Crash in hasDeepOrShadowSelector

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5011658356555776
Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  hasDeepOrShadowSelector
  shouldCheckScope
  blink::StyleResolver::collectTreeBoundaryCrossingRulesV0CascadeOrder
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=427199:427353
Minimized Testcase (0.36 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96R3CVStGw8ctAPpK8xLieigNOjj_tdZa1NtapoLXlOUR6foffKSvEi08Ut8BvlgNGcDyA3rdRnVNO-M9jkd02i9qXbtjEUR-M40J1x5LXpcocRrlYnuqT34TFG7iMK0VaNeLXDJEBziNxCFCLqv7Xu17gNBg?testcase_id=5011658356555776

```html
boto/ro<head>
<link rel="import">
<style shim-shadowdom>
body { }
paper-toggle-button.blue::shadow paper-radio-button::shadow #onRadio {
</style>
<script type="text/javascript">
for(x=0;x<5;x++){ document.styleSheets[0].disabled=true;; }
setInterval(function(){ })
setTimeout(function(){ })
setTimeout({ },0)
setTimeout()
for(x=0;x<3;x++){ }
</script>
```

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Oct 27 2016
Hey Rune, clusterfuzz is reporting that it thinks that https://codereview.chromium.org/2443933002 caused this crash. Would you be able to take a look at it? The test case is pasted above, and the stack trace was this:

```
==24278==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f306a412d08 bp 0x7fffe8ad0510 sp 0x7fffe8ad04c0 T0)
==24278==The signal is caused by a READ memory access.
==24278==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f306a412d07 in hasDeepOrShadowSelector third_party/WebKit/Source/core/css/resolver/ScopedStyleResolver.h:75:49
    #1 0x7f306a412d07 in shouldCheckScope third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:481
    #2 0x7f306a412d07 in blink::StyleResolver::collectTreeBoundaryCrossingRulesV0CascadeOrder(blink::Element const&, blink::ElementRuleCollector&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:681
    #3 0x7f306a4122a1 in blink::StyleResolver::matchAuthorRulesV0(blink::Element const&, blink::ElementRuleCollector&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:573:3
    #4 0x7f306a413f5f in blink::StyleResolver::matchAllRules(blink::StyleResolverState&, blink::ElementRuleCollector&, bool) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:638:3
    #5 0x7f306a417105 in blink::StyleResolver::styleForElement(blink::Element*, blink::ComputedStyle const*, blink::StyleSharingBehavior, blink::RuleMatchingBehavior) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:831:5
    #6 0x7f306a566c8c in blink::Document::inheritHtmlAndBodyElementStyles(blink::StyleRecalcChange) third_party/WebKit/Source/core/dom/Document.cpp:1602:31
    #7 0x7f306a56d9cc in blink::Document::updateStyle() third_party/WebKit/Source/core/dom/Document.cpp:1910:5
    #8 0x7f306a55b6c1 in blink::Document::updateStyleAndLayoutTree() third_party/WebKit/Source/core/dom/Document.cpp:1840:3
    #9 0x7f306a5b0aaf in blink::Document::finishedParsing() third_party/WebKit/Source/core/dom/Document.cpp:5108:7
    #10 0x7f306b34aa01 in end third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:931:18
    #11 0x7f306b34aa01 in attemptToRunDeferredScriptsAndEnd third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:943
    #12 0x7f306b34aa01 in blink::HTMLDocumentParser::prepareToStopParsing() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:251
    #13 0x7f306b35545e in blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser(std::__1::unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> >) third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:530:9
    #14 0x7f306b34cee4 in blink::HTMLDocumentParser::pumpPendingSpeculations() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:613:9
    #15 0x7f306b36213d in blink::HTMLDocumentParser::resumeParsingAfterScriptExecution() third_party/WebKit/Source/core/html/parser/HTMLDocumentParser.cpp:1061:5
    #16 0x7f30690197e1 in Invoke<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:164:12
    #17 0x7f30690197e1 in MakeItSo<void (*const &)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:285
    #18 0x7f30690197e1 in RunImpl<void (*const &)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), const std::__1::tuple<base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > > &, 0> base/bind_internal.h:361
    #19 0x7f30690197e1 in base::internal::Invoker<base::internal::BindState<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:339
    #20 0x7f3060e8f4bd in Run base/callback.h:47:12
    #21 0x7f3060e8f4bd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:52
    #22 0x7f306905b379 in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:358:19
    #23 0x7f3069056099 in blink::scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:250:13
    #24 0x7f3060e8f4bd in Run base/callback.h:47:12
    #25 0x7f3060e8f4bd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:52
    #26 0x7f3060c9d067 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:413:19
    #27 0x7f3060c9da7f in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:422:5
    #28 0x7f3060c9ed3a in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:515:13
    #29 0x7f3060cab67d in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:35:31
    #30 0x7f3060c9c3a3 in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:378:10
    #31 0x7f3060d2dd44 in base::RunLoop::Run() base/run_loop.cc:35:10
    #32 0x7f306df270fb in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:198:23
    #33 0x7f305fd891d4 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:336:14
    #34 0x7f305fd8da23 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:776:12
    #35 0x7f305fd87f5d in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
    #36 0x7f305a2686c2 in ChromeMain chrome/app/chrome_main.cc:97:12
    #37 0x7f304edbdec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
```
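The trace in the comment above is a raw AddressSanitizer SEGV report, and the three-line Crash State in the issue description is what ClusterFuzz derives from its top frames to deduplicate reports. The following is an added example, not ClusterFuzz's own code and not part of this bug: it parses the header and frames of such a report (its sample is the header plus the first five frames copied from the trace above), strips argument and template lists from the symbols, and rebuilds the crash state and the null-dereference classification. The three-frame rule and the "fault address below one page means NULL plus a field offset" heuristic are assumptions of this example, chosen because they reproduce what the report shows; ClusterFuzz's real logic also skips sanitizer and libc frames, which this sample does not exercise.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Header and first five frames of the ASan report from the comment above
# (the full trace has 38 frames; these are enough for the crash state).
ASAN_REPORT = """\
==24278==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f306a412d08 bp 0x7fffe8ad0510 sp 0x7fffe8ad04c0 T0)
==24278==The signal is caused by a READ memory access.
==24278==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
    #0 0x7f306a412d07 in hasDeepOrShadowSelector third_party/WebKit/Source/core/css/resolver/ScopedStyleResolver.h:75:49
    #1 0x7f306a412d07 in shouldCheckScope third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:481
    #2 0x7f306a412d07 in blink::StyleResolver::collectTreeBoundaryCrossingRulesV0CascadeOrder(blink::Element const&, blink::ElementRuleCollector&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:681
    #3 0x7f306a4122a1 in blink::StyleResolver::matchAuthorRulesV0(blink::Element const&, blink::ElementRuleCollector&) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:573:3
    #4 0x7f306a413f5f in blink::StyleResolver::matchAllRules(blink::StyleResolverState&, blink::ElementRuleCollector&, bool) third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:638:3
"""

# A frame is "#N 0xADDR in SYMBOL LOCATION"; the symbol may contain spaces
# (argument lists), the location (file:line[:col]) never does.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+)\s+(\S+)$")
HEADER_RE = re.compile(r"AddressSanitizer: (\S+) on unknown address 0x([0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
SCARINESS_RE = re.compile(r"^SCARINESS: (\d+) \((.*)\)")


@dataclass
class Frame:
    index: int
    symbol: str      # as printed, including argument/template lists
    location: str    # file:line[:col]


@dataclass
class CrashSummary:
    signal: str
    address: int
    access: Optional[str]
    scariness: Optional[int]
    scariness_label: Optional[str]
    frames: List[Frame]

    @property
    def null_deref(self) -> bool:
        # Assumption: a fault inside the first page (ASan's "zero page" hint)
        # is a NULL object pointer plus a small field offset, not a wild pointer.
        return self.address < 0x1000

    def crash_state(self, depth: int = 3) -> List[str]:
        # Assumption: top `depth` frames with signatures stripped; this
        # reproduces the Crash State lines shown in the issue description.
        return [strip_signature(f.symbol) for f in self.frames[:depth]]


def strip_signature(symbol: str) -> str:
    """Drop balanced (...) and <...> groups, keeping the qualified name.

    Does not special-case operator< or operator(); adequate for Blink frames.
    """
    out, depth = [], 0
    for ch in symbol:
        if ch in "(<":
            depth += 1
        elif ch in ")>":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out).strip()


def parse_asan_report(text: str) -> CrashSummary:
    signal = access = label = None
    address = scariness = None
    frames: List[Frame] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            signal, address = m.group(1), int(m.group(2), 16)
            continue
        m = ACCESS_RE.search(line)
        if m:
            access = m.group(1)
            continue
        m = SCARINESS_RE.match(line)
        if m:
            scariness, label = int(m.group(1)), m.group(2)
            continue
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if signal is None or address is None or not frames:
        raise ValueError("not an ASan SEGV report with a stack trace")
    return CrashSummary(signal, address, access, scariness, label, frames)


if __name__ == "__main__":
    summary = parse_asan_report(ASAN_REPORT)
    print(summary.signal, hex(summary.address), summary.access,
          "null-deref" if summary.null_deref else "wild-pointer")
    print("\n".join(summary.crash_state()))
```

The reconstructed crash state matches the three lines ClusterFuzz reports, and the fault address 0x38 is a member read through a null object pointer (a field offset added to NULL), which is consistent with the SCARINESS: 10 (null-deref) line rather than a memory-corruption primitive.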
Oct 27 2016

Oct 27 2016

Oct 27 2016

Oct 28 2016
ClusterFuzz has detected this issue as fixed in range 427578:427987.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5011658356555776
Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  hasDeepOrShadowSelector
  shouldCheckScope
  blink::StyleResolver::collectTreeBoundaryCrossingRulesV0CascadeOrder
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=427199:427353
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=427578:427987
Minimized Testcase (0.36 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96R3CVStGw8ctAPpK8xLieigNOjj_tdZa1NtapoLXlOUR6foffKSvEi08Ut8BvlgNGcDyA3rdRnVNO-M9jkd02i9qXbtjEUR-M40J1x5LXpcocRrlYnuqT34TFG7iMK0VaNeLXDJEBziNxCFCLqv7Xu17gNBg?testcase_id=5011658356555776

```html
boto/ro<head>
<link rel="import">
<style shim-shadowdom>
body { }
paper-toggle-button.blue::shadow paper-radio-button::shadow #onRadio {
</style>
<script type="text/javascript">
for(x=0;x<5;x++){ document.styleSheets[0].disabled=true;; }
setInterval(function(){ })
setTimeout(function(){ })
setTimeout({ },0)
setTimeout()
for(x=0;x<3;x++){ }
</script>
```

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Oct 26 2016
Status: Assigned (was: Untriaged)