providing findit results for internal purpose:

Suspected CLs	Findit could not determine the memory tool from the stacktrace. Is it in a new format?

using code search, seeing some changes to 'Document.cpp' in https://chromium.googlesource.com/chromium/src/+/d666f503ae854fac360cc70da1f5971a6724546a

foolip@, Could you please check the above issue & help us in finding an owner it its not yours.

The assert can be reproduced on r402077 from June 25, 2016, so I'm not going to try bisecting this.

Turns out that mutation events are fun as usual. In the further minified fun-mutation-event.html, we end up with two children of the Document, which I suspect is violating assumptions somewhere that document.documentElement is the only child. It's certainly an invariant we try to uphold elsewhere and in spec land.

Both Gecko and Edge end up with just the <a> element as the document element, as they throw for the appendChild call inside the DOMSubtreeModified event handler. It looks like the state of the document is a bit different in the different engines in that event handler.

tkent@, can you take a look and assign to someone? To me, making sure that we only end up with one child of document seems like the most important, and if we can align with some other engine on the details of mutation events in the process that would be nice.

Deleted: fun-mutation-event.html 270 bytes

fun-mutation-event.html 270 bytes View Download

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot