Using the provided regression range assigning to the possible suspect as per the change made for the files, “CSSLazyPropertyParserImpl.cpp and CSSLazyParsingState.cpp”
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/100f27a3bb5677b0205106a154f26365c27e785f
@nainar  -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Thanks!

Issue 774346 has been merged into this issue.

Users experienced this crash on the following builds:

Mac Canary 63.0.3238.0 -  0.46 CPM, 2 reports, 2 clients (signature blink::CSSLazyParsingState::GetStyleEngine)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

There are different magic signature variants of this seen in M-63.

1. Chrome_Mac: Crash Report - blink::CSSLazyParsingState::GetStyleEngine, Issue 774346.
2. blink::CSSLazyPropertyParserImpl::ParseProperties. Link to the crash: https://goto.google.com/hfyxu

Friendly ping for an update on this.

I have a fix out for this: https://chromium-review.googlesource.com/c/chromium/src/+/722579

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b30a67726d61312f337145310c81678c8e0ab20d

commit b30a67726d61312f337145310c81678c8e0ab20d
Author: Naina Raisinghani <nainar@chromium.org>
Date: Tue Oct 17 10:48:51 2017

Only copy parsed properties over when mutating a rule.

Currently when we copy over a StyleRule we parse all proeprties
greedily. This should only be the already parsed properties. The greedy
method may result in a dangerous state.

This is a speculative fix for the ClusterFuzz issue.

Bug:  774061 
Change-Id: I0b7f09018c7cf2d8ca75ea5d705016fbcce6f0ae
Reviewed-on: https://chromium-review.googlesource.com/722579
Reviewed-by: Darren Shen <shend@chromium.org>
Commit-Queue: nainar <nainar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509352}
[add] https://crrev.com/b30a67726d61312f337145310c81678c8e0ab20d/third_party/WebKit/LayoutTests/fast/css/lazy-parsing-delete-rule-crash.html
[add] https://crrev.com/b30a67726d61312f337145310c81678c8e0ab20d/third_party/WebKit/LayoutTests/fast/css/resources/lazy-pasing-delete-rule-crash.css
[modify] https://crrev.com/b30a67726d61312f337145310c81678c8e0ab20d/third_party/WebKit/Source/core/css/StyleRule.cpp

Users experienced this crash on the following builds:

Win Canary 64.0.3241.0 -  3.05 CPM, 25 reports, 22 clients (signature blink::CSSLazyPropertyParserImpl::ParseProperties)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This is the #1 crash in latest canary. We will verify in today's canary with the fix.

If the crash is fixed,you may need to merger to M63 as well.

This crash has high impact on Chrome's stability.
Signature: blink::CSSLazyPropertyParserImpl::ParseProperties.
Channel: canary. Platform: win.
Labeling  issue 774061  with ReleaseBlock-Dev.


If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

#10 - why is something that is behind a flag that is turned on for Finch. Unless we have accidentally turned on Finch for a 100% of our canary population this shouldn't be an issue.  

ClusterFuzz has detected this issue as fixed in range 509326:509389.

Detailed report: https://clusterfuzz.com/testcase?key=5024280348983296

Fuzzer: inferno_twister
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000003ec
Crash State:
  blink::CSSLazyParsingState::GetStyleEngine
  blink::CSSLazyPropertyParserImpl::ParseProperties
  blink::StyleRule::StyleRule
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=504327:504346
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=509326:509389

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5024280348983296

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5024280348983296 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Opening again and removing merge-request label since I am reverting the CL. 

will reland a new fix by EoD SYD time

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c6dfaf800108be95ccd9c5c8cb73bed66e80ba1f

commit c6dfaf800108be95ccd9c5c8cb73bed66e80ba1f
Author: nainar <nainar@chromium.org>
Date: Thu Oct 19 00:26:27 2017

Revert "Only copy parsed properties over when mutating a rule."

This reverts commit b30a67726d61312f337145310c81678c8e0ab20d.

