kochi@, this is a P1 that hasn't been triaged yet, could you please take a look?

Identified the root cause, and working on a fix to it.

When appendChild()/adoptNode() moves a node between different documents,
any focused node under moving node will be cleared, but it is done before
"unload" event is dispatched.  This repro case sets focus on such a moving element
in "unload" event handler - which results in an inconsistent focus state, that
the iframe document's focused element points to the element which already
moved out of the document tree.

The assertion caught that condition.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b16ecc7508fb9da7626dad7708d04b1f745c54e1

commit b16ecc7508fb9da7626dad7708d04b1f745c54e1
Author: kochi <kochi@chromium.org>
Date: Fri Feb 17 09:10:38 2017

Fix stale focusedElement in unloaded document.

When appendChild()/adoptNode() moves a node between different documents,
any focused node under moving node will be cleared, but it is done before
"unload" event is dispatched.

So if combined with <iframe>, focusing that frame in "unload" event can
trigger stale focused element reference from the old document tree.

This CL tries to fix that by checking if the element is the owner of
the frame that is being unloaded.

BUG= 677690 

Review-Url: https://codereview.chromium.org/2692423006
Cr-Commit-Position: refs/heads/master@{#451271}

[add] https://crrev.com/b16ecc7508fb9da7626dad7708d04b1f745c54e1/third_party/WebKit/LayoutTests/fast/loader/crash-focus-in-unload.html
[modify] https://crrev.com/b16ecc7508fb9da7626dad7708d04b1f745c54e1/third_party/WebKit/Source/core/dom/Element.cpp

ClusterFuzz has detected this issue as fixed in range 451236:451278.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6556153971736576

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !document().isActive() || !document().needsLayoutTreeUpdateForNode(*this) in Ele
  blink::Element::isFocusable
  blink::Document::updateStyleAndLayoutTree
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=373758:373795
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=451236:451278

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97uqC_80alv7IcVZCq-fIhPusG2l2FEe8Z9AVorn6o8KioK13nabC114Ge4F0bT74YA5PY3gGva0MvUCXCmOQO6KNoNj7u6Ya11sog9KzGwmRVsx0L6pKZ8PErdrpQ_Cd-iq3H8D0KGyu3icazHbJWJpViBGQ?testcase_id=6556153971736576


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 451236:451278.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6556153971736576

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !document().isActive() || !document().needsLayoutTreeUpdateForNode(*this) in Ele
  blink::Element::isFocusable
  blink::Document::updateStyleAndLayoutTree
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=373758:373795
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=451236:451278

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97uqC_80alv7IcVZCq-fIhPusG2l2FEe8Z9AVorn6o8KioK13nabC114Ge4F0bT74YA5PY3gGva0MvUCXCmOQO6KNoNj7u6Ya11sog9KzGwmRVsx0L6pKZ8PErdrpQ_Cd-iq3H8D0KGyu3icazHbJWJpViBGQ?testcase_id=6556153971736576


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.