Crash in blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4985580394119168
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000518
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::Internals::updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasks
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=283013:284047
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97cHQthInmeNGR123b7CTHzcd05eRAIcwOx8NNRH--I3h9pQju-EwkD8EpN6xC_aHeO3z7jTkb-m9Qi1SGKmc420F5adQ-iZIizZ-j31FPuHShouJl-LdTlLyR6wZbUFduvDFgHXPSTKHGy4XwON8nZ2MKsGg?testcase_id=4985580394119168

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 28 2016
My change was mechanical replacement, so "not it". I also know nothing about style/layout... nainar@ - can you take a peek and see if you can route this appropriately?
Oct 28 2016
Correct me if I am wrong here but the two suspected CLs of mine are renames of functions. So not me. Passing on to rune@ to take a look.
Oct 28 2016
For added context this is what ClusterFuzz has to say:

Author: rune@opera.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/192cf55fa442b0f947d52f7343a76565c4622273
Time: Wed Mar 04 19:57:51 2015

The CL last changed line 1957 of file Document.cpp, which is stack frame 1. And the stack trace is as follows:

#0 0xaf8f30a in IgnoringPendingStylesheet third_party/WebKit/Source/core/dom/StyleEngine.h:67:31
#1 0xaf8f30a in blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets() third_party/WebKit/Source/core/dom/Document.cpp:1957
#2 0xaf8df52 in blink::Document::updateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks) third_party/WebKit/Source/core/dom/Document.cpp:1983:5
#3 0x53cc503 in blink::Internals::updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasks(blink::Node*, blink::ExceptionState&) third_party/WebKit/Source/core/testing/Internals.cpp:2007:15
#4 0x54e155b in updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasksMethod out/Release/gen/blink/bindings/core/v8/V8Internals.cpp:3785:11
#5 0x54e155b in blink::InternalsV8Internal::updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasksMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/core/v8/V8Internals.cpp:3793
#6 0x12d13d1 in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) v8/src/api-arguments.cc:21:3
#7 0x14b5ed9 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:106:36
#8 0x14b2db6 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:135:5
#7 0x7fd7079063a6 (<unknown module>)
#8 0x7fd7079778a5 (<unknown module>)
#9 0x7fd707949ee2 (<unknown module>)
#10 0x7fd707929f20 (<unknown module>)
#9 0x204248e in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>) v8/src/execution.cc:141:13
#10 0x20418d7 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:178:10
#11 0x12f342e in v8::Script::Run(v8::Local<v8::Context>) v8/src/api.cc:1848:23
#12 0xa4434b9 in blink::V8ScriptRunner::runCompiledScript(v8::Isolate*, v8::Local<v8::Script>, blink::ExecutionContext*) third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:417:26
#13 0xa3a05a9 in blink::ScriptController::executeScriptAndReturnValue(v8::Local<v8::Context>, blink::ScriptSourceCode const&, blink::AccessControlStatus) third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:149:21
#14 0xa3a6c54 in blink::ScriptController::evaluateScriptInMainWorld(blink::ScriptSourceCode const&, blink::AccessControlStatus, blink::ScriptController::ExecuteScriptPolicy) third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:395:35
#15 0xa3a7319 in blink::ScriptController::executeScriptInMainWorld(blink::ScriptSourceCode const&, blink::AccessControlStatus) third_party/WebKit/Source/bindings/core/v8/ScriptController.cpp:373:5
#16 0x11a97499 in blink::ScriptLoader::executeScript(blink::ScriptSourceCode const&) third_party/WebKit/Source/core/dom/ScriptLoader.cpp:429:21
#17 0x11a8dc40 in blink::ScriptLoader::prepareScript(WTF::TextPosition const&, blink::ScriptLoader::LegacyTypeSupport) third_party/WebKit/Source/core/dom/ScriptLoader.cpp:276:14
#18 0xb850667 in blink::HTMLScriptRunner::runScript(blink::Element*, WTF::TextPosition const&) third_party/WebKit/Source/core/html/parser/HTMLScriptRunner.cpp:427:23
#19 0xb84f9de in blink::HTMLScriptRunner::execute(blink::Element*, WTF::TextPosition const&) third_party/WebKit/Source/core/html/parser/HTMLScriptRunner.cpp:280:5
#20 0xb7f99d0 in runScriptsForPausedTreeBuilder third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:273:25
#21 0xb7f99d0 in blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >) third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:518
#22 0xb7f1c7f in blink::HTMLDocumentParser::pumpPendingSpeculations() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:575:36
#23 0x9f48671 in Invoke<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:164:12
#24 0x9f48671 in MakeItSo<void (*const &)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:283
#25 0x9f48671 in RunImpl<void (*const &)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), const std::__1::tuple<base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > > &, 0> base/bind_internal.h:346
#26 0x9f48671 in base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:324
#27 0x58fd540 in Run base/callback.h:388:12
#28 0x58fd540 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
#29 0x9f26756 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, blink::scheduler::internal::TaskQueueImpl::Task*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:320:19
#30 0x9f21a4d in blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:221:13
#31 0x58fd540 in Run base/callback.h:388:12
#32 0x58fd540 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:54
#33 0x5746578 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:488:19
#34 0x574740f in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:497:5
#35 0x574894e in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:621:13
#36 0x57527ed in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:35:31
#37 0x57bb4e4 in base::RunLoop::Run() base/run_loop.cc:35:10
#38 0x94cadbd in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:198:23
#39 0x3ee8cb1 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:343:14
#40 0x3eed556 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:786:12
#41 0x3ed1cdd in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
#42 0x514c8a in main content/shell/app/shell_main.cc:48:10
#43 0x7fd8825f4f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
Oct 28 2016
git blame for finding the offending CL is almost never correct, and I doubt mine is to blame, but the crash is straightforward to reproduce, and it should be simple to fix.
Oct 28 2016 (three comments with no text)
Oct 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d2c8b4221a2dfd70b8445df939697e543e98b69a

commit d2c8b4221a2dfd70b8445df939697e543e98b69a
Author: rune <rune@opera.com>
Date: Fri Oct 28 07:47:03 2016

Missing document null pointer check in Internals.

updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasks did not check if the document was null before using it.

R=nainar@chromium.org
BUG=657443
Review-Url: https://codereview.chromium.org/2461633002
Cr-Commit-Position: refs/heads/master@{#428312}

[add] https://crrev.com/d2c8b4221a2dfd70b8445df939697e543e98b69a/third_party/WebKit/LayoutTests/fast/harness/internals-no-document-crash-expected.txt
[add] https://crrev.com/d2c8b4221a2dfd70b8445df939697e543e98b69a/third_party/WebKit/LayoutTests/fast/harness/internals-no-document-crash.html
[modify] https://crrev.com/d2c8b4221a2dfd70b8445df939697e543e98b69a/third_party/WebKit/Source/core/testing/Internals.cpp
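A reduced model of the defect the commit above describes, added here as an illustration and not Blink's code: the Internals helper resolves a Document from the Node it is given, and the fixed version reports an exception when that Document is null instead of dereferencing it. The Node/Document/ExceptionState stand-ins, the node-to-document dispatch and the error messages are assumptions for this example.

```cpp
#include <string>

// Constructed stand-ins for the Blink types involved; not Blink's code.
struct Document {
    int layoutsRun = 0;
    void updateStyleAndLayoutIgnorePendingStylesheets() { ++layoutsRun; }
};

// A node is modelled as a document node, an iframe (whose content document
// may be null, e.g. once the frame is detached), or anything else.
struct Node {
    enum Kind { DocumentNode, IFrame, Other } kind;
    Document* doc;  // the document itself, or the iframe's content document
};

struct ExceptionState {
    bool hadException = false;
    std::string message;
    void throwDOMException(const std::string& msg) { hadException = true; message = msg; }
};

// Picks the Document the helper should lay out. A null result is the case the
// original code dereferenced: ASan's read at 0x518 is consistent with a null
// pointer plus a member offset rather than a wild pointer.
static Document* resolveDocument(Node* node, Document* contextDocument,
                                 ExceptionState& es) {
    if (!node)
        return contextDocument;
    if (node->kind == Node::DocumentNode || node->kind == Node::IFrame)
        return node->doc;
    es.throwDOMException("The node provided is neither a document nor an iframe.");
    return nullptr;
}

// Fixed helper: a null document becomes a reported exception instead of a
// crash. Returns true only when layout actually ran.
bool updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasks(
        Node* node, Document* contextDocument, ExceptionState& es) {
    Document* document = resolveDocument(node, contextDocument, es);
    if (es.hadException)
        return false;
    if (!document) {  // the check the commit adds
        es.throwDOMException("No document is available for this node.");
        return false;
    }
    document->updateStyleAndLayoutIgnorePendingStylesheets();
    return true;
}
```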
Oct 28 2016 (comment with no text)
Oct 29 2016
ClusterFuzz has detected this issue as fixed in range 428077:428348.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4985580394119168
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000518
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::Internals::updateLayoutIgnorePendingStylesheetsAndRunPostLayoutTasks
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=283013:284047
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=428077:428348
Minimized Testcase (0.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97cHQthInmeNGR123b7CTHzcd05eRAIcwOx8NNRH--I3h9pQju-EwkD8EpN6xC_aHeO3z7jTkb-m9Qi1SGKmc420F5adQ-iZIizZ-j31FPuHShouJl-LdTlLyR6wZbUFduvDFgHXPSTKHGy4XwON8nZ2MKsGg?testcase_id=4985580394119168

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 31 2016
Issue 582494 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Oct 27 2016
Status: Assigned (was: Untriaged)