Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4668640680214528

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !source->parentNode() in Document.cpp
  blink::Document::adoptNode
  blink::V8Document::adoptNodeMethodCallback

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=454203:454233

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95zfyfg-SugXjVrN7ql4jsPLohWlpzJfQbakk0ffn8USjfuLboP0kFLEsyYOa4O0hgJhjaMGgvo6pFeQ5AmDw9Pv7UYt5sBlBDkqTgXuXju59Kpuz-m2NOQh3OIcdSScnpuxVPLP2UHweW-nWxxqZswHLWY-4ZFJ5d-ZNjDLVtvD4BanSvQFOz2c7GAw7AdjbmFSNMHxobs0EeNKjdrhdRrD2u51MNylAcNQWWxsmz0lxMDZ-cII1ePMNZyYZG7XqxoaUwmd5lBLpx54C9wCkWTFnAZ1JBpNM-5wSTgubhmAcoEbRwXZyn8b6aYGeZdipbSGhriOP6eyNBJNKTcPgtKTFvmdKwMHArbcO4mYEUYPxMUGyI?testcase_id=4668640680214528

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
This looks to be fixed here crbug.com/697737#c3, ran Redo fix if it's really fixed it.
Still reproducible with ToT.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/99c1f4221e4374df51ebb65b24be45400dff150a

commit 99c1f4221e4374df51ebb65b24be45400dff150a
Author: tkent <tkent@chromium.org>
Date: Wed Mar 15 06:48:48 2017

DOM: adoptNode() should not crash by reparenting the specified node in removeChild().

BUG=698574
Review-Url: https://codereview.chromium.org/2752673003
Cr-Commit-Position: refs/heads/master@{#457015}

[add] https://crrev.com/99c1f4221e4374df51ebb65b24be45400dff150a/third_party/WebKit/LayoutTests/dom/document/adoptNode-reparenting-crash.html
[modify] https://crrev.com/99c1f4221e4374df51ebb65b24be45400dff150a/third_party/WebKit/Source/core/dom/Document.cpp
ClusterFuzz has detected this issue as fixed in range 456626:457736.

Detailed report: https://clusterfuzz.com/testcase?key=4668640680214528

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !source->parentNode() in Document.cpp
  blink::Document::adoptNode
  blink::V8Document::adoptNodeMethodCallback

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=454203:454233
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=456626:457736

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97kzMjXhtXxi_F7vmQ3RYTprSMkxrT0LpdlK3HMjfyH1UYnfx6Q6PqsQGsPHFBim6K41ib0WybHGm5BeXW-zZ1IY2VsB8pGShg7wIUae2qTybv0SnlUoEUk7Vv3jCmETwtkvReJk9Xyv2j6T3onhX5IVL0HoDH0Av-sRgIXbk56T_xgD9iZVFAyRm9xLgWY8-7EEwKfeDfv5QE89t-Yg4_Ppqrlzymb-LzCdrp-3ITexbVLLbU1MUiI96CrOiegzhp9xoZZ6nJ7e3oHh967IDWDTiGZ4VOwPhakYDLB3YMALwiD-c4HASgJYIXuWTQs69x3Nb4wyR5RfC8nzX9bFvWOqknL5vhyhz9BcXx18TMDI1w5AsjC9tTTXwhJ3OrDA_d8s0t0iwhf2r1MlRt-wH5fvnCK6g?testcase_id=4668640680214528

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.