kojii, would you be able to help triage this please? Thank you!

hayato@, could you mind having a look?

The stack is InsertionPoint::SetDistributedNodes() calls LazyReattachIfAttached(). Is this part of your re-writes? If this looks more like layout tree problem, please feel free to assign back to me.

Since the rewrite [1] should affect only Shadow DOM v1's distribution, it is unlikely to affect this crash, which was happening in Shadow DOM v0's insertion points, at the first glance.

But I am not 100% sure. I might miss something...

[1] https://chromium-review.googlesource.com/c/532734/

kochi@, are you interested in play with this cluster-fuzz crash?
I am on build sheriff today. This might be good chance for you to learn how Shadow DOM distribution works. I am happy to help you later.

I manually cleaned up the minimized reprocase, and attached here.

In summary, a quote element with ::after pseudo element is redistributed
to another <content>, and at the same time the ::after pseudo style becomes
not-matching.

But in the meantime, I found in the backtrace of memory free, 
UpdateDistribution() appeared twice (i.e. reentered the function),
the second was called from AXObjectImpl. This looks very suspicious.

It looks like aboxhall@ is at it, and applying the change
https://codereview.chromium.org/2939933002
fixed the ASAN failure locally.

Deleted: min.html 771 bytes

min.html 771 bytes View Download

For reference, attaching the backtrace on the free code path.

Deleted: stacktrace_free.txt 14.3 KB

stacktrace_free.txt 14.3 KB View Download

In the backtrace above, UpdateDistribution() appears in #21 and #59.

ClusterFuzz has detected this issue as fixed in range 480776:480824.

Detailed report: https://clusterfuzz.com/testcase?key=5120190756159488

Fuzzer: mbarbella_webcomponents
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free WRITE 8
Crash Address: 0x610000083bd8
Crash State:
  blink::LayoutQuote::DetachQuote
  blink::LayoutQuote::WillBeDestroyed
  blink::LayoutObject::Destroy
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=474583:474657
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=480776:480824

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5120190756159488


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5120190756159488 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please confirm if this has been verified in canary. 

This only happens with ASAN builds and it's hard to *verify* with today's canary,
but with that said, I cannot reproduce the issue with ToT local build with ASAN
enabled, with the same repro case (attached to comment #8) and
considering cluserfuzz already verified the fix on ToT build in comment #11,
we can safely say the bug fix is in canary for a few days.

Approving merge to M60. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/303e0e83015674dec5bf2fc1a5eafe2871e867ee

commit 303e0e83015674dec5bf2fc1a5eafe2871e867ee
Author: Takayoshi Kochi <kochi@chromium.org>
Date: Mon Jun 26 04:55:46 2017

Only call TextChanged on existing AXObjects. This avoids triggering the code which calls UpdateDistribution as part of creating a new AXObject, which was causing issues.

This change should cause no behaviour changes, as in cases where an AXObject needs to be created for a text node, its parent will also have a ChildrenChanged notification fired on it, which will cause the appropriate updates to fire.

Reverts https://codereview.chromium.org/2926713002/ as the code which causes UpdateDistribution to be called should never run with this change, so we don't need to check whether distribution is dirty any more.

BUG= 729229 , 732200 , 734348 

Review-Url: https://codereview.chromium.org/2939933002
Cr-Original-Commit-Position: refs/heads/master@{#480792}
Review-Url: https://codereview.chromium.org/2957733002 .
Cr-Commit-Position: refs/branch-heads/3112@{#464}
Cr-Branched-From: b6460e24cf59f429d69de255538d0fc7a425ccf9-refs/heads/master@{#474897}

[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/content/test/data/accessibility/event/menulist-collapse-expected-win.txt
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/LayoutTests/accessibility/contenteditable-notifications.html
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/LayoutTests/accessibility/presentation-owned-elements.html
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/LayoutTests/resources/accessibility-helper.js
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/core/layout/LayoutMenuList.cpp
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXMenuList.cpp
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXMenuListPopup.cpp
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXMenuListPopup.h
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXObjectCacheImpl.cpp
[modify] https://crrev.com/303e0e83015674dec5bf2fc1a5eafe2871e867ee/third_party/WebKit/Source/modules/accessibility/AXObjectCacheImpl.h

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot