Unable to find suspect using CL and find it.
Assigning to the concern owner from CodeSearch using the text "LayoutObject.cpp",
Suspecting Commit# 0d0b68569b4cfc83150bfd3114c0c2d53d70b14c
Suspecting Review URL# https://codereview.chromium.org/1839613002

@nona -- Could you please look into the issue, pardon me if it has nothing to do with your changes and if possible could you please assign it to concern Dev.
Thank You.

Confirmed same crash on my local with release configuration.
On the other hand, assertion failed on the debug configuration with following stack trace.

ASSERTION FAILED: m_image
../../third_party/WebKit/Source/core/style/ContentData.h(96) : blink::ImageContentData::ImageContentData(blink::StyleImage *)
1   0x7fc11c7ce695
2   0x7fc11c7ce06b
3   0x7fc11c7d93c4 blink::ComputedStyle::setContent(blink::StyleImage*)
4   0x7fc11c0b8aa0
5   0x7fc11b976899 blink::StyleBuilder::applyProperty(blink::CSSPropertyID, blink::StyleResolverState&, blink::CSSValue*, bool, bool)
6   0x7fc11c0b5f17 blink::StyleBuilder::applyProperty(blink::CSSPropertyID, blink::StyleResolverState&, blink::CSSValue*)
7   0x7fc11c0cfd19
8   0x7fc11c0c4e4b
9   0x7fc11c0c0363 blink::StyleResolver::applyMatchedProperties(blink::StyleResolverState&, blink::MatchResult const&)
10  0x7fc11c0bf5e9 blink::StyleResolver::styleForElement(blink::Element*, blink::ComputedStyle const*, blink::StyleSharingBehavior, blink::RuleMatchingBehavior)
11  0x7fc11ba2593b blink::Document::inheritHtmlAndBodyElementStyles(blink::StyleRecalcChange)
12  0x7fc11ba267ad blink::Document::updateStyle()
13  0x7fc11ba2314e blink::Document::updateLayoutTree()
14  0x7fc11c5d87a5
15  0x7fc11c5ceb9c
16  0x7fc11c5ce7d2
17  0x7fc11c5cec28
18  0x7fc11c42a470
19  0x7fc11c419008 blink::DocumentLoader::endWriting(blink::DocumentWriter*)
20  0x7fc11c418c01 blink::DocumentLoader::finishedLoading(double)
21  0x7fc11c4189a0 blink::DocumentLoader::notifyFinished(blink::Resource*)
22  0x7fc11c2079fe blink::Resource::didAddClient(blink::ResourceClient*)
23  0x7fc11c2033d3 blink::RawResource::didAddClient(blink::ResourceClient*)
24  0x7fc11c207d44 blink::Resource::addClient(blink::ResourceClient*)
25  0x7fc11c41b417 blink::DocumentLoader::startLoadingMainResource()
26  0x7fc11c438f2e blink::FrameLoader::startLoad(blink::FrameLoadRequest&, blink::FrameLoadType, blink::NavigationPolicy)
27  0x7fc11c4345fc blink::FrameLoader::load(blink::FrameLoadRequest const&, blink::FrameLoadType, blink::HistoryItem*, blink::HistoryLoadType)
28  0x7fc11c912ecd
29  0x7fc126dd51fa blink::Image::setData(WTF::PassRefPtr<blink::SharedBuffer>, bool)
30  0x7fc11c1ed0af blink::ImageResource::updateImage(bool)
31  0x7fc11c1edb5f blink::ImageResource::finish()
Received signal 11 SEGV_MAPERR 0000fbadbeef
#0 0x7fc13445f5be base::debug::StackTrace::StackTrace()
#1 0x7fc13445f0ff base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7fc121e16340 <unknown>
#3 0x7fc11c7ce69c blink::ImageContentData::ImageContentData()
#4 0x7fc11c7ce06b blink::ContentData::create()
#5 0x7fc11c7d93c4 blink::ComputedStyle::setContent()
#6 0x7fc11c0b8aa0 blink::StyleBuilderFunctions::applyValueCSSPropertyContent()
#7 0x7fc11b976899 blink::StyleBuilder::applyProperty()
#8 0x7fc11c0b5f17 blink::StyleBuilder::applyProperty()
#9 0x7fc11c0cfd19 blink::StyleResolver::applyProperties<>()
#10 0x7fc11c0c4e4b blink::StyleResolver::applyMatchedProperties<>()
#11 0x7fc11c0c0363 blink::StyleResolver::applyMatchedProperties()
#12 0x7fc11c0bf5e9 blink::StyleResolver::styleForElement()
#13 0x7fc11ba2593b blink::Document::inheritHtmlAndBodyElementStyles()
#14 0x7fc11ba267ad blink::Document::updateStyle()
#15 0x7fc11ba2314e blink::Document::updateLayoutTree()
#16 0x7fc11c5d87a5 blink::XMLErrors::insertErrorMessageBlock()
#17 0x7fc11c5ceb9c blink::XMLDocumentParser::insertErrorMessageBlock()
#18 0x7fc11c5ce7d2 blink::XMLDocumentParser::end()
#19 0x7fc11c5cec28 blink::XMLDocumentParser::finish()
#20 0x7fc11c42a470 blink::DocumentWriter::end()
#21 0x7fc11c419008 blink::DocumentLoader::endWriting()
#22 0x7fc11c418c01 blink::DocumentLoader::finishedLoading()
#23 0x7fc11c4189a0 blink::DocumentLoader::notifyFinished()
#24 0x7fc11c2079fe blink::Resource::didAddClient()
#25 0x7fc11c2033d3 blink::RawResource::didAddClient()
#26 0x7fc11c207d44 blink::Resource::addClient()
#27 0x7fc11c41b417 blink::DocumentLoader::startLoadingMainResource()
#28 0x7fc11c438f2e blink::FrameLoader::startLoad()
#29 0x7fc11c4345fc blink::FrameLoader::load()
#30 0x7fc11c912ecd blink::SVGImage::dataChanged()
#31 0x7fc126dd51fa blink::Image::setData()
#32 0x7fc11c1ed0af blink::ImageResource::updateImage()
#33 0x7fc11c1edb5f blink::ImageResource::finish()
#34 0x7fc11c22adeb blink::ResourceLoader::didFinishLoading()
#35 0x7fc12d9e22f1 content::WebURLLoaderImpl::Context::OnCompletedRequest()
#36 0x7fc12d9e29d7 content::WebURLLoaderImpl::RequestPeerImpl::OnCompletedRequest()
#37 0x7fc12d984701 content::ResourceDispatcher::OnRequestComplete()
#38 0x7fc12d98cca2 _ZN4base20DispatchToMethodImplIPN7content18ResourceDispatcherEMS2_FviRK31ResourceMsg_RequestCompleteDataEJiS4_EJLm0ELm1EEEEvRKT_T0_RKSt5tupleIJDpT1_EENS_13IndexSequenceIJXspT2_EEEE
#39 0x7fc12d98cbe5 _ZN4base16DispatchToMethodIPN7content18ResourceDispatcherEMS2_FviRK31ResourceMsg_RequestCompleteDataEJiS4_EEEvRKT_T0_RKSt5tupleIJDpT1_EE
#40 0x7fc12d98cb8f _ZN3IPC16DispatchToMethodIN7content18ResourceDispatcherEMS2_FviRK31ResourceMsg_RequestCompleteDataEvSt5tupleIJiS3_EEEEvPT_T0_PT1_RKT2_
#41 0x7fc12d988d91 _ZN3IPC8MessageTI32ResourceMsg_RequestComplete_MetaSt5tupleIJi31ResourceMsg_RequestCompleteDataEEvE8DispatchIN7content18ResourceDispatcherES8_vMS8_FviRKS3_EEEbPKNS_7MessageEPT_PT0_PT1_T2_
#42 0x7fc12d981e5b content::ResourceDispatcher::DispatchMessage()
#43 0x7fc12d9811b9 content::ResourceDispatcher::OnMessageReceived()
#44 0x7fc12d98e9a5 content::ResourceSchedulingFilter::DispatchMessage()
#45 0x7fc12d98ec1a content::(anonymous namespace)::DispatchMessageTask::run()
#46 0x7fc11fb9d38e scheduler::WebTaskRunnerImpl::runTask()
#47 0x7fc11fb9e42a _ZN4base8internal15RunnableAdapterIPFvSt10unique_ptrIN5blink13WebTaskRunner4TaskESt14default_deleteIS5_EEEE3RunIJS8_EEEvDpOT_
#48 0x7fc11fb9e395 _ZN4base8internal12InvokeHelperILb0EvNS0_15RunnableAdapterIPFvSt10unique_ptrIN5blink13WebTaskRunner4TaskESt14default_deleteIS6_EEEEEE8MakeItSoIJS9_EEEvSC_DpOT_
#49 0x7fc11fb9e356 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS0_15RunnableAdapterIPFvSt10unique_ptrIN5blink13WebTaskRunner4TaskESt14default_deleteIS9_EEEEESD_JNS0_13PassedWrapperISC_EEEEENS0_12InvokeHelperILb0EvSF_EEFvvEE3RunEPNS0_13BindStateBaseE
#50 0x7fc13443f99e base::Callback<>::Run()
#51 0x7fc134464fae base::debug::TaskAnnotator::RunTask()
#52 0x7fc11fb754c4 scheduler::TaskQueueManager::ProcessTaskFromWorkQueue()
#53 0x7fc11fb73422 scheduler::TaskQueueManager::DoWork()
#54 0x7fc11fb7ad1e _ZN4base8internal15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEE3RunIJRKS4_RKbEEEvPS3_DpOT_
#55 0x7fc11fb7ac1a _ZN4base8internal12InvokeHelperILb1EvNS0_15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEEEE8MakeItSoINS_7WeakPtrIS4_EEJRKS5_RKbEEEvS8_T_DpOT0_
#56 0x7fc11fb7ab98 _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0ELm1ELm2EEEENS0_9BindStateINS0_15RunnableAdapterIMN9scheduler16TaskQueueManagerEFvNS_9TimeTicksEbEEEFvPS7_S8_bEJNS_7WeakPtrIS7_EERS8_bEEENS0_12InvokeHelperILb1EvSB_EEFvvEE3RunEPNS0_13BindStateBaseE
#57 0x7fc13443f99e base::Callback<>::Run()
#58 0x7fc134464fae base::debug::TaskAnnotator::RunTask()
#59 0x7fc1344dcc6c base::MessageLoop::RunTask()
#60 0x7fc1344dcf08 base::MessageLoop::DeferOrRunPendingTask()
#61 0x7fc1344dd0d2 base::MessageLoop::DoWork()
  r8: 0000000000000001  r9: 00007fc12020be00 r10: 00007fc120477be0 r11: 00007fc120241870
 r12: 00007fc13503a2bc r13: 00007ffd1116fc70 r14: 0000000000000000 r15: 0000000000000000
  di: 0000264f3bd4c0b0  si: 00000000fbadbeef  bp: 00007ffd11169270  bx: 48b0bdb8f0b66500
  dx: 0000264f3c260e60  ax: 48b0bdb8f0b66500  cx: 00000000fbadbeef  sp: 00007ffd11169250
  ip: 00007fc11c7ce69c efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000006
 trp: 000000000000000e msk: 0000000000000000 cr2: 00000000fbadbeef
[end of stack trace]

And assertion failure also happens on a4144158053ed7c97a04e5a21f491548e06f6d7d which is the oldest revision in above range.


I'm sorry I have no idea for this crash now.

Forwarding to alancutter@ who is the author of this assertion by https://codereview.chromium.org/1607733004

The m_image assertion was recently fixed by https://codereview.chromium.org/1865603004.
I was not able to repro the blink::LayoutObject::willBeDestroyed crash locally using ToT.

@nona are you still able to repro this crash?

@alancutter, yeah I verified the crash no longer happens both on Debug/Release build.

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5785986520317952

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::LayoutObject::willBeDestroyed
  blink::LayoutText::willBeDestroyed
  blink::LayoutObject::destroy
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=384588:384595

Minimized Testcase (4.13 Kb): https://cluster-fuzz.appspot.com/download/AMIfv947BkDxggyjAK-BOd-nwR83FpD6EnDDSNphM1zGx7LPeZ9NdbaY0gQB2c_ton96PDLbPchgoRj-TPCMKgQNOtsVj2EB3OOLAtB2Yn9GheDk_7SDy2qzLbFhXgdnPAt0W5egUmpWtAaz8gDkExTW_oW8_PHu4A

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot