Suspected CLs: Regression information is not available. The result is the blame information.
===========================
Author: tkent
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/73a40db1b07fbd9b67286a6cbda1491418fec3d9
Time: Tue Feb 09 08:33:50 2016
The CL last changed line 2461 of file Element.cpp, which is stack frame 0.

Author: esprehn@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/0e653c030f36e59bc8230ba0beac577c73030b22
Time: Sat May 03 00:02:08 2014
The CL last changed line 2357 of file Element.cpp, which is stack frame 1.
---------------------------------
Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-DOM

From the above suspect list assigning to tkent@, for the recent changes made to 'Element.cpp', which is stack frame 0.
tkent@ : Could you please take a look into this if its related to your change, else feel free to re-assign to an appropriate dev person.

Thanks in Advance..!

I'll take a look at this.  Anyway, this doesn't look Pri-1.

This is due to non-empty m_layerUpdateSVGFilterElements, which makes Document::needsFullLayoutTreeUpdate() true.
Looks a SVG area issue.

Note that replacing document().updateLayoutIngorePendingStylesheetsForNode() in Element::focus() with document().updateLayoutTreeForNode(this) fixes this assertion failure.

 Issue 605746  has been merged into this issue.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Is's not fixed.

ClusterFuzz has detected this issue as fixed in range 431234:431235.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4526197584691200

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  !document().isActive() || !document().needsLayoutTreeUpdateForNode(*this)
  blink::Element::isFocusable
  blink::Element::focus
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=374251:374424
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=431234:431235

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97DeBueqxHNnVEpVAxPrFQMbrhmjMvrLETa1Q44ZxFWkEsx7rFI5PgnoXh1qfxa8aOAylw-nOmQ9AOc90JGEZYhL12jzTiF7Y5x0fmERu-346SMHGxMXFAcAfgojJ-32dD7AFJ0JJU2TGywJ7nm2F_sNBaqhA?testcase_id=4526197584691200
<head>
  <style>
   #target {
    width: 100px;
    -webkit-filter: url(#emptyMerge);
</style>
  onload="__f_106();"<div id="target">
  <svg height="0">
   <filter id="emptyMerge">
<tspan>
   <script>
		var __v_0 = document.querySelector("tspan");
		__v_0.focus();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

r431235 (c5de692783f306d25186d46039f8541c9c4ebbe0) got rid of m_layerUpdateSVGFilterElements, so if it sticks (this time) it may well have fixed this issue.

Awesome! Clusterfuzz seems to agree, so I'll mark this as fixed.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot