Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/9177956013985e9f783b66aca45ddba78efee413 ([PE] Support float, block, table descendants for background-clip:text).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6819be079703da122ed7469cd8221fe9dc96391d

commit 6819be079703da122ed7469cd8221fe9dc96391d
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Fri Sep 07 05:51:32 2018

Revert "[PE] Support float, block, table descendants for background-clip:text"

This reverts commit 9177956013985e9f783b66aca45ddba78efee413.

Reason for revert: The layout object to paint text clip might not be
LayoutBlock.

Bug:  881644 

Original change's description:
> [PE] Support float, block, table descendants for background-clip:text
> 
> In https://chromium-review.googlesource.com/c/chromium/src/+/1197462
> we changed box_model_.Paint() to LineBoxListPainter so we no longer
> supported text clip for descendants other than inline contents.
> 
> This CL calls ToLayoutBlock(box_model_).PaintObject() to support text
> clip of other descendants, and still avoid the original double paint
> offset issue of box_model_.Paint().
> 
> Bug:  880825 
> Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
> Change-Id: I2c4b0e23df11bf300c01f9c804fb7e7d129f3aa0
> Reviewed-on: https://chromium-review.googlesource.com/1211244
> Reviewed-by: Philip Rogers <pdr@chromium.org>
> Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#589314}

TBR=wangxianzhu@chromium.org,pdr@chromium.org

Change-Id: Id26f9f690884300fceb4bdaf3e4f3fb2aad4fc04
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  880825 
Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Reviewed-on: https://chromium-review.googlesource.com/1212483
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#589443}
[delete] https://crrev.com/e7492cbb3c87c15a7a17b9d228a726a8e615131a/third_party/WebKit/LayoutTests/paint/background/background-clip-text-descendants-expected.html
[delete] https://crrev.com/e7492cbb3c87c15a7a17b9d228a726a8e615131a/third_party/WebKit/LayoutTests/paint/background/background-clip-text-descendants.html
[modify] https://crrev.com/6819be079703da122ed7469cd8221fe9dc96391d/third_party/blink/renderer/core/paint/box_model_object_painter.cc

ClusterFuzz has detected this issue as fixed in range 589442:589443.

Detailed report: https://clusterfuzz.com/testcase?key=5187314031263744

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x105920620000
Crash State:
  Bad-cast to const blink::LayoutBlock from blink::LayoutEmbeddedObject
  blink::BoxModelObjectPainter::PaintTextClipMask
  blink::BoxPainterBase::PaintFillLayerTextFillBox
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=589311:589315
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=589442:589443

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5187314031263744

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5187314031263744 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot