Crash in blink::IntersectionObserver::trackingDocument
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6405231756967936

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000001f
Crash State:
  blink::IntersectionObserver::trackingDocument
  blink::ElementIntersectionObserverData::activateValidIntersectionObservers
  blink::Element::insertedInto

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=440977:440981

Minimized Testcase (0.46 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv940T8eCEuDoEDDAY0EZJUy0hnb7clEAR627Dcmu3NTG_YWT6ShKRzq_BAb0_gQ0h9rxVOZrr168TNHt20Qj-CJqKIcqH03EJ_nKBtGCkdRgGqjt-4NgawHdw09QCKyjkkKrPF54MxZiNtZ1vyoDE7ya6eOHrgVqJ20HZZ-JEwLOY9I533w1xYlTGLkS-4hCfTANlLgSp1L1vtG8zhbcGv3jQESso7Wu3cD1mpqg6utnHtvaiqV-lRY1MLKDcQ0OsBrgbTl0GwtSM_i1BcPz5fj7fW60jGgMntM3r-wkDu8sVNYGExvV1cT83VsTvMvUXj7JKn-wHyiykYnfQK4fcNAzJsPlHnHilisQfrdwBP7udBpquUs?testcase_id=6405231756967936

<script src=../resources/js-test.js></script>
<script src=../resources/intersection-observer-helper-functions.js></script>
<div id=root> </div>
<script>
description();
var entries = [];
var observer = new IntersectionObserver(
    changes => { },
    { root: root }
);
function initCF() { }
tCFEvent8886 = 0;
function tCF_custom_1() { }
tCFDoc5594 = document.implementation.createDocument("", null);
tCFDoc5594.appendChild(root);
;
</script>

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 3 2017
Jan 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/33233d198c4f17bc6016bb2f9f59e64232c7f541

commit 33233d198c4f17bc6016bb2f9f59e64232c7f541
Author: szager <szager@chromium.org>
Date: Fri Jan 06 01:56:00 2017

Get rid of obsolete FrameView::m_shouldUpdateViewportIntersection.

This was originally intended as an optimization, but now that all
intersection tracking happens through IntersectionObserver, and all
active observers must run on each frame, it makes no sense to
short-circuit the recursion in updateViewportIntersectionsForSubtree.

This also allows us to remove IntersectionObserver::trackingDocument,
which was a wart introduced to fix a bug where observers defined in
subframes were not generating IntersectionObserver notifications, as
discussed here:

https://codereview.chromium.org/2553343004

BUG= 677620
R=skyostil@chromium.org

Review-Url: https://codereview.chromium.org/2610963003
Cr-Commit-Position: refs/heads/master@{#441811}

[add] https://crrev.com/33233d198c4f17bc6016bb2f9f59e64232c7f541/third_party/WebKit/LayoutTests/intersection-observer/tracking-document.html
[modify] https://crrev.com/33233d198c4f17bc6016bb2f9f59e64232c7f541/third_party/WebKit/Source/core/dom/IntersectionObserver.cpp
[modify] https://crrev.com/33233d198c4f17bc6016bb2f9f59e64232c7f541/third_party/WebKit/Source/core/frame/FrameView.cpp
[modify] https://crrev.com/33233d198c4f17bc6016bb2f9f59e64232c7f541/third_party/WebKit/Source/core/frame/FrameView.h
Jan 12 2017
ClusterFuzz has detected this issue as fixed in range 441510:441524.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6405231756967936

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000001f
Crash State:
  blink::IntersectionObserver::trackingDocument
  blink::ElementIntersectionObserverData::activateValidIntersectionObservers
  blink::Element::insertedInto

Memory Tool: SYZYASAN

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=440977:440981
Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=441510:441524

Minimized Testcase (0.46 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv940T8eCEuDoEDDAY0EZJUy0hnb7clEAR627Dcmu3NTG_YWT6ShKRzq_BAb0_gQ0h9rxVOZrr168TNHt20Qj-CJqKIcqH03EJ_nKBtGCkdRgGqjt-4NgawHdw09QCKyjkkKrPF54MxZiNtZ1vyoDE7ya6eOHrgVqJ20HZZ-JEwLOY9I533w1xYlTGLkS-4hCfTANlLgSp1L1vtG8zhbcGv3jQESso7Wu3cD1mpqg6utnHtvaiqV-lRY1MLKDcQ0OsBrgbTl0GwtSM_i1BcPz5fj7fW60jGgMntM3r-wkDu8sVNYGExvV1cT83VsTvMvUXj7JKn-wHyiykYnfQK4fcNAzJsPlHnHilisQfrdwBP7udBpquUs?testcase_id=6405231756967936

<script src=../resources/js-test.js></script>
<script src=../resources/intersection-observer-helper-functions.js></script>
<div id=root> </div>
<script>
description();
var entries = [];
var observer = new IntersectionObserver(
    changes => { },
    { root: root }
);
function initCF() { }
tCFEvent8886 = 0;
function tCF_custom_1() { }
tCFDoc5594 = document.implementation.createDocument("", null);
tCFDoc5594.appendChild(root);
;
</script>

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 12 2017
ClusterFuzz testcase 6405231756967936 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by durga.behera@chromium.org, Dec 30 2016
Labels: Test-Predator-Wrong M-57
Owner: szager@chromium.org
Status: Assigned (was: Untriaged)