Predator and CL did not provide any possible suspects.
Using Code Search for the file, "Document.cpp" assigning to concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/ed375c02e956ef832e8ed6223435f0d78d6bdf77

@dcheng -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

My CL only renames some things. +tkent@ for triage

Looks like an issue related to animation/paint.

I don't think this is animation related. The minimised repro case doesn't use any animations as far as I can tell.

Note that this does repro in a normal debug build of Chromium (ASAN is not needed).

I'll dig a little to see whom to blame.

A <meter> element seems to be playing a central role here (the nested document can be minimized to a <meter> and a child) - one having a descendant removed. The crash itself requires experimental features enabled (the trigger is within compositor-worker RUF.)

Some additional digging seems to indicate that this is a Shadow DOM (re)distribution issue:

Relevant stack:

#0  blink::FrameView::ScheduleRelayout (this=0xdd605be2478) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:2286
#1  0x00007fffea6f8aef in blink::LayoutObject::ScheduleRelayout (this=0x21ad4ce04010) at ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:3020
#2  0x00007fffea6f870a in blink::LayoutObject::MarkContainerChainForLayout (this=0x21ad4ce10950, schedule_relayout=true, layouter=0x0) at ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:834
#3  0x00007fffe9d5a427 in blink::LayoutObject::SetNeedsLayout (this=0x21ad4ce10950, reason=0x7fffeb7e1d10 <blink::LayoutInvalidationReason::kRemovedFromLayout> "Removed from layout", mark_parents=blink::kMarkContainerChain, layouter=0x0) at ../../third_party/WebKit/Source/core/layout/LayoutObject.h:2672
#4  0x00007fffe9d5a168 in blink::LayoutObject::SetNeedsLayoutAndPrefWidthsRecalc (this=0x21ad4ce10950, reason=0x7fffeb7e1d10 <blink::LayoutInvalidationReason::kRemovedFromLayout> "Removed from layout") at ../../third_party/WebKit/Source/core/layout/LayoutObject.h:1026
#5  0x00007fffea70a5ab in blink::LayoutObjectChildList::RemoveChildNode (this=0x21ad4ce10208, owner=0x21ad4ce10138, old_child=0x21ad4ce10950, notify_layout_object=true) at ../../third_party/WebKit/Source/core/layout/LayoutObjectChildList.cpp:71
#6  0x00007fffea6f6963 in blink::LayoutObject::RemoveChild (this=0x21ad4ce10138, old_child=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:359
#7  0x00007fffea630409 in blink::LayoutBlockFlow::RemoveChild (this=0x21ad4ce10138, old_child=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:3071
#8  0x00007fffea6b85c4 in blink::LayoutObject::Remove (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutObject.h:1551
#9  0x00007fffea701790 in blink::LayoutObject::WillBeDestroyed (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:2644
#10 0x00007fffea67c748 in blink::LayoutBoxModelObject::WillBeDestroyed (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp:258
#11 0x00007fffea656f68 in blink::LayoutBox::WillBeDestroyed (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutBox.cpp:137
#12 0x00007fffea60b4a8 in blink::LayoutBlock::WillBeDestroyed (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:145
#13 0x00007fffea62ea34 in blink::LayoutBlockFlow::WillBeDestroyed (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:2845
#14 0x00007fffea70291d in blink::LayoutObject::Destroy (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:2925
#15 0x00007fffea7028fa in blink::LayoutObject::DestroyAndCleanupAnonymousWrappers (this=0x21ad4ce10950) at ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp:2919
#16 0x00007fffe9db62ca in blink::Node::DetachLayoutTree (this=0xddee3f87350, context=...) at ../../third_party/WebKit/Source/core/dom/Node.cpp:958
