Heap-use-after-free in blink::PaintLayerScrollableArea::deregisterForAnimation
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4710564184195072
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x611000293290
Crash State:
  blink::PaintLayerScrollableArea::deregisterForAnimation
  blink::RootFrameViewport::serviceScrollAnimations
  blink::PageAnimator::serviceScriptedAnimations
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=404238:404340
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94p1E3budbrhZ_2RzTNG-AKSUMVUl1d7juOEK2nDqvBI72sNelEjZHmQzV7ujG8dHtPT5YRNLPFl6VKtkSDK5AdGcpCxJXmvEr2DGLRQuFuFM_5q5FmimAmh9yAhje5GUVGNQ6cSWEUNPgetC2qaCpG3u59rw?testcase_id=4710564184195072

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 23 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 23 2016
Will take a look today
Sep 23 2016
Found the problem: we now allow that a PaintLayerScrollableArea can be set as the layout viewport if its associated node is set as the root scroller. When we delete the node, the PLSA is disposed, but until the root scroller mechanisms realize that the current root scroller is invalid, we can call into the PLSA with a deleted layer/LayoutBox. I have a fix that should be good to go by Monday. This isn't directly related to issue 359028.
Sep 29 2016
This bug is reported as an M55 Beta blocker. Please try to resolve this before the M55 branch on Oct 6th, 2016 so it has enough baking time in Dev.
Sep 30 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/10a29c5ef01177b72535c855713df141a9ef9ddc

commit 10a29c5ef01177b72535c855713df141a9ef9ddc
Author: bokan <bokan@chromium.org>
Date: Fri Sep 30 20:35:15 2016

Detach PaintLayerScrollableArea from RootFrameViewport when disposed.

With document.rootScroller, a PLSA can become the layoutViewport in RootFrameViewport. This crash was happening because the associated Node being removed from the DOM causes deletion of the associated LayoutObject and PaintLayer, but the RootFrameViewport still has a pointer to the PLSA. The RootScrollerController will realize the rootScroller's LayoutObject is gone during the next layout, but we can call into the dead PLSA (which could have been garbage collected in the meantime).

This fix checks during PLSA disposal whether it's registered as the layout viewport, and if so, resets the layout viewport to the FrameView.

BUG=649340
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Review-Url: https://codereview.chromium.org/2365173002
Cr-Commit-Position: refs/heads/master@{#422209}

[modify] https://crrev.com/10a29c5ef01177b72535c855713df141a9ef9ddc/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.cpp
[modify] https://crrev.com/10a29c5ef01177b72535c855713df141a9ef9ddc/third_party/WebKit/Source/core/page/scrolling/RootScrollerController.h
[modify] https://crrev.com/10a29c5ef01177b72535c855713df141a9ef9ddc/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp
[modify] https://crrev.com/10a29c5ef01177b72535c855713df141a9ef9ddc/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.h
[modify] https://crrev.com/10a29c5ef01177b72535c855713df141a9ef9ddc/third_party/WebKit/Source/web/tests/RootScrollerTest.cpp
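The lifetime problem the commit message describes, as an added C++ model that is not Blink's code: a viewport object keeps a non-owning pointer to whichever scrollable area is currently the layout viewport, the area's owned layer is freed on dispose, and a scripted animation frame calls through the viewport before the next layout notices. The class and member names are stand-ins for RootFrameViewport, FrameView and PaintLayerScrollableArea, and the detachFromViewport flag is a hypothetical switch added only to contrast the pre-fix and post-fix behaviour; the real fix resets the layout viewport to the FrameView unconditionally during disposal.

```cpp
#include <memory>
#include <string>
#include <utility>

// Common interface for anything that can act as the layout viewport.
struct ScrollableArea {
    virtual ~ScrollableArea() = default;
    // Returns the name of the area that serviced the animation, or "" if the
    // call reached an area whose layer has already been freed.
    virtual std::string serviceScrollAnimations() = 0;
};

// Model of the frame's own viewport (FrameView): it outlives every PLSA.
struct FrameViewArea final : ScrollableArea {
    std::string serviceScrollAnimations() override { return "FrameView"; }
};

// Model of RootFrameViewport: holds a NON-owning pointer to the current
// layout viewport, which is the pointer that dangles in the bug.
struct RootFrameViewport {
    explicit RootFrameViewport(FrameViewArea* frameView)
        : m_frameView(frameView), m_layoutViewport(frameView) {}

    void setLayoutViewport(ScrollableArea* area) { m_layoutViewport = area; }
    ScrollableArea* layoutViewport() const { return m_layoutViewport; }
    void resetLayoutViewportToFrameView() { m_layoutViewport = m_frameView; }

    // PageAnimator::serviceScriptedAnimations ends up here in the crash stack.
    std::string serviceScrollAnimations() {
        return m_layoutViewport->serviceScrollAnimations();
    }

private:
    FrameViewArea* m_frameView;
    ScrollableArea* m_layoutViewport;
};

// Stand-in for the PaintLayer/LayoutBox that is destroyed with the node.
struct Layer { std::string name; };

// Model of PaintLayerScrollableArea (PLSA).
struct PaintLayerScrollableArea final : ScrollableArea {
    PaintLayerScrollableArea(std::string name, RootFrameViewport* rfv)
        : m_layer(std::make_unique<Layer>(Layer{std::move(name)})), m_rfv(rfv) {}

    std::string serviceScrollAnimations() override {
        // In the real bug this read through the freed layer is the
        // heap-use-after-free; here a dead layer is reported as "".
        if (!m_layer) return "";
        return m_layer->name;
    }

    // detachFromViewport is a hypothetical flag for this model only: true is
    // the fixed behaviour (detach before the layer goes away), false the bug.
    void dispose(bool detachFromViewport) {
        if (detachFromViewport && m_rfv && m_rfv->layoutViewport() == this)
            m_rfv->resetLayoutViewportToFrameView();
        m_layer.reset();  // the layer is gone; any later call through a stale pointer is a UAF
    }

private:
    std::unique_ptr<Layer> m_layer;
    RootFrameViewport* m_rfv;
};

// Scenario from the report: a node becomes the root scroller, is removed from
// the DOM (its PLSA is disposed), and an animation frame services scroll
// animations before the next layout. Returns which area was serviced; ""
// means the viewport called into a disposed PLSA.
std::string runScenario(bool detachOnDispose) {
    FrameViewArea frameView;
    RootFrameViewport rfv(&frameView);
    PaintLayerScrollableArea plsa("rootScrollerPLSA", &rfv);

    rfv.setLayoutViewport(&plsa);   // document.rootScroller = node
    plsa.dispose(detachOnDispose);  // node removed from the DOM
    return rfv.serviceScrollAnimations();  // next scripted animation frame
}
```

With the flag false the viewport still reaches the disposed PLSA (the model returns "" where ASan would report the read); with it true the disposal hands the viewport back to the FrameView and the same call is safe. The general lesson for an observer held by raw pointer is the same as the fix: whoever owns the lifetime must unregister on teardown rather than rely on a later pass to notice.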
Oct 3 2016
ClusterFuzz has detected this issue as fixed in range 422171:422381.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4710564184195072
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x611000293290
Crash State:
  blink::PaintLayerScrollableArea::deregisterForAnimation
  blink::RootFrameViewport::serviceScrollAnimations
  blink::PageAnimator::serviceScriptedAnimations
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=404238:404340
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=422171:422381
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94p1E3budbrhZ_2RzTNG-AKSUMVUl1d7juOEK2nDqvBI72sNelEjZHmQzV7ujG8dHtPT5YRNLPFl6VKtkSDK5AdGcpCxJXmvEr2DGLRQuFuFM_5q5FmimAmh9yAhje5GUVGNQ6cSWEUNPgetC2qaCpG3u59rw?testcase_id=4710564184195072

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 10 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Sep 22 2016
Owner: bokan@chromium.org
Status: Assigned (was: Untriaged)