This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

mstensho, could you please take a look or help with assigning this to the right person? Only https://chromium.googlesource.com/chromium/src/+/0740b0dfd20e2f99cddc773e0fe1460ef05da508 in the regression range looked relevant to me.

Caused by https://chromium.googlesource.com/chromium/src/+/0f77a4ef8c0218492b5b8689a793b34b0f5a34d8

Thanks mstensho! 

ClusterFuzz has detected this issue as fixed in range 436323:436519.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5132508879650816

Fuzzer: puzzor
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x611000033a80
Crash State:
  blink::LayoutObjectChildList::destroyLeftoverChildren
  blink::LayoutObject::willBeDestroyed
  blink::LayoutBoxModelObject::willBeDestroyed
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=436006:436201
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=436323:436519

Minimized Testcase (2.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95HmkBE4-c8UzsNb2T4PStoqyr6MEShxC8DlHMSmcu9o9RubMerge8m11dmeVzvVFUT6CB7u4OlRcbskYalTZ1G-NbCKzDIJckaoXkFbsXtzcbk1iLC6n142Aw5RFAPAMhrYFeIx2WFpTAWA_hYOgcv0dymyw?testcase_id=5132508879650816

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot