This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

malaykeshav: do you mind taking a look at this?

ClusterFuzz has detected this issue as fixed in range 440808:440829.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6105630088888320

Fuzzer: bj_broddelwerk
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f30e0c586d8
Crash State:
  Bad-cast to blink::LayoutBox from blink::LayoutInline
  blink::LayoutInline::addChildIgnoringContinuation
  blink::LayoutBox::clientLeft
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=437599:437697
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=440808:440829

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97slTpzGA9TWu1ugFFTj7VGjo4zBppOmub_kstUl1MtFtjRBtBF6tv-KXdjWs1QrtUFRGvZJns03R31J23HqtIPvTOlu8SVIX3gbMUA46kxvg1VN7neaiU0AbUYUYNbjSu8dm1hEIhhCZvnAq1H-EbYN6LxrA?testcase_id=6105630088888320
<style>
*{-webkit-line-box-contain:glyphs;display:initial;}
.CLASS6{vertical-align:middle;-webkit-backface-visibility:hidden;}
.CLASS9{bookmark-target:attr(onkeyup);clip-path:url("TODO");</style>
<dl class="CLASS9 CLASS13">
<select class="CLASS6 CLASS14">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6105630088888320 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot