This may be the cause of issue 589773.

It hits an assertion:
ASSERTION FAILED: !extraRowSpanningHeight
../../third_party/WebKit/Source/core/layout/LayoutTableSection.cpp(663) : void blink::LayoutTableSection::distributeRowSpanHeightToRows(SpanningLayoutTableCells &)

If I ignore this, it hits:
ASSERTION FAILED: !object.frameView()->isInPerformLayout()
../../third_party/WebKit/Source/core/layout/DepthOrderedLayoutObjectList.cpp(15) : void blink::DepthOrderedLayoutObjectList::add(blink::LayoutObject &)

#2 0x7f3e1517452e blink::DepthOrderedLayoutObjectList::add()
#3 0x7f3e14f2db64 blink::FrameView::scheduleRelayoutOfSubtree()
#4 0x7f3e1518f782 blink::LayoutBlock::dirtyForLayoutFromPercentageHeightDescendants()
#5 0x7f3e151a130d blink::LayoutBlockFlow::layoutBlockChildren()
#6 0x7f3e1519c8e1 blink::LayoutBlockFlow::layoutBlockFlow()
#7 0x7f3e1519c290 blink::LayoutBlockFlow::layoutBlock()
#8 0x7f3e1518c429 blink::LayoutBlock::layout()
#9 0x7f3e1519da53 blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded()
#10 0x7f3e1519dbb9 blink::LayoutBlockFlow::layoutBlockChild()
#11 0x7f3e151a1662 blink::LayoutBlockFlow::layoutBlockChildren()
#12 0x7f3e1519c8e1 blink::LayoutBlockFlow::layoutBlockFlow()
#13 0x7f3e1519c290 blink::LayoutBlockFlow::layoutBlock()
#14 0x7f3e1518c429 blink::LayoutBlock::layout()
#15 0x7f3e152ddefe blink::LayoutSVGForeignObject::layout()
#16 0x7f3e152f7711 blink::SVGLayoutSupport::layoutChildren()
#17 0x7f3e152eff2b blink::LayoutSVGRoot::layout()
#18 0x7f3e14f28552 blink::FrameView::performLayout()

Now I'm not sure whether the issue is in subtree layout or in LayoutSVGForeignObject.

leviw@, fs@, any idea whether:
1. we should allow adding m_layoutSubtreeRootList during layout, or
2. LayoutSVGForeignObject should not dirty layout subtree root
?

In this particular case, dirtyForLayoutFromPercentageHeightDescendants shouldn't lead to a call to markContainerChainForLayout with scheduleRelayout = true. We're in layout and we're marking a descendant as needing layout with the intention of visiting it during this layout. We shouldn't be scheduling it to be laid out later.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1

commit 6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1
Author: kojii <kojii@chromium.org>
Date: Wed Mar 02 01:04:55 2016

Fix SubtreeLayoutScope not to schedule relayout

This patch fixes SubtreeLayoutScope::setNeedsLayout() and
setChildNeedsLayout() not to schedule relayout when they call
markContainerChainForLayout().

The signature of markContainerChainForLayout() allows to schedule
relayout even when SubtreeLayoutScope exists. To not allow scheduling
relayout while we're in layout, this patch changes the signature.

BUG= 590620 

Review URL: https://codereview.chromium.org/1755543002

Cr-Commit-Position: refs/heads/master@{#378639}

[add] https://crrev.com/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-percent-height-assert-expected.txt
[add] https://crrev.com/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-percent-height-assert.html
[modify] https://crrev.com/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1/third_party/WebKit/Source/core/layout/LayoutObject.cpp
[modify] https://crrev.com/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1/third_party/WebKit/Source/core/layout/LayoutObject.h

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1

commit 6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1
Author: kojii <kojii@chromium.org>
Date: Wed Mar 02 01:04:55 2016

ClusterFuzz has detected this issue as fixed in range 378578:378682.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5304655887728640

Fuzzer: attekett_surku_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6030000b96f0
Crash State:
  blink::FrameView::performLayout
  blink::FrameView::layout
  blink::FrameView::updateStyleAndLayoutIfNeededRecursive
  
Recommended Security Severity: Medium

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=378578:378682

Minimized Testcase (1.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv959W1srKEy4e9LArEkDmv5QHi0lDCmb1Sf0bnVeNY-XndezSz3cI35iywuuwTne_JKbxbQl-m1907HYrOXT_pdQTWgT8JdyeAhdMujVuV1fibHerpDVTf1yd3rqDfbzpiwrDDKaOoeHAbAzammHb3WRMk12-A

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Yay, the fix works. Thank you Koji!

