Predator and CL did not provide any possible suspects.
Using Code Search for the file, "hashtable.h" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/093e477880015860a43550d9330ed922810ceeb2

@cavalcantii -- Could you please look into the issue, please re-assign if it has nothing to do with your changes.
Thank You.

I'm on vacations now and should be back in 2 weeks.

That being said, the change we landed should be behind a macro that is disabled, therefore should not be related to this issue.

I'm adding Yuta as he has deeper knowledge of the subject.

Sounds like AXObjectCacheImpl::ids_in_use_ gets corrupt for some reason.

I tried to run the test case on Linux debug, and it actually hit an assertion before
doing null deref. The stack trace is pasted below.

Note that you need to run the case in layout test environment, like:

   content_shell --run-layout-test --dump-render-tree TESTCASE.HTM

Anyway, this seems related to accessibility and has nothing to do with HashTable,
so I'd like to let AX folks to triage.


[30075:30075:0728/192408.038482:2008798553011:FATAL:AXMenuList.cpp(76)] Check failed: !IsDetached(). 

Program received signal SIGTRAP, Trace/breakpoint trap.
base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:239
239     }
(gdb) bt
#0  base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:239
#1  0x00007ffff2902c58 in base::debug::BreakDebugger () at ../../base/debug/debugger_posix.cc:258
#2  0x00007ffff2996f06 in logging::LogMessage::~LogMessage (this=0x7fffffff2e70) at ../../base/logging.cc:784
#3  0x00007fffe7a5d8d1 in blink::AXMenuList::AddChildren (this=0x1aec1b35da20) at ../../third_party/WebKit/Source/modules/accessibility/AXMenuList.cpp:76
#4  0x00007fffe7a84361 in blink::AXObject::UpdateChildrenIfNecessary (this=0x1aec1b35da20)
    at ../../third_party/WebKit/Source/modules/accessibility/AXObject.cpp:1505
#5  0x00007fffe7a49b16 in blink::AXLayoutObject::UpdateChildrenIfNecessary (this=0x1aec1b35da20)
    at ../../third_party/WebKit/Source/modules/accessibility/AXLayoutObject.cpp:1625
#6  0x00007fffe7a83cfd in blink::AXObject::Children (this=0x1aec1b35da20) at ../../third_party/WebKit/Source/modules/accessibility/AXObject.cpp:1437
#7  0x00007fffe7a5db0c in blink::AXMenuList::DidUpdateActiveOption (this=0x1aec1b35da20, option_index=0)
    at ../../third_party/WebKit/Source/modules/accessibility/AXMenuList.cpp:115
#8  0x00007fffe7a9a425 in blink::AXObjectCacheImpl::HandleUpdateActiveMenuOption (this=0x1aec1b357858, menu_list=0xc13f1e58010, option_index=0)
    at ../../third_party/WebKit/Source/modules/accessibility/AXObjectCacheImpl.cpp:1196
#9  0x00007fffeb1301bd in blink::LayoutMenuList::DidUpdateActiveOption (this=0xc13f1e58010, option=0x3a8a1f324410)
    at ../../third_party/WebKit/Source/core/layout/LayoutMenuList.cpp:316
#10 0x00007fffeb12ff94 in blink::LayoutMenuList::UpdateFromElement (this=0xc13f1e58010) at ../../third_party/WebKit/Source/core/layout/LayoutMenuList.cpp:230
#11 0x00007fffeabf8ea0 in blink::HTMLSelectElement::SelectOption (this=0x3a8a1f323f50, element=0x3a8a1f324410, flags=0)
    at ../../third_party/WebKit/Source/core/html/HTMLSelectElement.cpp:1041
#12 0x00007fffeabf9590 in blink::HTMLSelectElement::ResetToDefaultSelection (this=0x3a8a1f323f50, 
    reason=blink::HTMLSelectElement::kResetReasonSelectedOptionRemoved) at ../../third_party/WebKit/Source/core/html/HTMLSelectElement.cpp:830
#13 0x00007fffeabfbf21 in blink::HTMLSelectElement::OptionRemoved (this=0x3a8a1f323f50, option=...)
    at ../../third_party/WebKit/Source/core/html/HTMLSelectElement.cpp:963
#14 0x00007fffeabef366 in blink::HTMLOptionElement::RemovedFrom (this=0x3a8a1f324aa8, insertion_point=0x3a8a1f324698)
    at ../../third_party/WebKit/Source/core/html/HTMLOptionElement.cpp:371
#15 0x00007fffea561360 in blink::ContainerNode::NotifyNodeRemoved (this=0x3a8a1f324698, root=...)
    at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:905
#16 0x00007fffea5606d6 in blink::ContainerNode::RemoveChild (this=0x3a8a1f324698, old_child=0x3a8a1f324aa8, exception_state=...)
    at ../../third_party/WebKit/Source/core/dom/ContainerNode.cpp:681
#17 0x00007fffea690fc0 in blink::Node::remove (this=0x3a8a1f324aa8, exception_state=...) at ../../third_party/WebKit/Source/core/dom/Node.cpp:583
#18 0x00007fffea6d28dc in blink::Range::insertNode (this=0x1aec1b35cee8, new_node=0x3a8a1f324aa8, exception_state=...)
    at ../../third_party/WebKit/Source/core/dom/Range.cpp:943
#19 0x00007fffeb99c122 in blink::RangeV8Internal::insertNodeMethod (info=...) at gen/blink/bindings/core/v8/V8Range.cpp:443
#20 0x00007fffeb99bdf2 in blink::V8Range::insertNodeMethodCallback (info=...) at gen/blink/bindings/core/v8/V8Range.cpp:728
#21 0x00007fffecce5cf2 in v8::internal::FunctionCallbackArguments::Call (this=0x7fffffff3d78, 
    f=0x7fffeb99bdc0 <blink::V8Range::insertNodeMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&)>) at ../../v8/src/api-arguments.cc:25
#22 0x00007fffecdc27f6 in v8::internal::(anonymous namespace)::HandleApiCallHelper<false> (isolate=0x29096b722020, function=..., new_target=..., fun_data=..., 
    receiver=..., args=...) at ../../v8/src/builtins/builtins-api.cc:112
#23 0x00007fffecdc1129 in v8::internal::Builtin_Impl_HandleApiCall (args=..., isolate=0x29096b722020) at ../../v8/src/builtins/builtins-api.cc:142

ClusterFuzz has detected this issue as fixed in range 490547:490630.

Detailed report: https://clusterfuzz.com/testcase?key=4651086299529216

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: Null-dereference
Crash Address: 0x0000004f
Crash State:
  WTF::HashTable<int,int,WTF::IdentityExtractor,WTF::IntHash<unsigned int>,WTF::Ha
  blink::AXObjectCacheImpl::GenerateAXID
  blink::AXObjectCacheImpl::GetOrCreateAXID
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=483471:483525
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=490547:490630

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4651086299529216


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4651086299529216 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.