Null-dereference READ in blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Fir
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5341542645235712

Fuzzer: bj_broddelwerk
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Fir
  blink::TextOffsetMapping::InlineContents::GetRange
  blink::TextOffsetMapping::TextOffsetMapping

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=604151:604156

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5341542645235712

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.

Nov 1
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/350228ed5cd0e43c4ce2a5a04fe58eb86f5270e8 (Make PreviousWordPosition() utilitize TextSegments class). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Nov 2
Manual minimization:
<style>
table::after{
content:close-quote;
float:right;
}
</style>
<table></table>foo
<script>
const foo = document.querySelector('table').nextSibling;
getSelection().collapse(foo, 0);
getSelection().modify('move', 'backward', 'word');
</script>
Check failed: CanBeInlineContentsContainer(root_block_flow). 0x1d2c82668108:LayoutTextFragment (anonymous) "" block_flow=0x1d2c82624270:LayoutBlockFlow (floating) <pseudo:after> root_block_flow=0x1d2c82658010:LayoutTableCell (anonymous)
#0 0x55de1c4dbd4f base::debug::StackTrace::StackTrace()
#1 0x55de1c43127b logging::LogMessage::~LogMessage()
#2 0x55de1e6596ad blink::(anonymous namespace)::ComputeInlineContentsAsBlockFlow()
#3 0x55de1e6591e8 blink::TextOffsetMapping::InlineContents::PreviousOf()
#4 0x55de1e659833 blink::TextOffsetMapping::BackwardRange::Iterator::operator++()
#5 0x55de1e658016 blink::TextSegments::FindBoundaryBackward()
#6 0x55de1e659fe7 blink::PreviousWordPosition()
#7 0x55de1e616d80 blink::SelectionModifier::ModifyMovingBackward()
#8 0x55de1e6171d0 blink::SelectionModifier::ComputeModifyPosition()
#9 0x55de1e61733f blink::SelectionModifier::Modify()
Nov 2
Layout tree at crash site:
LayoutView 0x2ec090404010 #document
  LayoutBlockFlow 0x2ec090424010 HTML
    LayoutBlockFlow 0x2ec090424140 BODY
      LayoutTable 0x2ec090434010 TABLE
        LayoutTableSection (anonymous) 0x2ec090444010
          LayoutTableRow (anonymous) 0x2ec090450010
            LayoutTableCell (anonymous) 0x2ec090458010
              LayoutBlockFlow (floating) 0x2ec090424270 <pseudo:after>
                LayoutQuote (anonymous) 0x2ec090468010
*                 LayoutTextFragment (anonymous) 0x2ec090468108 ""
      LayoutBlockFlow (anonymous) 0x2ec0904243a0
        LayoutText 0x2ec09046c010 #text "foo\n"
Analysis:
Due to floating table::after, we create anonymous LayoutTableSection, LayoutTableRow and LayoutTableCell as its anonymous wrappers inside the table. Then we crash when trying to use the anonymous LayoutTableCell, which is a block flow, as the current block flow for TextOffsetMapping.
We should skip such anonymous wrappers for pseudo elements.
Nov 5
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/064f56b2085bc9f4f9d4dd513a78aceb3069b21b

commit 064f56b2085bc9f4f9d4dd513a78aceb3069b21b
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Mon Nov 05 06:03:52 2018

Make TextOffsetMapping skip anonymous block flow wrappers for pseudo elements

In some cases, we create anonymous block flow wrappers for float pseudo elements. Such wrappers should be skipped by TextOffsetMapping.

Bug: 900906
Change-Id: I7f9ce5906ed8b2daaff3b0c9310e639d932ae5d0
Reviewed-on: https://chromium-review.googlesource.com/c/1315701
Commit-Queue: Xiaocheng Hu <xiaochengh@chromium.org>
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#605262}

[modify] https://crrev.com/064f56b2085bc9f4f9d4dd513a78aceb3069b21b/third_party/blink/renderer/core/editing/text_offset_mapping.cc
[modify] https://crrev.com/064f56b2085bc9f4f9d4dd513a78aceb3069b21b/third_party/blink/renderer/core/editing/text_offset_mapping_test.cc

Nov 5
ClusterFuzz has detected this issue as fixed in range 605261:605262.

Detailed report: https://clusterfuzz.com/testcase?key=5341542645235712

Fuzzer: bj_broddelwerk
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::Fir
  blink::TextOffsetMapping::InlineContents::GetRange
  blink::TextOffsetMapping::TextOffsetMapping

Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=604151:604156
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=605261:605262

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5341542645235712

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 5
ClusterFuzz testcase 5341542645235712 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 1
Labels: Test-Predator-Auto-Components