Reason for revert: Not a stable enough change as it causes  crbug.com/775922 

Original change's description:
> Only copy parsed properties over when mutating a rule.
> 
> Currently when we copy over a StyleRule we parse all proeprties
> greedily. This should only be the already parsed properties. The greedy
> method may result in a dangerous state.
> 
> This is a speculative fix for the ClusterFuzz issue.
> 
> Bug:  774061 
> Change-Id: I0b7f09018c7cf2d8ca75ea5d705016fbcce6f0ae
> Reviewed-on: https://chromium-review.googlesource.com/722579
> Reviewed-by: Darren Shen <shend@chromium.org>
> Commit-Queue: nainar <nainar@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#509352}

TBR=nainar@chromium.org,shend@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  774061 ,  775922 
Change-Id: I49f536965359f14793eba4f952d216a04dd07df6
Reviewed-on: https://chromium-review.googlesource.com/726679
Reviewed-by: nainar <nainar@chromium.org>
Commit-Queue: nainar <nainar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509941}
[delete] https://crrev.com/9e77a8ed0f573731a9e4b8376d188541b989eb70/third_party/WebKit/LayoutTests/fast/css/lazy-parsing-delete-rule-crash.html
[delete] https://crrev.com/9e77a8ed0f573731a9e4b8376d188541b989eb70/third_party/WebKit/LayoutTests/fast/css/resources/lazy-pasing-delete-rule-crash.css
[modify] https://crrev.com/c6dfaf800108be95ccd9c5c8cb73bed66e80ba1f/third_party/WebKit/Source/core/css/StyleRule.cpp

Removing the Dev blocker label for M63 as the crash instances are not seen on latest Dev Build # 63.0.3239.9	

Magic Signature:'blink::CSSLazyParsingState::GetStyleEngine'

https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ACSSLazyParsingState%3A%3AGetStyleEngine%27%20AND%20product.name%3D%27Chrome_Mac%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#-samplereports

Magic Signature: 'blink::CSSLazyPropertyParserImpl::ParseProperties'

https://crash.corp.google.com/browse?q=custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ACSSLazyPropertyParserImpl%3A%3AParseProperties%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20product.name%3D%27Chrome%27&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#-samplereports

Marking it for M64 as per # 12, as the Finch has been turned on for Canary.

Shoudl the ReleaseBlock-Dev be removed too then?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7aa7dab403ad24848afa2dfa57cb344427b31a8d

commit 7aa7dab403ad24848afa2dfa57cb344427b31a8d
Author: Naina Raisinghani <nainar@google.com>
Date: Sat Oct 21 23:27:46 2017

Revert implementing Lazy Parsing for Pseudo attributes (before/after)

This is due to the change being crashy

Revert CSS Parser: Lazy Parsing for Pseudo attributes (before/after)

Revert Move has_before_or_after_ from CSSLazyParsingState to CSSLazyPropertyParserImpl

TBR= shend@chromium.org

Bug:  774061 
Change-Id: I529f56c8751b11305cc23d506b8d4f4df476ae2a
Reviewed-on: https://chromium-review.googlesource.com/729600
Commit-Queue: nainar <nainar@chromium.org>
Reviewed-by: nainar <nainar@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510696}
[delete] https://crrev.com/bb354ab52392a11204cd3fc2d443d6ba5cbb87ed/third_party/WebKit/LayoutTests/fast/css/lazy-parsing-pseudo-attribute.html
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/RuleFeature.cpp
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/RuleFeature.h
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/RuleSet.h
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/StyleEngine.h
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/StylePropertySet.h
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/StyleRule.h
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/parser/CSSLazyParsingState.cpp
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/parser/CSSLazyParsingState.h
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/parser/CSSLazyParsingTest.cpp
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/parser/CSSLazyPropertyParserImpl.cpp
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/parser/CSSLazyPropertyParserImpl.h
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp
[modify] https://crrev.com/7aa7dab403ad24848afa2dfa57cb344427b31a8d/third_party/WebKit/Source/core/dom/Document.cpp

This bug requires manual review: Reverts referenced in bugdroid comments after merge request.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

nainar@, could you please confirm which change you're requesting a merge to M63 for? 
Als0 as per comment #18 M63 merge may not be needed. Could you ptal and confirm merge is indeed needed and will it be a safe merge? Thank you.

I was requesting a merge for the CL in comment 20. Sorry for being unclear
You are right we can do without a merge since it is hidden behing experimental-web-platform-features but in case someone has the flag turned on I want to be safe than sorry. 

It is a safe merge since it is a revert only. No fix.

No worries and Thank you.

Approving merge for CL listed at #20 to M63 branch 3239. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8

commit 243e0ebdc75cb7c74afe6c70c501aaedd3f949e8
Author: Naina Raisinghani <nainar@google.com>
Date: Mon Oct 23 04:12:36 2017

Revert implementing Lazy Parsing for Pseudo attributes (before/after)

This is due to the change being crashy

Revert CSS Parser: Lazy Parsing for Pseudo attributes (before/after)

Revert Move has_before_or_after_ from CSSLazyParsingState to CSSLazyPropertyParserImpl

TBR=nainar@google.com, shend@chromium.org

(cherry picked from commit 7aa7dab403ad24848afa2dfa57cb344427b31a8d)

Bug:  774061 
Change-Id: I529f56c8751b11305cc23d506b8d4f4df476ae2a
Reviewed-on: https://chromium-review.googlesource.com/729600
Commit-Queue: nainar <nainar@chromium.org>
Reviewed-by: nainar <nainar@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#510696}
Reviewed-on: https://chromium-review.googlesource.com/732732
Cr-Commit-Position: refs/branch-heads/3239@{#143}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[delete] https://crrev.com/114b82b05c6ce4bcbcc7c92f7ddd97dc14d7b1e5/third_party/WebKit/LayoutTests/fast/css/lazy-parsing-pseudo-attribute.html
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/RuleFeature.cpp
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/RuleFeature.h
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/RuleSet.h
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/StyleEngine.h
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/StylePropertySet.h
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/StyleRule.h
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/parser/CSSLazyParsingState.cpp
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/parser/CSSLazyParsingState.h
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/parser/CSSLazyParsingTest.cpp
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/parser/CSSLazyPropertyParserImpl.cpp
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/parser/CSSLazyPropertyParserImpl.h
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp
[modify] https://crrev.com/243e0ebdc75cb7c74afe6c70c501aaedd3f949e8/third_party/WebKit/Source/core/dom/Document.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c298e7c357bcbc2554fe5d132da15566c028b8ff

commit c298e7c357bcbc2554fe5d132da15566c028b8ff
Author: Dmitry Gozman <dgozman@chromium.org>
Date: Tue Oct 24 18:29:08 2017

Revert "Revert implementing Lazy Parsing for Pseudo attributes (before/after)"

This reverts commit 243e0ebdc75cb7c74afe6c70c501aaedd3f949e8.

Reason for revert: crashes DevTools on any site. See  crbug.com/777720 .
Bug:  777720 

Original change's description:
> Revert implementing Lazy Parsing for Pseudo attributes (before/after)
> 
> This is due to the change being crashy
> 
> Revert CSS Parser: Lazy Parsing for Pseudo attributes (before/after)
> 
> Revert Move has_before_or_after_ from CSSLazyParsingState to CSSLazyPropertyParserImpl
> 
> TBR=nainar@google.com, shend@chromium.org
> 
> (cherry picked from commit 7aa7dab403ad24848afa2dfa57cb344427b31a8d)
> 
> Bug:  774061 
> Change-Id: I529f56c8751b11305cc23d506b8d4f4df476ae2a
> Reviewed-on: https://chromium-review.googlesource.com/729600
> Commit-Queue: nainar <nainar@chromium.org>
> Reviewed-by: nainar <nainar@chromium.org>
> Cr-Original-Commit-Position: refs/heads/master@{#510696}
> Reviewed-on: https://chromium-review.googlesource.com/732732
> Cr-Commit-Position: refs/branch-heads/3239@{#143}
> Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}

TBR=nainar@chromium.org,shend@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  774061 
Change-Id: I9383956cec272b8fea8dc694902e1581514f1ab9
Reviewed-on: https://chromium-review.googlesource.com/734665
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#182}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[add] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/LayoutTests/fast/css/lazy-parsing-pseudo-attribute.html
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/RuleFeature.cpp
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/RuleFeature.h
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/RuleSet.h
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/StyleEngine.h
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/StylePropertySet.h
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/StyleRule.h
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/parser/CSSLazyParsingState.cpp
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/parser/CSSLazyParsingState.h
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/parser/CSSLazyParsingTest.cpp
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/parser/CSSLazyPropertyParserImpl.cpp
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/parser/CSSLazyPropertyParserImpl.h
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp
[modify] https://crrev.com/c298e7c357bcbc2554fe5d132da15566c028b8ff/third_party/WebKit/Source/core/dom/Document.cpp

I am reopening this, since I reverted the fix from #c26 from the M63 branch due to sever crash. See  issue 777720 .

Given we can do without a merge since it is hidden behing experimental-web-platform-features. And the fix has landed in 64 which has the Finch experiment I am going to retain this as Fixed.