CHECK failure: lifecycle_.GetState() != DocumentLifecycle::kInPerformLayout in Document.cpp
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5979217602019328
Fuzzer: inferno_webbot
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  lifecycle_.GetState() != DocumentLifecycle::kInPerformLayout in Document.cpp
  blink::Document::ScheduleLayoutTreeUpdate
  blink::Node::LazyReattachIfAttached
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=477423:477458
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5979217602019328

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 7 2017

Jun 7 2017
Root cause appears to be: https://codereview.chromium.org/2743053003
Jun 7 2017

Jun 7 2017

Jun 8 2017
Temporarily assigning to self to be able to download the fuzzer case.
Jun 8 2017

Jun 9 2017
Issue 731921 has been merged into this issue.
Jun 12 2017

Jun 13 2017
Users experienced this crash on the following builds:
Win Dev 61.0.3124.10 - 0.25 CPM, 23 reports, 21 clients (signature blink::Document::ScheduleLayoutTreeUpdate)
Android Dev 61.0.3124.3 - 0.49 CPM, 11 reports, 11 clients (signature blink::Document::ScheduleLayoutTreeUpdate)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jun 16 2017
Users experienced this crash on the following builds:
Win Canary 61.0.3131.0 - 0.27 CPM, 9 reports, 9 clients (signature blink::Document::ScheduleLayoutTreeUpdate)
Mac Dev 61.0.3128.0 - 0.48 CPM, 3 reports, 3 clients (signature blink::Document::ScheduleLayoutTreeUpdate)
Linux Dev 61.0.3128.3 - 3.81 CPM, 6 reports, 3 clients (signature blink::Document::ScheduleLayoutTreeUpdate)
If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Jun 20 2017
ClusterFuzz has detected this issue as fixed in range 480271:480432.

Detailed report: https://clusterfuzz.com/testcase?key=5979217602019328
Fuzzer: inferno_webbot
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  lifecycle_.GetState() != DocumentLifecycle::kInPerformLayout in Document.cpp
  blink::Document::ScheduleLayoutTreeUpdate
  blink::Node::LazyReattachIfAttached
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=477423:477458
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=480271:480432
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5979217602019328

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 20 2017
ClusterFuzz testcase 5979217602019328 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 22 2017
This crash still exists in the latest canary (61.0.3137.0), hence reopening; it ranks #4 in Mac Dev 61.0.3135.4. szager@, could you please take a look and have a fix before M61 hits Beta?
Jun 22 2017
I have a fix in the CQ: https://chromium-review.googlesource.com/c/527606/
Jun 22 2017

Jun 22 2017

Jun 23 2017
Should be fixed by this CL: https://chromium-review.googlesource.com/527606
Jun 27 2017
Just to update, there have been no crashes seen on Windows and Mac since Chrome version 61.0.3138.0 for 'blink::Document::ScheduleLayoutTreeUpdate'. Hence adding the verified label.

Link to the list of the builds:
===============================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ADocument%3A%3AScheduleLayoutTreeUpdate%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

szager@: Please close the issue if there is no further work to be done here. Thank you!
Jul 4 2017
Just to update, there have been no crashes seen on Windows, Mac, and Linux since 61.0.3138.0. However, Android canary (61.0.3145.0) has reported 3 crashes from 3 clients.

Link to the Android crashes:
============================
https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ADocument%3A%3AScheduleLayoutTreeUpdate%27%20AND%20product.name%3D%27Chrome_Android%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

No longer a Beta blocker based on the very few crash instances. Punting to stable based on few crash instances on Android.
Jul 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/02da93ccf3296b8061aec5b02c61bf6c3bd3b696

commit 02da93ccf3296b8061aec5b02c61bf6c3bd3b696
Author: Stefan Zager <szager@chromium.org>
Date: Mon Jul 10 23:53:45 2017

Remove CHECK after diagnosing crash.

BUG=730398
R=pdr@chromium.org

Change-Id: I61868a97e920d0131d672952b7d570181da11537
Reviewed-on: https://chromium-review.googlesource.com/565806
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Stefan Zager <szager@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485451}

[modify] https://crrev.com/02da93ccf3296b8061aec5b02c61bf6c3bd3b696/third_party/WebKit/Source/core/dom/Document.cpp
Jul 11 2017
A friendly reminder that the M61 branch is coming soon on 07/20! Your bug is labelled as Stable ReleaseBlock, so please make sure to land the fix ASAP to trunk. This way we branch M61 from a high quality trunk. Thank you.
Jul 12 2017
Can we tag the bug as fixed?
Jul 12 2017

Sep 9 2017
Crashes stopped on Android after 61.0.3153.0
Comment 1 by ranjitkan@chromium.org, Jun 7 2017
Labels: -Type-Bug M-61 Test-Predator-Wrong Type-Bug-Regression
Owner: szager@chromium.org
Status: Assigned (was: Untriaged)