 10px"><div id="mid" style="display: flex;" contenteditable="plaintext-only">aa<div id="inner" style="column-width: 10px; filter: brightness(0);">b</div></div></div>
Aug 1
So, what happens here is that:
- the document has a clip C0
- "outer" establishes a multicol flow and sets clip C1 for the first column
- "mid" draws some content with this C1 and E0 (no effect)
- inner draws with C1 and E1 (brightness effect)
- it also establishes a multicol flow and sets clip C2 for the first column
- this means we would normally apply the clip if C2 was parented to C1, which seems like a reasonable case.

However, the clip tree is constructed such that both C1 and C2 are parented to C0, meaning in order to process this we need to undo C1. However, C1 was followed by E1, which means we have to undo the effect first, which is what causes the DCHECK.

I've found the spot that the parenting of C2 escapes to C0, and it's https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/paint/paint_property_tree_builder.cc?l=2218

Reading the comments surrounding that, it seems like the code is aware that it might be in a nested multicol and tries to match the logical top to find the right fragment. It fails to do so, so it falls through to this code, and we try to do our best to set a clip of the container's content clip, which happens to be C0, and we end up with a wrong clip tree construction.

The clip escapes because the location is outside of the logical width of the parent flow; it's covered by this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=803649 and this comment: https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/paint/paint_property_tree_builder.cc?l=2110

In my estimation, this case is extremely rare, where we have nested multicol with filters that align just right to cause this situation. I'm going to pause investigating this and pass this to wangxianzhu since he's the expert in the code. I'll update if I get back to this before wangxianzhu returns.
Aug 3
ClusterFuzz has detected this issue as fixed in range 580254:580262.

Detailed report: https://clusterfuzz.com/testcase?key=4670049554792448
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  state_stack_.size() && state_stack_.back().type == StateEntry::kClip. Error: Chu
  blink::ConversionContext::SwitchToClip
  blink::ConversionContext::SwitchToChunkState
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=543289:543291
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=580254:580262
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4670049554792448

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 3
ClusterFuzz testcase 4670049554792448 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 6
Comment 1 by ClusterFuzz, Jul 31
Labels: Test-Predator-Auto-Components