#17 0x00007fffe9c6c067 in blink::ContainerNode::DetachLayoutTree (this=0xddee3f87350, context=...) at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:803
#18 0x00007fffe9d246b3 in blink::Element::DetachLayoutTree (this=0xddee3f87350, context=...) at ../../third_party/WebKit/Source/core/dom/Element.cpp:1821
#19 0x00007fffe9cc4b9f in blink::Node::LazyReattachIfAttached (this=0xddee3f87350) at ../../third_party/WebKit/Source/core/dom/Node.h:987
#20 0x00007fffe9eb90ef in blink::InsertionPoint::SetDistributedNodes (this=0xddee3f87260, distributed_nodes=...) at ../../third_party/WebKit/Source/core/dom/shadow/InsertionPoint.cpp:92
#21 0x00007fffe9ead4c8 in blink::DistributionPool::DistributeTo (this=0x7fffbe262b58, insertion_point=0xddee3f87260, element_shadow=0x339e20c42538) at ../../third_party/WebKit/Source/core/dom/shadow/ElementShadowV0.cpp:110
#22 0x00007fffe9eadd8b in blink::ElementShadowV0::Distribute (this=0x339e20c42538) at ../../third_party/WebKit/Source/core/dom/shadow/ElementShadowV0.cpp:176
#23 0x00007fffe9eabc4d in blink::ElementShadow::Distribute (this=0x2cd15a5289b0) at ../../third_party/WebKit/Source/core/dom/shadow/ElementShadow.cpp:166
#24 0x00007fffe9dc0217 in blink::ElementShadow::DistributeIfNeeded (this=0x2cd15a5289b0) at ../../third_party/WebKit/Source/core/dom/shadow/ElementShadow.h:117
#25 0x00007fffe9db4604 in blink::Node::RecalcDistribution (this=0xddee3f86dc0) at ../../third_party/WebKit/Source/core/dom/Node.cpp:689
#26 0x00007fffe9db46e5 in blink::Node::RecalcDistribution (this=0xddee3f86d20) at ../../third_party/WebKit/Source/core/dom/Node.cpp:695
#27 0x00007fffe9db46e5 in blink::Node::RecalcDistribution (this=0xddee3f86be0) at ../../third_party/WebKit/Source/core/dom/Node.cpp:695
#28 0x00007fffe9db46e5 in blink::Node::RecalcDistribution (this=0xddee3f85d08) at ../../third_party/WebKit/Source/core/dom/Node.cpp:695
#29 0x00007fffe9db4035 in blink::Node::UpdateDistribution (this=0xddee3f85d08) at ../../third_party/WebKit/Source/core/dom/Node.cpp:681
#30 0x00007fffe9ca3808 in blink::Document::UpdateStyleAndLayoutTree (this=0xddee3f85d08) at ../../third_party/WebKit/Source/core/dom/Document.cpp:2024
#31 0x00007fffea0bfe91 in blink::FrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal (this=0xdd605be3f98) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:3357
#32 0x00007fffea0c0286 in blink::FrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal (this=0xdd605be2478) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:3390
#33 0x00007fffea0be026 in blink::FrameView::UpdateStyleAndLayoutIfNeededRecursive (this=0xdd605be2478) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:3337
#34 0x00007fffea0bcafa in blink::FrameView::UpdateLifecyclePhasesInternal (this=0xdd605be2478, target_state=blink::DocumentLifecycle::kPaintClean) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:3071
#35 0x00007fffea0bc7e2 in blink::FrameView::UpdateAllLifecyclePhases (this=0xdd605be2478) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:2923

Attaching my minimized version(s) of the testcase. (If running from file:// remember to pass --allow-file-access-from-files.)

Deleted: cfdependency-48142.html 55 bytes

cfdependency-48142.html 55 bytes View Download

Deleted: fuzz-http-79.html 296 bytes

fuzz-http-79.html 296 bytes View Download

FWIW I looked at a CF  Issue 714353  recently and CF's regression range was off; it's worth manually bisecting these to see if recent shadow DOM changes caused this.

yuzus@, could you try to fix this?
kochi@, help yuzus@ if necessary.

ClusterFuzz testcase 5569218759360512 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.