contents->isCacheableForStyleElement() in StyleEngine.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5774433461731328

Fuzzer: attekett_dom_fuzzer
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  contents->isCacheableForStyleElement() in StyleEngine.cpp
  blink::StyleEngine::createSheet
  blink::StyleElement::createSheet

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=340078:341518

Minimized Testcase (0.32 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv952tL2ginozs-s_NtBJZtmS6nOL6KzIW9LxNhRQb7jFa4P4nkGGi8nTWLkB30Yao7cTqYK18o-63ZHX383MjdOcp3jIXSma0vwRJrtXp2eFMOBqxssGRr8L4Gt0YMopFxMvYm5i9CO7en0c4OhU-4oFKPDuvw?testcase_id=5774433461731328

<style id="target">
@font-face {
</style>
<script>
var styleSheet0 = document.styleSheets[0];
var test0=document.getElementById("target")
var test5=test0.appendChild(document.createElement("footer"))
styleSheet0.insertRule('#target:only-of-type {-webkit-text-overflow:ellipsis; }');
test0.appendChild(test0.cloneNode());
</script>

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 1 2016
Caused by issue 633210.
Aug 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/473ac0866d46d55bf57293ce3bb27870f672dc40

commit 473ac0866d46d55bf57293ce3bb27870f672dc40
Author: rune <rune@opera.com>
Date: Wed Aug 03 12:18:01 2016

Use weak members to cache StyleSheetContents.

We used the client count to detect if we could remove a StyleSheetContents from the StyleEngine cache or not. The problem is that the client references are removed when the element is removed from the DOM, but the StyleSheetContents is still referenced from the CSSStyleSheet which is accessible from CSSOM. That caused bugs with StyleSheetContents being marked as mutable without removing it from the cache causing assertions, and mutating the sheet without copy-on-write because we thought we only had a single client for the contents.

Instead use weak members in the cache and let garbage collection delete the StyleSheetContents when no longer referenced. Also, add a flag to StyleSheetContents to say that it is referenced by multiple sheets when we use an already cached object instead of incorrectly relying on client count.

R=timloh@chromium.org,haraken@chromium.org
BUG=633210,628488

Review-Url: https://codereview.chromium.org/2205843003
Cr-Commit-Position: refs/heads/master@{#409495}

[add] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/LayoutTests/fast/css/modify-cached-detached-sheet-2.html
[add] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/LayoutTests/fast/css/modify-cached-detached-sheet.html
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/css/CSSStyleSheet.cpp
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/css/StyleSheetContents.cpp
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/css/StyleSheetContents.h
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/dom/StyleElement.h
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/dom/StyleEngine.cpp
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/dom/StyleEngine.h
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/dom/StyleEngineTest.cpp
[modify] https://crrev.com/473ac0866d46d55bf57293ce3bb27870f672dc40/third_party/WebKit/Source/core/html/HTMLStyleElement.h
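The commit message above contrasts two ways of keeping a parsed-stylesheet cache honest: the old one used the client count both to decide when an entry could be dropped and whether a CSSOM mutation needed copy-on-write, while the fix keeps weak cache members and records sharing with an explicit flag. The following stand-alone C++ model is an added illustration of that difference, not Blink's code or the code from this commit: StyleSheetContents, CSSStyleSheet, clientCount and referencedFromMultipleSheets are simplified stand-ins named after the Blink concepts, std::weak_ptr plays the role of Blink's garbage-collected weak members, and the two-element scenario is constructed to mirror the detached-sheet-plus-clone shape of the reporter's test case.

```cpp
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stand-in for Blink's StyleSheetContents: the parsed form shared by <style> elements with identical text.
struct StyleSheetContents {
    std::string text;                          // source text, also the cache key
    std::vector<std::string> rules;            // parsed rules; CSSOM insertRule appends
    bool mutated = false;                      // set once CSSOM has modified the rules
    bool referencedFromMultipleSheets = false; // the flag the fix adds
    int clientCount = 0;                       // <style> elements currently in the DOM
    explicit StyleSheetContents(std::string t) : text(std::move(t)), rules{text} {}
    bool isCacheableForStyleElement() const { return !mutated; }
};

// Stand-in for CSSStyleSheet: script can keep it (document.styleSheets[0]) after its element
// leaves the DOM, so it owns the contents without being a "client".
struct CSSStyleSheet { std::shared_ptr<StyleSheetContents> contents; };

// Copy-on-write target: a private copy that is never placed in a cache.
static std::shared_ptr<StyleSheetContents> privateCopy(const StyleSheetContents& c) {
    auto copy = std::make_shared<StyleSheetContents>(c.text); copy->rules = c.rules; return copy;
}

// Before the fix: strong cache entries; clientCount decides both eviction and copy-on-write.
class ClientCountEngine {
    std::map<std::string, std::shared_ptr<StyleSheetContents>> cache_;
public:
    CSSStyleSheet createSheet(const std::string& text) {
        auto& slot = cache_[text];
        if (!slot) slot = std::make_shared<StyleSheetContents>(text);
        // Blink CHECKs here; the failure is modelled as a sheet without contents.
        if (!slot->isCacheableForStyleElement()) return CSSStyleSheet{nullptr};
        ++slot->clientCount;
        return CSSStyleSheet{slot};
    }
    void removeFromDom(CSSStyleSheet& s) { if (--s.contents->clientCount == 0) cache_.erase(s.contents->text); }
    void insertRule(CSSStyleSheet& s, const std::string& rule) {
        // A detached sheet held by script is not a client, so contents shared with one
        // live element looks like "single client" and is mutated in place.
        if (s.contents->clientCount > 1) s.contents = privateCopy(*s.contents);
        s.contents->rules.push_back(rule);
        s.contents->mutated = true;
    }
};

// After the fix: weak entries expire with the last CSSStyleSheet; sharing is recorded on reuse.
class WeakCacheEngine {
    std::map<std::string, std::weak_ptr<StyleSheetContents>> cache_;
public:
    CSSStyleSheet createSheet(const std::string& text) {
        auto contents = cache_[text].lock();
        if (contents && contents->isCacheableForStyleElement()) {
            contents->referencedFromMultipleSheets = true;
        } else {                                   // expired or mutated: parse afresh
            contents = std::make_shared<StyleSheetContents>(text);
            cache_[text] = contents;
        }
        ++contents->clientCount;
        return CSSStyleSheet{contents};
    }
    void removeFromDom(CSSStyleSheet& s) { --s.contents->clientCount; } // no eviction here
    void insertRule(CSSStyleSheet& s, const std::string& rule) {
        if (s.contents->referencedFromMultipleSheets) s.contents = privateCopy(*s.contents);
        s.contents->rules.push_back(rule);
        s.contents->mutated = true;
    }
    bool hasLiveEntry(const std::string& text) const {
        auto it = cache_.find(text);
        return it != cache_.end() && !it->second.expired();
    }
};

// Constructed scenario in the bug's shape: two <style> elements share contents, one is detached
// while script still holds its CSSStyleSheet, script calls insertRule, then a clone is inserted.
bool oldEngineMutatesSharedContents() {
    ClientCountEngine engine;
    CSSStyleSheet a = engine.createSheet("p {}");
    CSSStyleSheet b = engine.createSheet("p {}");     // clone: same text, shared contents
    engine.removeFromDom(a);                          // clientCount 2 -> 1, entry stays cached
    engine.insertRule(a, "#target {}");               // "single client": mutated in place
    CSSStyleSheet clone = engine.createSheet("p {}"); // cache hit on mutated contents: CHECK
    return b.contents == a.contents && b.contents->rules.size() == 2 && !clone.contents;
}

bool fixedEngineIsolatesMutation() {
    WeakCacheEngine engine;
    bool ok = false;
    {
        CSSStyleSheet a = engine.createSheet("p {}");
        CSSStyleSheet b = engine.createSheet("p {}");  // cache hit marks the contents shared
        engine.removeFromDom(a);
        engine.insertRule(a, "#target {}");            // shared -> copy-on-write, b untouched
        CSSStyleSheet c = engine.createSheet("p {}");  // still served the clean contents
        ok = a.contents != b.contents && b.contents->rules.size() == 1 &&
             c.contents == b.contents && engine.hasLiveEntry("p {}");
    }                                                  // script drops the last reference
    return ok && !engine.hasLiveEntry("p {}");         // entry expired without any client count
}
```

Both functions return true. The first reproduces the two failure modes the commit message names: the shared contents is mutated without copy-on-write because the detached sheet no longer counts as a client, and the entry stays in the cache after being marked mutable, so the next sheet with the same text hits the non-cacheable object. The second shows why the fix separates the two concerns: liveness comes from the weak reference expiring with the last owner, and the copy-on-write decision comes from a flag set at the moment the cache hands an object out a second time.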
Aug 3 2016
Aug 4 2016
ClusterFuzz has detected this issue as fixed in range 409458:409520.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5774433461731328

Fuzzer: attekett_dom_fuzzer
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  contents->isCacheableForStyleElement() in StyleEngine.cpp
  blink::StyleEngine::createSheet
  blink::StyleElement::createSheet

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=340078:341518
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=409458:409520

Minimized Testcase (0.32 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv952tL2ginozs-s_NtBJZtmS6nOL6KzIW9LxNhRQb7jFa4P4nkGGi8nTWLkB30Yao7cTqYK18o-63ZHX383MjdOcp3jIXSma0vwRJrtXp2eFMOBqxssGRr8L4Gt0YMopFxMvYm5i9CO7en0c4OhU-4oFKPDuvw?testcase_id=5774433461731328

<style id="target">
@font-face {
</style>
<script>
var styleSheet0 = document.styleSheets[0];
var test0=document.getElementById("target")
var test5=test0.appendChild(document.createElement("footer"))
styleSheet0.insertRule('#target:only-of-type {-webkit-text-overflow:ellipsis; }');
test0.appendChild(test0.cloneNode());
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Jul 15 2016
Components: Tools>Test>FindIt>NoResult
Labels: findit-wrong Te-Logged M-52
Owner: r...@opera.com
Status: Assigned (was: Available)