
Issue 627385

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

node.canParticipateInFlatTree() in FlatTreeTraversal.h

Reported by ClusterFuzz (Project Member), Jul 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6562935031988224

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  node.canParticipateInFlatTree() in FlatTreeTraversal.h
  blink::FlatTreeTraversal::assertPrecondition
  blink::FlatTreeTraversal::parent
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=402485:402737

Minimized Testcase (0.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94BCy3leQmeVmPHGvocNP1nmzu1c4XsBD9xa_xAYrqrV3vPDHXXeMgXgpUS4O3uuE9yKI4HfJLsNky5okLAYPDN_Hf4ZMWyCNCnalKWv107HaEjevYEV6SpPx6dhDpOgya7KVJeQjFpz0VbaayMNi21_7Igng?testcase_id=6562935031988224
<script>
tCF18 = document.createElementNS("http://www.w3.org/1999/xhtml", "slot");
tCF18.setAttribute("dir", "auto");
</script>


Filer: kavvaru

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>NoResult Blink>Layout
Labels: Te-Logged M-53
Owner: szager@chromium.org
Status: Assigned (was: Available)
Findit failed to get the suspected CLs.

Regressed CL:
https://chromium.googlesource.com/chromium/src/+log/70770adcfe2262b6886e19ac445d7c791892d011..54d1f9df4118e208a39621d41d72dca8eb969af3?pretty=fuller

Possible suspect from the above CL
https://codereview.chromium.org/2105963002

szager@ Could you please look into this issue if it is related to your change, else please route this to an appropriate owner for this issue.

Thanks,

Comment 2 by sheriffbot@chromium.org (Project Member), Jul 12 2016

Labels: -M-53 M-54 MovedFrom-53
Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 3 by e...@chromium.org, Jul 19 2016

Components: -Blink>Layout -Tools>Test>FindIt>NoResult Blink>Loader
Owner: ----
Status: Untriaged (was: Assigned)
Components: Blink>WebComponents Blink>DOM
Labels: -ClusterFuzz Clusterfuzz
eae@, was there a particular reason this was triaged to loading?

Adding some common Shadow DOM components for further triage. Hopefully repro is easy, looks like two lines of JS. I'm building an asan content_shell now to hopefully repro on TOT. Will update if it repros.
Never mind, it crashes even on TOT release build with DCHECKs always on :)
Owner: hayato@chromium.org
Status: Assigned (was: Untriaged)
hayato@, do you mind taking a look at this one? I'm unfamiliar with the slot element, and Shadow DOM in general.

FYI for future in case it stops being reproducible. This crashed content_shell with DCHECK_ALWAYS_ON, synced to #406848 by navigating to:

data:text/html;charset=utf-8,<script>tCF18 = document.createElementNS("http://www.w3.org/1999/xhtml", "slot"); tCF18.setAttribute("dir", "auto");
;</script>

Comment 7 by hayato@chromium.org, Jul 22 2016

Status: Started (was: Assigned)

Comment 8 by bugdroid1@chromium.org (Project Member), Jul 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c75de11273c24c2a26738c5298074dac079b1016

commit c75de11273c24c2a26738c5298074dac079b1016
Author: hayato <hayato@chromium.org>
Date: Fri Jul 22 09:12:36 2016

Fix a crash caused by changing dir attribute of a slot element

HTMLElement::dirAttributeChanged() calls FlatTreeTraversal::parent(*this)
unconditionally. Since Blink does not support "slots in a flat tree", we
should return early here for a slot element.

BUG= 627385 

Review-Url: https://codereview.chromium.org/2172133002
Cr-Commit-Position: refs/heads/master@{#407108}

[add] https://crrev.com/c75de11273c24c2a26738c5298074dac079b1016/third_party/WebKit/LayoutTests/shadow-dom/crashes/slot-dir-attribute-crash.html
[modify] https://crrev.com/c75de11273c24c2a26738c5298074dac079b1016/third_party/WebKit/Source/core/html/HTMLElement.cpp

Comment 9 by hayato@chromium.org, Jul 22 2016

Status: Fixed (was: Started)
Thank you for the prompt fix :)

Comment 11 by ClusterFuzz (Project Member), Jul 23 2016

ClusterFuzz has detected this issue as fixed in range 406809:407197.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=406809:407197

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 12 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot