
Issue 652613

Starred by 2 users

Issue metadata

Status: Verified
Owner: ----
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug




!node.needsStyleRecalc() in Document.cpp

Project Member Reported by ClusterFuzz, Oct 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5737243543339008

Fuzzer: bj_broddelwerk
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !node.needsStyleRecalc() in Document.cpp
  blink::assertLayoutTreeUpdated
  blink::Document::updateStyleAndLayoutTree
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=335195:335234

Minimized Testcase (0.84 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97GiKnv3TrbPPlUyPEVMOwqFgC-uLY8BwaV_Wc-anW4vU-etr5myj13y-t8LOar2FRcUFLPhKWU9iGEQVcoojg24wgT993rBmo_41owifz1meulIwOsxMPSyiv5mLwjmNija6QqKCCbF5uCVaqPl44HMJmtvQ?testcase_id=5737243543339008

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>NoResult
Labels: -Pri-1 -Type-Bug findit-wrong M-55 Te-Logged Pri-2 Type-Bug-Regression
Owner: r...@opera.com
Status: Assigned (was: Untriaged)
Findit did not show any suspected CLs.

Using code search, suspecting the below change could be a possible culprit which could have resulted in this crash.

Change URL: https://chromium.googlesource.com/chromium/src/+/3cf2f58b1be6065c5c8264e60d414ec9531a6449
Review-Url: https://codereview.chromium.org/2354773003

@rune: Assigning to you; please take a look into it. Please help us reassign if it is not related to your change.

Thanks!

Comment 2 by r...@opera.com, Oct 5 2016

Cc: esprehn@chromium.org
Labels: -Type-Bug-Regression Type-Bug
If you look at the Blink changes in that range, you see that assertLayoutTreeUpdated was introduced by esprehn@ in that range, so it's not a regression.

Comment 3 by r...@opera.com, Oct 5 2016

Components: -Tools>Test>FindIt>NoResult Blink>DOM
Labels: -OS-Linux OS-All
Owner: ----
Status: Available (was: Assigned)
The ClusterFuzz case is able to add two child elements of Document. Since that should not be allowed, we start recalculating style on documentElement(), which means the second element will not have its style recalculated. assertLayoutTreeUpdated starts on the Document node and checks all children and therefore finds the dirty second child.

I assume the DOM code should've made sure there's only one documentElement.

Comment 4 by r...@opera.com, Oct 5 2016

Cc: r...@opera.com
These kinds of bugs are sadly not uncommon; typically checkAllowsChild is confused by some synchronous script running somewhere. The solution is typically beating back the brushfire of synchronous stuff, or widening the firebreak with "duplicate" later checks.
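The mechanism described in comments 3 and 4, as an added example that is not Blink code: a toy DOM tree in C++ in which an early insertion check (a stand-in for checkAllowsChild) enforces that a Document has at most one element child, style recalc starts at documentElement(), and a later whole-tree walk (a stand-in for assertLayoutTreeUpdated) reports any node that was never cleaned. The Node and Document types, appendChild, appendChildUnchecked, updateStyle and the two scenario functions are assumptions of this example; appendChildUnchecked only models the state the fuzzer reached and says nothing about how Blink got there.

```cpp
// Added example (not Blink code). Function names mirror those mentioned in
// the thread but are simplified stand-ins, not the real Blink signatures.
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Node {
    std::string name;
    bool isElement;
    bool needsStyleRecalc;   // only elements carry style; new elements start dirty
    std::vector<std::unique_ptr<Node>> children;
    Node(std::string n, bool element)
        : name(std::move(n)), isElement(element), needsStyleRecalc(element) {}
};

// The Document is a Node whose single element child is the documentElement.
struct Document : Node {
    Document() : Node("#document", false) {}
    Node* documentElement() {
        for (auto& c : children)
            if (c->isElement) return c.get();
        return nullptr;
    }
};

// Early check at insertion time (stand-in for checkAllowsChild): a Document
// may have at most one element child. Returns false if insertion is refused.
bool checkAllowsChild(Document& doc, const Node& candidate) {
    return !(candidate.isElement && doc.documentElement() != nullptr);
}

// Insertion guarded by the early check.
bool appendChild(Document& doc, std::unique_ptr<Node> child) {
    if (!checkAllowsChild(doc, *child)) return false;
    doc.children.push_back(std::move(child));
    return true;
}

// Models the state the thread describes: the early check was bypassed and a
// second element child ended up under the Document. How that happens in
// Blink is not modelled here.
void appendChildUnchecked(Document& doc, std::unique_ptr<Node> child) {
    doc.children.push_back(std::move(child));
}

static void clearDirty(Node& n) {
    n.needsStyleRecalc = false;
    for (auto& c : n.children) clearDirty(*c);
}

// Style recalc starts at documentElement(), as comment 3 states, so any
// sibling element of the documentElement is never cleaned.
void updateStyle(Document& doc) {
    doc.needsStyleRecalc = false;
    if (Node* root = doc.documentElement()) clearDirty(*root);
}

// The later, wider check (stand-in for assertLayoutTreeUpdated): walk every
// child of the Document. Returns true only when no node is still dirty.
// Blink CHECKs this; returning a bool makes the outcome testable.
bool assertLayoutTreeUpdated(const Node& n) {
    if (n.needsStyleRecalc) return false;
    for (const auto& c : n.children)
        if (!assertLayoutTreeUpdated(*c)) return false;
    return true;
}

// Scenario 1: the invariant is violated; the wide later check catches it.
bool violatedTreeIsCaught() {
    Document doc;
    appendChild(doc, std::make_unique<Node>("html", true));
    appendChildUnchecked(doc, std::make_unique<Node>("div", true));
    updateStyle(doc);
    return !assertLayoutTreeUpdated(doc);   // true: the dirty second child was found
}

// Scenario 2: the early check holds; the second element is refused and the
// tree passes the later check.
bool guardedTreeIsClean() {
    Document doc;
    appendChild(doc, std::make_unique<Node>("html", true));
    bool accepted = appendChild(doc, std::make_unique<Node>("div", true));
    updateStyle(doc);
    return !accepted && assertLayoutTreeUpdated(doc);   // true
}
```

The two scenarios show why comment 4 favours a "duplicate" later check: the assertion that walks the whole Document subtree is what exposes a violation the insertion-time check missed, which is exactly how ClusterFuzz surfaced this case.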
Comment 6 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 7 by ClusterFuzz (Project Member), Mar 11 2017

ClusterFuzz has detected this issue as fixed in range 455565:456161.

Detailed report: https://clusterfuzz.com/testcase?key=5737243543339008

Fuzzer: bj_broddelwerk
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !node.needsStyleRecalc() in Document.cpp
  blink::assertLayoutTreeUpdated
  blink::Document::updateStyleAndLayoutTree
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=335195:335234
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=455565:456161

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97GiKnv3TrbPPlUyPEVMOwqFgC-uLY8BwaV_Wc-anW4vU-etr5myj13y-t8LOar2FRcUFLPhKWU9iGEQVcoojg24wgT993rBmo_41owifz1meulIwOsxMPSyiv5mLwjmNija6QqKCCbF5uCVaqPl44HMJmtvQ?testcase_id=5737243543339008


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Mar 11 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5737243543339008 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
