The only related change in the regression range seems to be https://chromium.googlesource.com/chromium/src/+/95342a4986af56783818b4a7f578f4b3b2bf5f2b

mstensho: Can you please take a look?

I can reproduce this. Dragging with the mouse seems to be required (which is also suggested by the call stack).

AutoscrollController::StartAutoscrollForSelection() is called with a healthy layout object. Then layout_object->GetFrameView()->UpdateAllLifecyclePhasesExceptPaint() kills layout_object.

This (updating life cycle phases and expecting that the LayoutObject pointer is valid afterwards) was introduced by https://codereview.chromium.org/2549353002

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e5b83af160ffb15e52163318bdd3aadb14c185c8

commit e5b83af160ffb15e52163318bdd3aadb14c185c8
Author: chrishtr <chrishtr@chromium.org>
Date: Fri Apr 28 20:21:52 2017

Protect against lifecycle updates that delete a layout object for autoscroll.

NOPRESUBMIT=true
BUG= 713190 

Review-Url: https://codereview.chromium.org/2844593002
Cr-Commit-Position: refs/heads/master@{#468109}

[add] https://crrev.com/e5b83af160ffb15e52163318bdd3aadb14c185c8/third_party/WebKit/LayoutTests/fast/events/autoscroll-select-crash.html
[modify] https://crrev.com/e5b83af160ffb15e52163318bdd3aadb14c185c8/third_party/WebKit/Source/core/html/HTMLSelectElement.cpp
[modify] https://crrev.com/e5b83af160ffb15e52163318bdd3aadb14c185c8/third_party/WebKit/Source/core/input/MouseEventManager.cpp
[modify] https://crrev.com/e5b83af160ffb15e52163318bdd3aadb14c185c8/third_party/WebKit/Source/core/page/AutoscrollController.cpp

ClusterFuzz has detected this issue as fixed in range 468057:468112.

Detailed report: https://clusterfuzz.com/testcase?key=6546588857270272

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x07c39180
Crash State:
  blink::LayoutBox::findAutoscrollable
  blink::AutoscrollController::startAutoscrollForSelection
  blink::HTMLSelectElement::listBoxDefaultEventHandler
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=437055:437094
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=468057:468112

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6546588857270272


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6546588857270272 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The patch has already been merged.

ClusterFuzz has detected this issue as fixed in range 468057:468112.

Detailed report: https://clusterfuzz.com/testcase?key=6546588857270272

Fuzzer: marty_html_twiddler
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x07c39180
Crash State:
  blink::LayoutBox::findAutoscrollable
  blink::AutoscrollController::startAutoscrollForSelection
  blink::HTMLSelectElement::listBoxDefaultEventHandler
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=437055:437094
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=468057:468112

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6546588857270272


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

For reference, the merge was https://chromium.googlesource.com/chromium/src.git/+/6deb87d4ab4c0d3be8af55492fed6252c3e6c2ed

Please merge your change to M59 branch 3071 by 4:00 PM PT, Monday (05/15) so we can take it in for next week beta release. Thank you.

It's already merged.

Removing "Merge-Approved-59" label per comment #16.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot