Suspected CLs	Regression information is not available. The result is the blame information.

Author: eric@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6733eada55d78af85b14dc76934e5cdb03a05681
Time: Mon Jul 09 23:48:14 2012
The CL last changed line 364 of file HTMLTreeBuilder.cpp, which is stack frame 0.

Author: keishi
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/e052139d295bf332a88308c833bb7a31546e1778
Time: Mon Apr 11 09:48:59 2016
The CL last changed line 279 of file HTMLDocumentParser.cpp, which is stack frame 1.

Author: eric@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6733eada55d78af85b14dc76934e5cdb03a05681
Time: Mon Jul 09 23:48:14 2012
The CL last changed line 292 of file HTMLDocumentParser.cpp, which is stack frame 2.

Author: kouhei@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cb63eab7f1614dabf09dbd2d5d4ceece838f8e3b
Time: Wed Oct 15 08:49:49 2014
The CL last changed line 601 of file HTMLDocumentParser.cpp, which is stack frame 3.

Author: kouhei@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/bba97717686b70761657adf44091f63a395b375b
Time: Wed Oct 15 07:45:30 2014
The CL last changed line 257 of file HTMLDocumentParser.cpp, which is stack frame 4.

Author: kouhei@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/bba97717686b70761657adf44091f63a395b375b
Time: Wed Oct 15 07:45:30 2014
The CL last changed line 961 of file HTMLDocumentParser.cpp, which is stack frame 5.

Author: eric@webkit.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6057721a8efe749aeda59cba09eee9b4ca3519aa
Time: Sat May 29 16:12:07 2010
The CL last changed line 1003 of file HTMLDocumentParser.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>HTML

keishi@: Could you please take a look at this and confirm if this could be related to change from stack frame 1.

Thank you!

This looks like a dup of one I'm working on.

ClusterFuzz has detected this issue as fixed in range 402095:402107.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5029998846541824

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  m_scriptToProcess
  blink::HTMLTreeBuilder::takeScriptToProcess
  blink::HTMLDocumentParser::runScriptsForPausedTreeBuilder
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=402095:402107

Minimized Testcase (0.48 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9765648feTcigxe-DoG6bKoMvyCn55dTjTGRLGRwigGir2bx3v96C_QZGwJHwPUGHH3X-vziF7ZC2bXXfr78yMwBtZKUhaMShWpGdfkw_abXzH-Zgq3h-Th0KPFVve0iDKB1GkJV97NeNXTJmAIGvnVdBQ3bg?testcase_id=5029998846541824
<style>
@import url(N#Va_=l|3M&amp;</style>
<script>
function eventhandler8() {
 /*Document*/ var var00102 = document;  //line 111
 /*Node*/ var var00103 = var00102;  //line 112
 /*HTMLDocument*/ var var00267 = document;  //line 303
 /*XMLSerializer*/ var var00268 = new XMLSerializer();  //line 304
 /*DOMString*/ var var00269 = var00268.serializeToString(var00103);  //line 305
 var00267.writeln(var00269);  //line 306
}
</script>
<style onload="eventhandler8()"></style>
<iframe>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot