Null-dereference READ in v8::internal::Runtime::GetObjectProperty
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5364568900763648
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  v8::internal::Runtime::GetObjectProperty
  v8::Object::Get
  blink::V8ContextSnapshot::InstallRuntimeEnabledFeatures
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=496287:496311
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5364568900763648
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 28 2017
Not really actionable from the V8 side. Seems to be more a bindings issue. In debug mode this hits the following assertion ...
$ ./out/Default/content_shell --run-layout-test ~/Downloads/ClusterFuzz/clusterfuzz-testcase-minimized-5364568900763648/fast/forms/select-popup/fuzz-285-popup-menu-ax.html
#
# Fatal error in ../../v8/src/isolate.cc, line 1752
# Debug check failed: AllowExceptions::IsAllowed(this).
#
#0 0x7f9e27daf32d base::debug::StackTrace::StackTrace()
#1 0x7f9e27dad6fc base::debug::StackTrace::StackTrace()
#2 0x7f9e22d7c8f7 gin::(anonymous namespace)::PrintStackTrace()
#3 0x7f9e13a87f4c V8_Fatal()
#4 0x7f9e226f3ae7 v8::internal::Isolate::ReportPendingMessages()
#5 0x7f9e221ab6a6 v8::internal::ApiNatives::InstantiateObject()
#6 0x7f9e22286aad v8::internal::Genesis::ConfigureApiObject()
#7 0x7f9e2228680e v8::internal::Genesis::ConfigureGlobalObjects()
#8 0x7f9e222875a7 v8::internal::Genesis::Genesis()
#9 0x7f9e2226dee3 v8::internal::Bootstrapper::CreateEnvironment()
#10 0x7f9e221e8a9f v8::NewContext()
#11 0x7f9e221b18bf v8::Context::New()
#12 0x7f9e1f4b2f27 blink::LocalWindowProxy::CreateContext()
#13 0x7f9e1f4b2511 blink::LocalWindowProxy::Initialize()
Somewhat simplified repro ...
<style>
#dom-fuzz-69140001 {
-webkit-writing-mode: vertical-rl;
}
</style>
<body id="dom-fuzz-69140001">
<script>
window.accessibilityController.setNotificationListener(function() {
});
</script>
Aug 28 2017
Aug 28 2017
Triaging to Accessibility due to presence of window.accessibilityController in the repro case from comment #2.
Aug 28 2017
Aug 29 2017
I did not detect the root cause, but it reproduces also on revision 488528 (ff259bab28b35d242e10186cd63af7ed404fae0d) on Linux, so it does not depend on the snapshot feature.
#
# Fatal error in ../../v8/src/isolate.cc, line 1747
# Debug check failed: AllowExceptions::IsAllowed(this).
#
#0 0x000001a64147 base::debug::StackTrace::StackTrace()
#1 0x00000319bb95 gin::(anonymous namespace)::PrintStackTrace()
#2 0x00000301c0dd V8_Fatal()
#3 0x000000e36cc7 v8::internal::Isolate::ReportPendingMessages()
#4 0x00000097649d v8::internal::ApiNatives::InstantiateObject()
#5 0x000000a34d24 v8::internal::Genesis::ConfigureApiObject()
#6 0x000000a34a8d v8::internal::Genesis::ConfigureGlobalObjects()
#7 0x000000a357b8 v8::internal::Genesis::Genesis()
#8 0x000000a1d45e v8::internal::Bootstrapper::CreateEnvironment()
#9 0x0000009a28da v8::NewContext()
#10 0x00000097abcd v8::Context::New()
#11 0x0000046990e6 blink::LocalWindowProxy::CreateContext()
#12 0x000004698882 blink::LocalWindowProxy::Initialize()
#13 0x00000469a078 blink::LocalWindowProxy::UpdateDocument()
#14 0x00000469f365 blink::ScriptController::UpdateDocument()
#15 0x000003555f42 blink::LocalDOMWindow::InstallNewDocument()
#16 0x0000039ec1c2 blink::DocumentLoader::InstallNewDocument()
with a more simplified test case:
<style>
#a {
-webkit-writing-mode: vertical-rl;
}
</style>
<body id="a">
<script>
window.accessibilityController.setNotificationListener(function() {});
</script>
</body>
Aug 29 2017
What is the exception being thrown?
Sep 13 2017
Sep 14 2017
Sep 23 2017
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 20 2017
ClusterFuzz has detected this issue as fixed in range 510178:510268.
Detailed report: https://clusterfuzz.com/testcase?key=5364568900763648
Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  v8::internal::Runtime::GetObjectProperty
  v8::Object::Get
  blink::V8ContextSnapshot::InstallRuntimeEnabledFeatures
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=496287:496311
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=510178:510268
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5364568900763648
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 20 2017
ClusterFuzz testcase 5364568900763648 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 23 2017
Oct 23 2017
Oct 23 2017
Re #7: Oops, I missed your message. It seems to be an error (JSError), but I can't figure out its details. Could you check it, or let me know how I can dig into it?
Oct 27 2017
Issue 778930 has been merged into this issue.
Nov 6 2017
Issue 780901 has been merged into this issue.
Nov 7 2017
Nov 18 2017
Dec 4 2017
Issue 791335 has been merged into this issue.
Jan 24 2018
This issue seems fixed.
Jan 31 2018
ClusterFuzz testcase 5359449622708224 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Comment 1 by dtapu...@chromium.org, Aug 25 2017