dsinclair@, could you please help to find an owner for that?

eae@ to triage for layout-dev

r384897 is the only change in the regression range that stands out and it does change lifecycle management slightly.

https://codereview.chromium.org/1858583002/

I don't think https://codereview.chromium.org/1858583002/ is related since it just removed dead code.

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5612673827340288

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x26c7ef97
Crash State:
  blink::LayoutObject::isAnonymousBlock
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=384870:384903

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95rxtOKfp0y9z2e7rCKS1dRs8iTx-o0mg9KdJ88CTT8m6sNMGQDw2FI9RrVblYr4nNMAPuHISFGea5KNpb97Cbc-C9P2PH6CrYRj3WDWT1SxzdXIGfUVGDJdDgwy6IruiOvDyZZzeMuumVnbB4dJO0eIkHWfyLw66xTxIIdG5ZJl11w3Iw


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

M50 Stable is launching very soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged ASAP. All changes MUST be merged into the release branch by 5pm on Apr-8 to make into the desktop Stable final build cut. Thanks!

+ timwillis@ [Security TPM]

May be I was wrong when added M-50 label, feel free to change it to M-51 if needed.

timwillis@, could you please confirm whether this should be M-50 OR M-51 Stable blocker. Thank you.

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5612673827340288

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x26c7ef97
Crash State:
  blink::LayoutObject::isAnonymousBlock
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=384870:384903

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95rxtOKfp0y9z2e7rCKS1dRs8iTx-o0mg9KdJ88CTT8m6sNMGQDw2FI9RrVblYr4nNMAPuHISFGea5KNpb97Cbc-C9P2PH6CrYRj3WDWT1SxzdXIGfUVGDJdDgwy6IruiOvDyZZzeMuumVnbB4dJO0eIkHWfyLw66xTxIIdG5ZJl11w3Iw


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

redid testing - seems like crash was flaky and can't reproduce. Marking as Fixed with no merge required

Cool, thanks Tim!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot