Assigning to style TL for further triage.

Crashes spiked in M-57 from chrome version: 57.0.2954.0 and is #1 renderer crash on the latest canary(57.0.2954.0) of Mac.

Link to the crashes:
====================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ARuleFeatureSet%3A%3Aadd%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

Considering below as the changelog:
===================================
https://chromium.googlesource.com/chromium/src/+log/57.0.2953.0..57.0.2954.0?pretty=fuller&n=10000

Suspecting: https://codereview.chromium.org/2557533005 by rune@.

rune@: Could you please take a look at these crashes.

Thank you!

Users experienced this crash on the following builds:

Win Canary 57.0.2955.0 -  0.57 CPM, 7 reports, 7 clients (signature blink::RuleFeatureSet::add)
Mac Canary 57.0.2955.0 -  31.17 CPM, 63 reports, 41 clients (signature blink::RuleFeatureSet::add)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

Pinged (sashab@ - reviewer of the above CL) offline and waiting for the reply.

Thank you!

Sorry - I didn't review that CL, best to let esprehn@ take a look.

I get the feeling that is the correct CL, though. Rune@ might be able to debug.

Full stack, the crash looks like a nullptr crept in somewhere probably from that empty media query block? That does look like the right CL.

There's a null check here:
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/css/resolver/ScopedStyleResolver.cpp?dr=C&sq=package:chromium&rcl=1482150271&l=96

which should prevent an entry in m_authorStyleSheets with a null RuleSet, but if anything calls clearRuleSet() that can make the ->ruleSet() getter return null even if the entry in the ActiveStyleSheetVector still has one.

We probably need to plumb that ruleset around somewhere or add some more null checks? The problem is when redoing the sheet collection process when we've already done the initial pass adding sheets I think.

#0 0x12d9e799 in end third_party/WebKit/Source/wtf/HashTable.h:713:39
#1 0x12d9e799 in begin third_party/WebKit/Source/wtf/HashTable.h:710
#2 0x12d9e799 in begin third_party/WebKit/Source/wtf/HashMap.h:393
#3 0x12d9e799 in blink::RuleFeatureSet::add(blink::RuleFeatureSet const&) third_party/WebKit/Source/core/css/RuleFeature.cpp:887
#4 0xb88cd7c in blink::ScopedStyleResolver::collectFeaturesTo(blink::RuleFeatureSet&, blink::HeapHashSet<blink::Member<blink::StyleSheetContents const>, WTF::MemberHash<blink::StyleSheetContents const>, WTF::HashTraits<blink::Member<blink::StyleSheetContents const> > >&) const third_party/WebKit/Source/core/css/resolver/ScopedStyleResolver.cpp:120:16
#5 0xbc4e27e in blink::StyleEngine::collectScopedStyleFeaturesTo(blink::RuleFeatureSet&) const third_party/WebKit/Source/core/dom/StyleEngine.cpp:569:39
#6 0x12d46632 in blink::CSSGlobalRuleSet::update(blink::Document&) third_party/WebKit/Source/core/css/CSSGlobalRuleSet.cpp:66:26
#7 0xba550e1 in setContainsFullScreenElement third_party/WebKit/Source/core/dom/Element.cpp:3364:28
#8 0xba550e1 in blink::Element::setContainsFullScreenElementOnAncestorsCrossingFrameBoundaries(bool) third_party/WebKit/Source/core/dom/Element.cpp:3393
#9 0xbacdb34 in blink::Fullscreen::didEnterFullscreen() third_party/WebKit/Source/core/dom/Fullscreen.cpp:661:9
#10 0xa63f0c3 in blink::FullscreenController::didEnterFullscreen() third_party/WebKit/Source/web/FullscreenController.cpp:88:21
#11 0x9781bb1 in content::RenderWidget::Resize(content::ResizeParams const&) content/renderer/render_widget.cc:0:21
#12 0x974e820 in content::RenderViewImpl::OnResize(content::ResizeParams const&) content/renderer/render_view_impl.cc:2339:17

This is mine, for sure.

https://codereview.chromium.org/2590793003/#

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0c3e8777424678b81c5306e832391050f65cb170

commit 0c3e8777424678b81c5306e832391050f65cb170
Author: rune <rune@opera.com>
Date: Tue Dec 20 13:16:09 2016

Don't update global ruleset when active style is dirty.

CSSGlobalRuleSet should always be collected as part of the active style
update. RuleSets may have been cleared from StyleSheetContents as a
result of media query changes for instance.

For the given issue, we tried to limit to a global ruleset when lazy-
loading fullscreen UA style, but as part of going fullscreen we had
already cleared rule sets for stylesheets with media queries due to the
media feature change.

BUG= 675439 

Review-Url: https://codereview.chromium.org/2590793003
Cr-Commit-Position: refs/heads/master@{#439781}

[add] https://crrev.com/0c3e8777424678b81c5306e832391050f65cb170/third_party/WebKit/LayoutTests/fullscreen/full-screen-ruleset-crash.html
[modify] https://crrev.com/0c3e8777424678b81c5306e832391050f65cb170/third_party/WebKit/Source/core/dom/StyleEngine.cpp
[modify] https://crrev.com/0c3e8777424678b81c5306e832391050f65cb170/third_party/WebKit/Source/core/dom/StyleEngine.h

 Issue 675542  has been merged into this issue.

Thanks Rune, this saved me from digging into  issue 675542 !

ClusterFuzz has detected this issue as fixed in range 439765:439794.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4662619744239616

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000000dc
Crash State:
  blink::RuleFeatureSet::add
  blink::ScopedStyleResolver::collectFeaturesTo
  blink::StyleEngine::collectScopedStyleFeaturesTo
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=438123:438157
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=439765:439794

Minimized Testcase (0.53 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96He-Hs_QZYd0hagge2ueVDnTJSUKYRseEsMnCyuMLmeQNK4DJhlgeJF-5j0MFuVa2OSL4uQah2fxQNJ7PCD_uAgG-UQ1ZeEFiKnhP1Nu6zEAM8UOw3tJJhGU-Qja8dydClsc4nwk3MVjJxLOZbfRkV8Zwd-A?testcase_id=4662619744239616
  <style type="text/css">
@media braille {
  </style>
  <script>
function elementCenter(e)
{
    return {
        x: e.offsetLeft + e.offsetWidth / 2,
        y: e.offsetTop + e.offsetHeight / 2
    }
}
; 
</script>
  <button id="enter" onclick="document.body.webkitRequestFullScreen()">
<script>

    enterButton = document.getElementById('enter');
    var enterButtonCenter = elementCenter(enterButton);
    eventSender.mouseMoveTo(enterButtonCenter.x, enterButtonCenter.y);
    eventSender.mouseDown();
    eventSender.mouseUp();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.