Issue 771088 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
NOT IN USE
Closed: Oct 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug



Null-dereference READ in blink::Document::PropagateStyleToViewport

Project Member Reported by ClusterFuzz, Oct 3 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6191814662160384

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000028
Crash State:
  blink::Document::PropagateStyleToViewport
  blink::Document::UpdateStyle
  blink::Document::UpdateStyleAndLayoutTree
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=493344:493354

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6191814662160384

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Oct 3 2017

Components: Blink>DOM
Labels: Test-Predator-AutoComponents
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: msrchandra@chromium.org pnangunoori@chromium.org
Labels: M-63 Test-Predator-Correct
Owner: r...@opera.com
Status: Assigned (was: Untriaged)
Test Predator has given the following results:

Propagate style to viewport after style recalc. by rune@opera.com
Changelist touched lines near the crashed line in frame #0 blink::Document::PropagateStyleToViewport(enum blink::StyleRecalcChange) (distance = 0 lines away)
Top touched frame is #0 blink::Document::PropagateStyleToViewport(in Document.cpp)
Changed files Document.cpp, Document.h, Element.cpp, StyleEngine.cpp, StyleEngine.h, with the same CrashedDirectory(third_party/WebKit/Source/core/dom) as Document.cpp (in frame#0, frame#1, frame#2, frame#6)
Touched files in stacktrace - Document.cpp
Changed files Document.cpp, Document.h, Element.cpp, StyleEngine.cpp, StyleEngine.h, with the same CrashedComponent(Blink>DOM) as Document.cpp (in frame#0, frame#1, frame#2, frame#6)

@rune -- Could you please look into this issue? Kindly reassign if it has nothing to do with your changes.

Thank You.

Comment 3 by r...@opera.com, Oct 3 2017

This looks similar to issue 757585

Comment 5 by r...@opera.com, Oct 3 2017

Status: Started (was: Assigned)
Project Member

Comment 6 by bugdroid1@chromium.org, Oct 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/396316b0bd382ac8a6e373f2a2b249bde933ebeb

commit 396316b0bd382ac8a6e373f2a2b249bde933ebeb
Author: Rune Lillesveen <rune@opera.com>
Date: Thu Oct 05 21:05:01 2017

Don't update fragment anchor during DOM operations.

We tried to update the fragment anchor position immediately when all
script blocking sheets are removed. As part of that update we do a
style and layout update. The last script blocking sheet may be
removed as part of removing a style element from the DOM. Updating
style and layout in the middle of a DOM operation is not safe.

Instead, update the fragment anchor position during the next safe
lifecycle update. The crash was caused by Document still pointing to a
documentElement being removed while updating the style and layout tree,
but its parent pointer had already been set to null.

Bug: 771088
Change-Id: Iaaaeece23d795c2e41d31b9fb97fc795eb2b8305
Reviewed-on: https://chromium-review.googlesource.com/698305
Commit-Queue: Rune Lillesveen <rune@opera.com>
Reviewed-by: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506854}
[add] https://crrev.com/396316b0bd382ac8a6e373f2a2b249bde933ebeb/third_party/WebKit/LayoutTests/fast/css/synchronous-hash-update-crash.html
[modify] https://crrev.com/396316b0bd382ac8a6e373f2a2b249bde933ebeb/third_party/WebKit/Source/core/dom/Document.cpp

Project Member

Comment 7 by ClusterFuzz, Oct 7 2017

ClusterFuzz has detected this issue as fixed in range 506834:506865.

Detailed report: https://clusterfuzz.com/testcase?key=6191814662160384

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000028
Crash State:
  blink::Document::PropagateStyleToViewport
  blink::Document::UpdateStyle
  blink::Document::UpdateStyleAndLayoutTree
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=493344:493354
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=506834:506865

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6191814662160384

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by r...@opera.com, Oct 7 2017

Status: Fixed (was: Started)
Project Member

Comment 9 by ClusterFuzz, Oct 7 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6191814662160384 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Test-Predator-AutoComponents Test-Predator-Auto-Components