Issue 594489
Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




ASSERTION FAILED: Cannot rewind document lifecycle from InLayoutSubtreeChange to

Reported by ClusterFuzz (Project Member), Mar 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5719999458574336

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: Cannot rewind document lifecycle from InLayoutSubtreeChange to
  blink::DocumentLifecycle::ensureStateAtMost
  blink::FrameView::scheduleRelayout
  

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv961HzXnNmTEGu-im39TbFImT5y4sAeHGvXg17RJUBHmLW60nzCwXCY3e8w0jH-RXjDparMibcOtbSjXpatwsrfh2JAMbahpaMq6XZEnCKdpg9JJTkMMSfGVwz8lqkyAbe8D65H7J65qBOtrpXu_jaZqEaJ0hQ
<body onload="__f_0();" style="-webkit-column-count:3; display:list-item;">
<script>
document.designMode='on';
document.execCommand('selectall');
document.designMode= 'off';
document.execCommand();
</script>


Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Mar 14 2016

Labels: -Type-Bug findit-wrong M-50 Te-Logged Type-Bug-Regression
Owner: danakj@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: schenney
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cc38cba47e5e52d233aba85deb38338d04ea9a33
Time: Tue Oct 06 17:56:08 2015
The CL last changed line 279 of file DocumentLifecycle.cpp, which is stack frame 0.

Author: abarth@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6c73b42ad4481872808de04988c6dd16aeb0f95b
Time: Thu Apr 10 02:43:30 2014
The CL last changed line 1798 of file FrameView.cpp, which is stack frame 1.

Author: weinig
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/fe86369dbc0b7fc28f9b1a6b074d55e9f0df0941
Time: Thu Nov 09 03:55:58 2006
The CL last changed line 2989 of file LayoutObject.cpp, which is stack frame 2.

Author: tkent@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dbe10680c40d3f56b10d6ee1d9168a9803721319
Time: Wed Sep 21 05:38:48 2011
The CL last changed line 837 of file LayoutObject.cpp, which is stack frame 3.

Author: kojii
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1
Time: Wed Mar 02 01:04:55 2016
The CL last changed line 777 of file LayoutObject.cpp, which is stack frame 4.

Author: kojii
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6e396c50a4630c1bd065aaf19244cf8c1fdcd6d1
Time: Wed Mar 02 01:04:55 2016
The CL last changed line 2001 of file LayoutObject.h, which is stack frame 5.

Author: pdr@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/48040ef0dba1a133e7d6fe66e13810bf73000250
Time: Thu Apr 02 03:34:11 2015
The CL last changed line 817 of file LayoutObject.h, which is stack frame 6.

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Layout

=================================================================================
None of the CLs from the Find it look related.

Suspecting: https://codereview.chromium.org/1774943003.

danakj@: Could you please take a look at this and confirm if this could be related to recent changes (Issue 582312).

Thank you!

Comment 2 by danakj@chromium.org, Mar 14 2016

Owner: pdr@chromium.org
Please read CL descriptions when assigning bugs via blame.

pdr@ maybe you can have a look?

Comment 3 by pdr@chromium.org, Mar 15 2016

Components: Blink>Paint
Labels: -Pri-1 -M-50 Pri-2
Owner: ----
Status: Available (was: Assigned)
There's a nice minimal testcase for this one (attached). Leaving this unassigned but available for the paint team.
Attachment: crash.html (207 bytes)

Owner: chrishtr@chromium.org
Status: Assigned (was: Available)
I'll look a bit more at this, but it appears to be a layout bug, not paint, right?

Status: Started (was: Assigned)

Components: Blink
Labels: -cr-blink
Remove legacy label cr-blink

Comment 7 by bugdroid1@chromium.org (Project Member), Mar 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b1c6edeac6287b6ffe50cac44956b72f29bb76f5

commit b1c6edeac6287b6ffe50cac44956b72f29bb76f5
Author: chrishtr <chrishtr@chromium.org>
Date: Fri Mar 18 17:18:04 2016

Remove lifecycle rewinding in FrameView::scheduleRelayout

It was added in https://codereview.chromium.org/232013002 to find extra
lifecycle violations. However, right now it is used in various cases to
schedule relayout during layout because of change of containing block chain.
This triggers the assert incorrectly (or layout should fix this, but it is
considered ok for now).

BUG=594489

Review URL: https://codereview.chromium.org/1807363002

Cr-Commit-Position: refs/heads/master@{#381997}

[modify] https://crrev.com/b1c6edeac6287b6ffe50cac44956b72f29bb76f5/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/b1c6edeac6287b6ffe50cac44956b72f29bb76f5/third_party/WebKit/Source/web/tests/FrameThrottlingTest.cpp
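
The commit message above describes the assertion as a lifecycle rewind check that scheduleRelayout tripped whenever it was called during layout. The following C++ model is added here for illustration; it is not Blink's code. The state list is a subset of Blink's DocumentLifecycle states kept in document order, and the rule that only the *Clean states may be rewound, the StyleClean rewind target (the crash line on this page is truncated after "to"), and the *Model type names and function names are assumptions made for this sketch. It shows why a relayout scheduled while the lifecycle is still InLayoutSubtreeChange produced the assertion text in the crash state, and why the post-fix scheduleRelayout (which only records that layout is pending) does not.

```cpp
#include <iostream>
#include <string>

// Added model, not Blink's code: a subset of the DocumentLifecycle states in
// the order a document moves through them. Both states named in the crash
// state above are present.
enum class LifecycleState {
    Inactive,
    InStyleRecalc,
    StyleClean,
    InLayoutSubtreeChange,        // the state named in the assertion
    LayoutSubtreeChangeClean,
    InPerformLayout,
    LayoutClean,
};

static int rank(LifecycleState s) { return static_cast<int>(s); }

static std::string stateName(LifecycleState s) {
    switch (s) {
    case LifecycleState::Inactive:                 return "Inactive";
    case LifecycleState::InStyleRecalc:            return "InStyleRecalc";
    case LifecycleState::StyleClean:               return "StyleClean";
    case LifecycleState::InLayoutSubtreeChange:    return "InLayoutSubtreeChange";
    case LifecycleState::LayoutSubtreeChangeClean: return "LayoutSubtreeChangeClean";
    case LifecycleState::InPerformLayout:          return "InPerformLayout";
    case LifecycleState::LayoutClean:              return "LayoutClean";
    }
    return "?";
}

struct LifecycleModel {
    LifecycleState state = LifecycleState::StyleClean;

    // Assumption of this model: moving backwards ("rewinding") is legal only
    // from a settled *Clean state. While a phase is in progress the machine
    // must not be rewound; that is the invariant the assertion enforces.
    static bool canRewindTo(LifecycleState from, LifecycleState to) {
        if (rank(to) >= rank(from)) return true;   // forward or no-op, not a rewind
        switch (from) {
        case LifecycleState::StyleClean:
        case LifecycleState::LayoutSubtreeChangeClean:
        case LifecycleState::LayoutClean:
            return true;
        default:
            return false;
        }
    }

    // Returns the message a debug build would assert with, or "" when the
    // transition is legal. The model reports instead of aborting so the
    // violation can be checked from a test.
    std::string ensureStateAtMost(LifecycleState target) {
        if (!canRewindTo(state, target))
            return "Cannot rewind document lifecycle from " + stateName(state) +
                   " to " + stateName(target);
        if (rank(state) > rank(target)) state = target;
        return "";
    }
};

struct FrameViewModel {
    LifecycleModel lifecycle;
    bool layoutPending = false;

    // Pre-fix behaviour as the commit message describes it: scheduling a
    // relayout also rewound the lifecycle (target assumed: StyleClean).
    std::string scheduleRelayoutWithRewind() {
        layoutPending = true;
        return lifecycle.ensureStateAtMost(LifecycleState::StyleClean);
    }

    // Post-fix behaviour: only record that a layout is pending.
    std::string scheduleRelayoutWithoutRewind() {
        layoutPending = true;
        return "";
    }
};

// The scenario in the commit message: a containing-block change during layout
// calls scheduleRelayout while the lifecycle is still InLayoutSubtreeChange.
std::string relayoutDuringLayout(bool rewindEnabled) {
    FrameViewModel view;
    view.lifecycle.state = LifecycleState::InLayoutSubtreeChange;
    return rewindEnabled ? view.scheduleRelayoutWithRewind()
                         : view.scheduleRelayoutWithoutRewind();
}

// Control case: the same rewind from a settled state is legal.
std::string relayoutAfterLayout() {
    FrameViewModel view;
    view.lifecycle.state = LifecycleState::LayoutClean;
    return view.scheduleRelayoutWithRewind();
}

int main() {
    std::cout << "during layout, with rewind:    " << relayoutDuringLayout(true) << "\n";
    std::cout << "during layout, without rewind: [" << relayoutDuringLayout(false) << "]\n";
    std::cout << "after layout, with rewind:     [" << relayoutAfterLayout() << "]\n";
}
```

Running the sketch prints the assertion text for the pre-fix path and empty strings for the other two cases. The point the model makes is that the assertion was a re-entrancy detector: it fired because the fuzzer-generated page drove a containing-block change (and so a relayout request) from inside a layout phase, and the fix dropped the rewind rather than the relayout scheduling.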

Status: Fixed (was: Started)

Comment 9 by ClusterFuzz (Project Member), Mar 19 2016

ClusterFuzz has detected this issue as fixed in range 381909:382014.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5719999458574336

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: Cannot rewind document lifecycle from InLayoutSubtreeChange to
  blink::DocumentLifecycle::ensureStateAtMost
  blink::FrameView::scheduleRelayout
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=381909:382014

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv961HzXnNmTEGu-im39TbFImT5y4sAeHGvXg17RJUBHmLW60nzCwXCY3e8w0jH-RXjDparMibcOtbSjXpatwsrfh2JAMbahpaMq6XZEnCKdpg9JJTkMMSfGVwz8lqkyAbe8D65H7J65qBOtrpXu_jaZqEaJ0hQ
<body onload="__f_0();" style="-webkit-column-count:3; display:list-item;">
<script>
document.designMode='on';
document.execCommand('selectall');
document.designMode= 'off';
document.execCommand();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 10 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