Should this be merged to M50? Probably not 49, I guess.

Yeah, right, requesting.

Your change meets the bar and is auto-approved for M50 (branch: 2661)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1fb49bb47cbcb17f44198fc2a906928adf4dbaff

commit 1fb49bb47cbcb17f44198fc2a906928adf4dbaff
Author: Koji Ishii <kojii@chromium.org>
Date: Fri Mar 04 05:16:31 2016

Fix SubtreeLayoutScope not to schedule relayout

This patch fixes SubtreeLayoutScope::setNeedsLayout() and
setChildNeedsLayout() not to schedule relayout when they call
markContainerChainForLayout().

The signature of markContainerChainForLayout() allows to schedule
relayout even when SubtreeLayoutScope exists. To not allow scheduling
relayout while we're in layout, this patch changes the signature.

BUG= 590620 

Review URL: https://codereview.chromium.org/1755543002

Cr-Commit-Position: refs/heads/master@{#378639}
(cherry picked from commit 6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1)

Review URL: https://codereview.chromium.org/1768493002 .

Cr-Commit-Position: refs/branch-heads/2661@{#76}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[add] https://crrev.com/1fb49bb47cbcb17f44198fc2a906928adf4dbaff/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-percent-height-assert-expected.txt
[add] https://crrev.com/1fb49bb47cbcb17f44198fc2a906928adf4dbaff/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-percent-height-assert.html
[modify] https://crrev.com/1fb49bb47cbcb17f44198fc2a906928adf4dbaff/third_party/WebKit/Source/core/layout/LayoutObject.cpp
[modify] https://crrev.com/1fb49bb47cbcb17f44198fc2a906928adf4dbaff/third_party/WebKit/Source/core/layout/LayoutObject.h

> Probably not 49, I guess.

I think so too, adding the label to make sure people who can make the decision can have a look. Please feel free to reject if this does not meet the bar.

Merge approved for M49 (branch 2623). Please note that this will probably not be in next week's stable release (we already have a candidate build on its way). Based on comments (#15 and #11), seems like this is not essential in M49. So, if we have a refresh, this change will be in that cut.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/402601f6de1e6ff85d404bcbfd059573c36c0562

commit 402601f6de1e6ff85d404bcbfd059573c36c0562
Author: Koji Ishii <kojii@chromium.org>
Date: Sat Mar 05 15:25:34 2016

Fix SubtreeLayoutScope not to schedule relayout

This patch fixes SubtreeLayoutScope::setNeedsLayout() and
setChildNeedsLayout() not to schedule relayout when they call
markContainerChainForLayout().

The signature of markContainerChainForLayout() allows to schedule
relayout even when SubtreeLayoutScope exists. To not allow scheduling
relayout while we're in layout, this patch changes the signature.

BUG= 590620 

Review URL: https://codereview.chromium.org/1755543002

Cr-Commit-Position: refs/heads/master@{#378639}
(cherry picked from commit 6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1)

Review URL: https://codereview.chromium.org/1763343002 .

Cr-Commit-Position: refs/branch-heads/2623@{#586}
Cr-Branched-From: 92d77538a86529ca35f9220bd3cd512cbea1f086-refs/heads/master@{#369907}

[add] https://crrev.com/402601f6de1e6ff85d404bcbfd059573c36c0562/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-percent-height-assert-expected.txt
[add] https://crrev.com/402601f6de1e6ff85d404bcbfd059573c36c0562/third_party/WebKit/LayoutTests/fast/layout/subtree-layout-percent-height-assert.html
[modify] https://crrev.com/402601f6de1e6ff85d404bcbfd059573c36c0562/third_party/WebKit/Source/core/layout/LayoutObject.cpp
[modify] https://crrev.com/402601f6de1e6ff85d404bcbfd059573c36c0562/third_party/WebKit/Source/core/layout/LayoutObject.h

The following revision refers to this bug:
  https://chrome-internal.googlesource.com/bling/chromium.git/+/402601f6de1e6ff85d404bcbfd059573c36c0562

commit 402601f6de1e6ff85d404bcbfd059573c36c0562
Author: Koji Ishii <kojii@chromium.org>
Date: Sat Mar 05 15:25:34 2016

Stable RC in progress 49.0.2623.87 includes this changes. If all goes well with the build, this change will go to stable tomorrow.

Congrats Atte - $3500 for this bug ($3000 for the bug, +$500 ClusterFuzz bonus).

CVE-ID is CVE-2016-1644 and this should be listed in the release notes for the M-49 patch release today.

 Issue 588558  has been merged into this issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot