Stack-overflow in blink::ShapeCache::addSlowCase
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5430804120862720

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe4e00bfe8
Crash State:
  blink::ShapeCache::addSlowCase
  blink::CachingWordShapeIterator::shapeWordWithoutSpacing
  blink::CachingWordShapeIterator::shapeWord

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=133679:133688

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv957Q4uy0PVj-05_ki9Pq7Od4-CUCHj_M9iDj9LmCslHyvu1YQOwL2Q7yRKjiUzULcIxnCP01dt_cE9GjbwI5eNPwy5cheiHIPn8ACXwPMxMqI--O0Vzo9Ll0ZB74jXhCEvGtEOMcZFzNMn0H1-BY-SUKDMSdxlLdAcBSF8zPlfKfIOYbTI

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 10 2016

I get a stack overflow in the node attachment machinery instead. So I guess this strongly suggests that the DOM tree is just too deep for the engine to handle.

#0 0x00000000025bd14a in blink::Node::treeScope (this=0x0) at ../../third_party/WebKit/Source/core/dom/Node.h:461
#1 0x00000000025bd115 in blink::Node::document (this=0x2f73ab90f780) at ../../third_party/WebKit/Source/core/dom/Node.h:457
#2 0x00000000044528e0 in blink::InspectorInstrumentation::instrumentingAgentsFor (node=0x2f73ab90f780) at ../../third_party/WebKit/Source/core/inspector/InspectorInstrumentation.h:140
#3 0x0000000004451068 in blink::InspectorInstrumentation::forcePseudoState (element=0x2f73ab90f780, pseudoState=blink::CSSSelector::PseudoFocus) at gen/blink/core/InspectorInstrumentationImpl.cpp:1143
#4 0x000000000367ea2a in blink::SelectorChecker::matchesFocusPseudoClass (element=...) at ../../third_party/WebKit/Source/core/css/SelectorChecker.cpp:1139
#5 0x000000000367d2fc in blink::SelectorChecker::checkPseudoClass (this=0x7fffd540d6b8, context=..., result=...) at ../../third_party/WebKit/Source/core/css/SelectorChecker.cpp:796
#6 0x000000000367b0c1 in blink::SelectorChecker::checkOne (this=0x7fffd540d6b8, context=..., result=...) at ../../third_party/WebKit/Source/core/css/SelectorChecker.cpp:581
#7 0x000000000367ac96 in blink::SelectorChecker::matchSelector (this=0x7fffd540d6b8, context=..., result=...) at ../../third_party/WebKit/Source/core/css/SelectorChecker.cpp:192
#8 0x000000000367be3f in blink::SelectorChecker::matchForSubSelector (this=0x7fffd540d6b8, context=..., result=...) at ../../third_party/WebKit/Source/core/css/SelectorChecker.cpp:240
#9 0x000000000367adb7 in blink::SelectorChecker::matchSelector (this=0x7fffd540d6b8, context=..., result=...) at ../../third_party/WebKit/Source/core/css/SelectorChecker.cpp:217
#10 0x000000000316999d in blink::SelectorChecker::match (this=0x7fffd540d6b8, context=..., result=...) at ../../third_party/WebKit/Source/core/css/SelectorChecker.h:116
#11 0x0000000003bd4d2d in blink::ElementRuleCollector::collectMatchingRulesForList<blink::HeapTerminatedArray<blink::RuleData> > (this=0x7fffd540da68, rules=0xa0533003440, cascadeOrder=0, matchRequest=...) at ../../third_party/WebKit/Source/core/css/ElementRuleCollector.cpp:157
#12 0x0000000003bd427a in blink::ElementRuleCollector::collectMatchingRules (this=0x7fffd540da68, matchRequest=..., cascadeOrder=0, matchingTreeBoundaryRules=false) at ../../third_party/WebKit/Source/core/css/ElementRuleCollector.cpp:214
#13 0x0000000003725fba in blink::StyleResolver::matchRuleSet (this=0x1b6aea915b50, collector=..., rules=0x1b6aea9044e0) at ../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:605
#14 0x0000000003725eaa in blink::StyleResolver::matchUARules (this=0x1b6aea915b50, collector=...) at ../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:588
#15 0x000000000372601f in blink::StyleResolver::matchAllRules (this=0x1b6aea915b50, state=..., collector=..., includeSMILProperties=true) at ../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:611
#16 0x0000000003727037 in blink::StyleResolver::styleForElement (this=0x1b6aea915b50, element=0x2f73ab90f780, defaultParent=0x0, sharingBehavior=blink::AllowStyleSharing, matchingBehavior=blink::MatchAllRules) at ../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:793
#17 0x00000000030b33ce in blink::Element::originalStyleForLayoutObject (this=0x2f73ab90f780) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1681
#18 0x00000000030b3032 in blink::Element::styleForLayoutObject (this=0x2f73ab90f780) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1661
#19 0x00000000030edda4 in blink::LayoutTreeBuilderForElement::style (this=0x7fffd540ebd8) at ../../third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:111
#20 0x00000000030edd29 in blink::LayoutTreeBuilderForElement::shouldCreateLayoutObject (this=0x7fffd540ebd8) at ../../third_party/WebKit/Source/core/dom/LayoutTreeBuilder.cpp:105
#21 0x00000000030c07c9 in blink::LayoutTreeBuilderForElement::createLayoutObjectIfNeeded (this=0x7fffd540ebd8) at ../../third_party/WebKit/Source/core/dom/LayoutTreeBuilder.h:75
#22 0x00000000030b2242 in blink::Element::attach (this=0x2f73ab90f780, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1530
#23 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f6c8, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#24 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f6c8, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#25 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f610, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#26 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f610, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#27 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f5a8, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#28 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f5a8, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#29 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f4f0, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#30 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f4f0, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#31 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f488, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#32 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f488, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#33 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f3d0, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#34 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f3d0, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
....
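The comment above reads the repeating Element::attach / ContainerNode::attach frames as plain recursion over an over-deep DOM rather than a memory-safety bug. The helper below is an added example, not code from the bug report or from Chromium: it parses gdb-style (and ASan-style) backtrace lines, finds the shortest frame sequence that repeats back to back, and reports how many times it recurs and at which frame the cycle begins, which is the check a triager does by eye to separate "deep input, bounded recursion" from "unbounded recursion or corrupted frame". The sample input is a constructed subset of the frames quoted in this comment; the thresholds (a cycle must repeat at least three times, period up to eight frames) are assumptions chosen for triage.

```python
import re

# One backtrace frame line in either gdb form
#   "#22 0x00000000030b2242 in blink::Element::attach (this=..., context=...) at .../Element.cpp:1530"
# or ASan / llvm-symbolizer form
#   "#22 0x30b2242 in blink::Element::attach(blink::Node::AttachContext const&) core/dom/Element.cpp:1550:5"
FRAME_RE = re.compile(
    r"^#(\d+)\s+"                          # frame number
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"         # optional "0xADDR in"
    r"(.+?)"                               # function name (may carry template args)
    r"(?:\s+\(|\s+at\s|\s+\S+:\d+|$)"      # gdb " (args", gdb " at file", ASan " file:line", or end
)

# Constructed sample: a subset of the gdb frames quoted in the comment above,
# copied verbatim; most of the non-recursive prefix is dropped for brevity.
SAMPLE_BACKTRACE = """\
#0 0x00000000025bd14a in blink::Node::treeScope (this=0x0) at ../../third_party/WebKit/Source/core/dom/Node.h:461
#1 0x00000000025bd115 in blink::Node::document (this=0x2f73ab90f780) at ../../third_party/WebKit/Source/core/dom/Node.h:457
#2 0x00000000044528e0 in blink::InspectorInstrumentation::instrumentingAgentsFor (node=0x2f73ab90f780) at ../../third_party/WebKit/Source/core/inspector/InspectorInstrumentation.h:140
#11 0x0000000003bd4d2d in blink::ElementRuleCollector::collectMatchingRulesForList<blink::HeapTerminatedArray<blink::RuleData> > (this=0x7fffd540da68, rules=0xa0533003440, cascadeOrder=0, matchRequest=...) at ../../third_party/WebKit/Source/core/css/ElementRuleCollector.cpp:157
#16 0x0000000003727037 in blink::StyleResolver::styleForElement (this=0x1b6aea915b50, element=0x2f73ab90f780, defaultParent=0x0, sharingBehavior=blink::AllowStyleSharing, matchingBehavior=blink::MatchAllRules) at ../../third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:793
#21 0x00000000030c07c9 in blink::LayoutTreeBuilderForElement::createLayoutObjectIfNeeded (this=0x7fffd540ebd8) at ../../third_party/WebKit/Source/core/dom/LayoutTreeBuilder.h:75
#22 0x00000000030b2242 in blink::Element::attach (this=0x2f73ab90f780, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1530
#23 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f6c8, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#24 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f6c8, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#25 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f610, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#26 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f610, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#27 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f5a8, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#28 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f5a8, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#29 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f4f0, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#30 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f4f0, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#31 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f488, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#32 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f488, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
#33 0x0000000003028061 in blink::ContainerNode::attach (this=0x2f73ab90f3d0, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:746
#34 0x00000000030b235a in blink::Element::attach (this=0x2f73ab90f3d0, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1550
....
"""


def parse_frames(text):
    """Return [(frame_number, function_name), ...], innermost frame first.

    Lines that are not frames (prose before the trace, the trailing "....")
    are skipped. An argument list glued to the name, as ASan prints it, is
    stripped so the same function compares equal in both formats.
    """
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        name = m.group(2).split("(")[0].strip()
        frames.append((int(m.group(1)), name))
    return frames


def find_recursion(frames, min_repeats=3, max_period=8):
    """Locate the longest run of frames that repeats with a short period.

    Returns None if no sequence of up to max_period functions repeats at least
    min_repeats times back to back; otherwise a dict with the period, the
    number of repeats, how many frames take part, the gdb number of the frame
    where the cycle starts, and the cycle itself. Ties go to the shorter period.
    """
    names = [name for _, name in frames]
    n = len(names)
    best = None
    for period in range(1, min(max_period, n // 2) + 1):
        i = 0
        while i + period < n:
            if names[i] != names[i + period]:
                i += 1
                continue
            start = i
            while i + period < n and names[i] == names[i + period]:
                i += 1
            covered = (i - start) + period   # frames taking part in the repetition
            repeats = covered // period
            if repeats >= min_repeats and (best is None or covered > best["covered"]):
                best = {
                    "period": period,
                    "repeats": repeats,
                    "covered": covered,
                    "start_frame": frames[start][0],
                    "cycle": names[start:start + period],
                }
    return best


def triage(text):
    """Parse a backtrace and produce a one-line verdict plus the cycle details."""
    frames = parse_frames(text)
    rec = find_recursion(frames)
    if rec is None:
        return {"total_frames": len(frames), "verdict": "no repeating frame cycle found"}
    verdict = "recursion: %s repeats %d times from frame #%d" % (
        " -> ".join(rec["cycle"]), rec["repeats"], rec["start_frame"])
    return {"total_frames": len(frames), "verdict": verdict, **rec}


if __name__ == "__main__":
    print(triage(SAMPLE_BACKTRACE)["verdict"])
```

On the full 35-frame trace in the comment the same two-frame cycle is reported starting at frame #22; a cycle whose repeat count keeps growing as the testcase nests deeper is the signature of input-driven recursion, whereas a corrupted return address or a genuine infinite loop tends to show either no clean period or one that does not track the input.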
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Feb 12 2017
ClusterFuzz has detected this issue as fixed in range 449876:449878.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5430804120862720

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe15959e68
Crash State:
  blink::LayoutBox::updateLogicalWidth
  blink::LayoutBlock::updateLogicalWidthAndColumnWidth
  blink::LayoutBlockFlow::updateLogicalWidthAndColumnWidth

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=272014:272046
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=449876:449878

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95Fo_CMU5zumwjicxXSyEAPImtp5WvxsWQaFC1xDDsrQz86MKuQamTcAWcISJpBu5oyFKA57ueJyFwUr1G5SeZdMk93sIWfOnHtAKcrHvFFzau__lNFN28GEpqhHbpqGgR8sRh4_K5GWCqdDiXOpu-J-3D-7A?testcase_id=5430804120862720

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by rnimmagadda@chromium.org, May 10 2016
Labels: findit-wrong Te-Logged M-51
Owner: msten...@opera.com
Status: Assigned (was: Available)