false. DOMExeption should not be thrown in Node.cpp
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5054250669572096
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  false. DOMExeption should not be thrown in Node.cpp
  blink::NoExceptionStateAssertionChecker::throwDOMException
  blink::ContainerNode::checkAcceptChildGuaranteedNodeTypes
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=408575:408586
Minimized Testcase (2.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95TF-rGPt0B83Ck9HaAIdLONEuRdjjJF97q1bQL6saizOisSTIbBE_fOC_MwebfyObyieq4YYSVulI2hqKNWU5SNSAxq1SPviFsei13hiCzI3UkjzMB-jbtlDBcI0pcdAi2xNtrmqHm6zak4ei3iDTeRFKAug?testcase_id=5054250669572096
Filer: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 30 2016
dominicc: Would you triage this in the DOM team?
Aug 1 2016
OK. Things with Status Untriaged, Components DOM or HTML will be triaged without having to ask. checkAcceptGuaranteedNodeTypes has been confused in the past by cunning tree manipulation in MutationEvents, etc. and which usually presages even worse failures. It looks like the repro could use some hand-minimization. It may be a namespace issue; I notice some SVG creation there. This has some junk bytes in the script tag, but I hope they are not important! I wonder if it would be possible to write a log-and-replay minimizer?
Sep 1 2016
Minimum repro:
<script>
// A Document with no root element, created in the "svg" namespace.
tCFDoc1094 = document.implementation.createDocument("svg", null);
// An SVG document whose documentElement is an <svg> element.
tCFDoc1097 = document.implementation.createDocument("http://www.w3.org/2000/svg", "svg");
// Passing a Document together with a second argument makes before() take the
// DocumentFragment conversion path instead of inserting the single node directly.
tCFDoc1097.documentElement.before(tCFDoc1094, "");
</script>
Sep 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/68903386758f2e1924448af26989fd47b327a145

commit 68903386758f2e1924448af26989fd47b327a145
Author: tkent <tkent@chromium.org>
Date: Fri Sep 02 05:37:51 2016

DOM append(), prepend(), after(), before(), and replaceWith() should throw an exception if a Document is specified as one of arguments.

https://dom.spec.whatwg.org/#converting-nodes-into-a-node
> 4. Otherwise, set node to a new DocumentFragment whose node document is
> document, and then append each node in nodes, if any, to it. Rethrow any
> exceptions.

Our implementation convertNodesIntoNode() ignored exceptions in this step.

BUG= 632873
Review-Url: https://codereview.chromium.org/2305903003
Cr-Commit-Position: refs/heads/master@{#416196}

[modify] https://crrev.com/68903386758f2e1924448af26989fd47b327a145/third_party/WebKit/LayoutTests/fast/dom/ChildNode/after.html
[modify] https://crrev.com/68903386758f2e1924448af26989fd47b327a145/third_party/WebKit/LayoutTests/fast/dom/ChildNode/before.html
[modify] https://crrev.com/68903386758f2e1924448af26989fd47b327a145/third_party/WebKit/LayoutTests/fast/dom/ChildNode/replace-with.html
[modify] https://crrev.com/68903386758f2e1924448af26989fd47b327a145/third_party/WebKit/LayoutTests/fast/dom/ParentNode/append.html
[modify] https://crrev.com/68903386758f2e1924448af26989fd47b327a145/third_party/WebKit/LayoutTests/fast/dom/ParentNode/prepend.html
[modify] https://crrev.com/68903386758f2e1924448af26989fd47b327a145/third_party/WebKit/Source/core/dom/Node.cpp
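The spec step quoted in the commit message, as an added example that is not Blink's code: a small JavaScript model of the "converting nodes into a node" algorithm behind before()/after()/append()/prepend()/replaceWith(), running the spec's rethrow beside a variant that swallows the fragment-append exception the way the pre-fix convertNodesIntoNode() did. The node constants, makeNode, insertBefore and the HierarchyRequestError class are simplified stand-ins for the real DOM objects; the scene in runRepro is constructed to mirror the minimal repro, including why it passes "" as a second argument.

```javascript
const ELEMENT_NODE = 1, TEXT_NODE = 3, DOCUMENT_NODE = 9, FRAGMENT_NODE = 11;
class HierarchyRequestError extends Error {
  constructor(message) { super(message); this.name = "HierarchyRequestError"; }
}
const makeNode = (nodeType, name) => ({ nodeType, name, childNodes: [], parentNode: null });
// The pre-insertion validity rule this bug exercises (simplified from the spec's
// full check): a Document node may never become the child of another node.
function insertBefore(parent, node, child) {
  if (node.nodeType === DOCUMENT_NODE) {
    throw new HierarchyRequestError("a Document cannot be inserted as a child");
  }
  const toInsert = node.nodeType === FRAGMENT_NODE ? node.childNodes.splice(0) : [node];
  const index = child ? parent.childNodes.indexOf(child) : parent.childNodes.length;
  for (const n of toInsert) n.parentNode = parent;
  parent.childNodes.splice(index, 0, ...toInsert);
}
// https://dom.spec.whatwg.org/#converting-nodes-into-a-node
// rethrow=true: step 4 as specified ("Rethrow any exceptions").
// rethrow=false: the exception from step 4 is swallowed, as the pre-fix code did.
function convertNodesIntoNode(nodes, rethrow) {
  const converted = nodes.map(n => (typeof n === "string" ? makeNode(TEXT_NODE, n) : n));
  if (converted.length === 1) return converted[0];
  const fragment = makeNode(FRAGMENT_NODE, "#document-fragment");
  for (const n of converted) {
    try {
      insertBefore(fragment, n, null);
    } catch (e) {
      if (rethrow) throw e; // otherwise the bad node is dropped and conversion continues
    }
  }
  return fragment;
}

// ChildNode.before(): convert the arguments, then insert the result before target.
function before(target, nodes, rethrow = true) {
  insertBefore(target.parentNode, convertNodesIntoNode(nodes, rethrow), target);
}

// Constructed scene mirroring the minimal repro: an SVG document whose root element
// receives before(otherDocument, "") (withText) or before(otherDocument) alone.
function runRepro(withText, rethrow) {
  const svgDoc = makeNode(DOCUMENT_NODE, "#document");
  const svgRoot = makeNode(ELEMENT_NODE, "svg");
  insertBefore(svgDoc, svgRoot, null);
  const otherDoc = makeNode(DOCUMENT_NODE, "#document");
  let threw = null;
  try { before(svgRoot, withText ? [otherDoc, ""] : [otherDoc], rethrow); } catch (e) { threw = e.name; }
  return { threw, childCount: svgDoc.childNodes.length };
}
```

With a single Document argument the insertion check catches the bad node in both variants; only the two-argument form reaches the fragment step whose swallowed exception lets the call go on mutating the tree.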
Sep 3 2016
ClusterFuzz has detected this issue as fixed in range 415934:416233.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5054250669572096
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  false. DOMExeption should not be thrown in Node.cpp
  blink::NoExceptionStateAssertionChecker::throwDOMException
  blink::ContainerNode::checkAcceptChildGuaranteedNodeTypes
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=408575:408586
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=415934:416233
Minimized Testcase (2.26 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95TF-rGPt0B83Ck9HaAIdLONEuRdjjJF97q1bQL6saizOisSTIbBE_fOC_MwebfyObyieq4YYSVulI2hqKNWU5SNSAxq1SPviFsei13hiCzI3UkjzMB-jbtlDBcI0pcdAi2xNtrmqHm6zak4ei3iDTeRFKAug?testcase_id=5054250669572096
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mmohammad@chromium.org, Jul 29 2016
Owner: haraken@chromium.org
Status: Assigned (was: Untriaged)