From findit tool:

Author: rune
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/473ac0866d46d55bf57293ce3bb27870f672dc40
Time: Wed Aug 03 12:18:01 2016
File CSSStyleSheet.cpp is changed in this cl (and is part of stack frame #0, "blink::CSSStyleSheet::willMutateRules"; frame #2, "blink::CSSStyleSheet::insertRule"; frame #3, "blink::CSSStyleSheet::insertRule")
Minimum distance from crash line to modified line: 3. (file: CSSStyleSheet.cpp, crashed on: 153, modified: 150).

Suspected Project: chromium
Suspected Component: Blink>CSS

https://codereview.chromium.org/2220863002/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d70bbabbe7641c768c9c2667658b6e85a4accb09

commit d70bbabbe7641c768c9c2667658b6e85a4accb09
Author: rune <rune@opera.com>
Date: Mon Aug 08 05:30:38 2016

Cached style element sheets may not have an owner node.

The assert for cacheability of shared StyleSheetContents required the
ownerNode to be a non-null style element. Referring to and modify a
stylesheet is however possible after the style element has been removed
and the ownerNode set to null. Change the assert to just check for the
two types of cacheability.

This was not triggered by stylesheets not having @media rules since the
cacheability of linked resources would be true and made the assert
true.

Also, made the ASSERT a DCHECK along with the other ASSERTs in the
modified file.

R=meade@chromium.org
BUG= 635022 

Review-Url: https://codereview.chromium.org/2220863002
Cr-Commit-Position: refs/heads/master@{#410305}

[add] https://crrev.com/d70bbabbe7641c768c9c2667658b6e85a4accb09/third_party/WebKit/LayoutTests/fast/css/modify-cached-detached-sheet-3.html
[modify] https://crrev.com/d70bbabbe7641c768c9c2667658b6e85a4accb09/third_party/WebKit/Source/core/css/CSSStyleSheet.cpp

ClusterFuzz has detected this issue as fixed in range 410304:410309.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6685318864699392

Fuzzer: attekett_dom_fuzzer
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  (isStyleElement(ownerNode()) && m_contents->isCacheableForStyleElement()) || m_c
  blink::CSSStyleSheet::willMutateRules
  blink::CSSStyleSheet::RuleMutationScope::RuleMutationScope
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=409458:409520
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=410304:410309

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97NkYt_Vil5JpLOx3HHIYZJuJNIYjRBnNNxtvbrAKzL4_qo-be9QI_pJbPOT6UmUye1q0vVHWyBBaovGtjAsxoRR7oclTtvjyaMgq_qswBRAtEZvAhSCVb_xTxVGYpgavc_EVfiU0yq5ZGYH4AkZjwf_N-HPA?testcase_id=6685318864699392
<style id="style1">
            @media all { .test { color: green;</style>
        <script> 
var styleSheet0 = document.styleSheets[0];
var test0=document.getElementById("style1")
var test1=test0.appendChild(document.createElement("img"))
styleSheet0.insertRule('select,wbr{fieldset:enabled.enabled; }');
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot