I can repro on 66.0.3326.0 Linux, have not tried other platforms. Also attaching minimal repro again (removed an unnecessary call to document.body.appendChild).

Deleted: test.html 332 bytes

test.html 332 bytes View Download

Looks like the crashing point is related to inertness handling.
Routing to accessibility people, and removing Shadow DOM / <iframe>
as it is not very relevant.

@kochi: The stacktrace indeed points within the inertness handling code, but it is only reproducable when Shadow DOM and an iframe are used. Was not able to find a minimal repro example without involving these.

dpapad@ right, but Shadow DOM or iframe is just a part of DOM, inertness handling
has to take care of these.  So I think the primary responsibility for the code
is on accessibility.

Dominic or Alice, feel free to assign back to Shadow DOM people.

Any updates here? This is affecting Chrome's own new Print Preview UI (--enable-features=NewPrintPreview). I would appreciate if someone take a look or suggest a better Blink component for this bug. Thanks

I remember that there was an attempt to fix a crash which IsInnert() would cause, due to the wrong assumption of distribution's dirtiness.
See https://chromium-review.googlesource.com/c/chromium/src/+/566341

It looks that is not fixed yet.

BTW, I am working on incremental shadow dom, which will remove this kind of painful points from us.
http://goto/incremental-shadow-dom 

I've confirmed that Incremental Shadow DOM actually fixes this.
That is a great news for us.

So once we land IncrementalShadowDOM, let me close this issue.

This is still broken in 69.0.3452.0 for Print Preview, although the test case above seems to be fixed. New minimal example attached & pasted below, should I re-open this or open a new bug? It is the same DCHECK, but requires a slightly more complicated case to reproduce.

<template id="dialog">
  <custom-dialog></custom-dialog>
</template>
 
<button on-click="onButtonClick_">Show dialog</button>
<div></div>
<iframe></iframe>
 
<script>
  var customDialogProto = Object.create(HTMLElement.prototype);
  customDialogProto.createdCallback = function() {
    const shadowRoot = this.createShadowRoot();
    shadowRoot.innerHTML = '<dialog></dialog>';
  };
 
  customDialogProto.show = function() {
    this.shadowRoot.querySelector('dialog').showModal();
  };
 
  document.registerElement('custom-dialog', { prototype: customDialogProto });
 
  const b = document.body.querySelector('button');
  b.addEventListener('click', () => {
    const dialogTemplate = document.querySelector('#dialog');
    const d = document.importNode(dialogTemplate.content, true);
    const dialog = d.querySelector('custom-dialog');
    document.querySelector('div').appendChild(d);
    dialog.show();
  });
</script>

Deleted: bug804047.html 919 bytes

bug804047.html 919 bytes View Download

Re-opening to make sure this gets some attention.

Let me make this available.
I guess IsInert (or other code) violates the assumption of using FlatTreeTraversal.

I remember aboxhall@ tried to fix a similar bug in https://chromium-review.googlesource.com/c/chromium/src/+/566341. That might be related.

aboxhall, could you work on this?
It looks isInert is using FlatTreeTraversal without updating distribution, which violates the pre-condition of using FlatTreeTraversal.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ae2fcf0ef323eb487edced1ab876a090b3f9ce1e

commit ae2fcf0ef323eb487edced1ab876a090b3f9ce1e
Author: Noel Gordon <noel@chromium.org>
Date: Fri Oct 12 07:04:47 2018

Add Quick View audio load test

Now we have the QuickView <webview> infra to detect the 'loaded' state
of the <webview> content, add a <file-safe-media> audio test, and also
check the <webview> renders its content on a transparent black body.

This test exposed an issue in Blink node code. When the modal <dialog>
is calling showModal(), its flat tree distribution can be out-of-date,
causing a DCHECK crash when testing if the Quick View <dialog> element
contains sibling <iframe id="command-dispatcher"> [1].

Fix that: FlatTreeTraversal::ContainsIncludingPseudoElement() requires
that its node arguments have up-to-date flat tree distribution. Ensure
the <dialog>'s flat tree distribution is up-of-date _before_ trying to
propagate the "inert" bit into sub-frames.

Add crash test: html/dialog/showmodal-shadow-sibling-frame-crash.html

[1] Known crash reports already exist: issue 789094  issue 804047 .

test: browser_tests --gtest_filter="QuickView*openQuickViewAudio"
Bug:  891150 , 789094,  804047 
Change-Id: I714585272fc775c157f6d0bd97143af27bf2b961
Reviewed-on: https://chromium-review.googlesource.com/c/1264138
Commit-Queue: Noel Gordon <noel@chromium.org>
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Luciano Pacheco <lucmult@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599125}
[modify] https://crrev.com/ae2fcf0ef323eb487edced1ab876a090b3f9ce1e/chrome/browser/chromeos/file_manager/file_manager_browsertest.cc
[add] https://crrev.com/ae2fcf0ef323eb487edced1ab876a090b3f9ce1e/third_party/WebKit/LayoutTests/html/dialog/showmodal-shadow-sibling-frame-crash-expected.txt
[add] https://crrev.com/ae2fcf0ef323eb487edced1ab876a090b3f9ce1e/third_party/WebKit/LayoutTests/html/dialog/showmodal-shadow-sibling-frame-crash.html
[modify] https://crrev.com/ae2fcf0ef323eb487edced1ab876a090b3f9ce1e/third_party/blink/renderer/core/html/html_dialog_element.cc
[modify] https://crrev.com/ae2fcf0ef323eb487edced1ab876a090b3f9ce1e/ui/file_manager/integration_tests/file_manager/quick_view.js

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4052e809d3bb03478e56c341cc877e49eed96225

commit 4052e809d3bb03478e56c341cc877e49eed96225
Author: Noel Gordon <noel@chromium.org>
Date: Sat Oct 13 00:18:09 2018

Partially back-off CL:1264138 to use the fix in CL:823582

CL:823582 used ForceLayoutForCentering() which updates the dialog flat
tree distribution as a side-effect. Hence, the forced dialog flat tree
distribution update in CL:1264138 is now redundant and can be removed.

Covered by layout tests:
  html/dialog/showmodal-shadow-sibling-frame-crash.html
  html/dialog/dialog-show-modal-inert-crash.html

Covered by Chrome OS browser test:
  browser_tests --gtest_filter="QuickView*openQuickViewAudio"

Tbr: hayato-san
Bug:  891150 , 789094,  804047 
Change-Id: I84f5e0d29aab2c8956b689bb713a9c383471aa80
Reviewed-on: https://chromium-review.googlesource.com/c/1278075
Commit-Queue: Noel Gordon <noel@chromium.org>
Reviewed-by: Dominic Mazzoni <dmazzoni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599436}
[modify] https://crrev.com/4052e809d3bb03478e56c341cc877e49eed96225/third_party/blink/renderer/core/html/html_dialog_element.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b275fdf7b833eb58807c628a7e663bda7fd98cab

commit b275fdf7b833eb58807c628a7e663bda7fd98cab
Author: Noel Gordon <noel@chromium.org>
Date: Mon Oct 15 04:56:18 2018

Update html/dialog/showmodal-shadow-sibling-frame-crash.html

Convert this test to a testharness test. With CL:823582 this test does
not crash, and does crash prior to that change.

Note: this test uses shadomDOM V0 registerElement and createShadowRoot
since the crash does not reproduce when using shadowDOM V1 methods.

Bug: 789094,  804047 
Change-Id: Ia65c2f75b805ed99a7401d5b64110601f917a5d7
Reviewed-on: https://chromium-review.googlesource.com/c/1278456
Reviewed-by: Hayato Ito <hayato@chromium.org>
Reviewed-by: Alan Cutter <alancutter@chromium.org>
Commit-Queue: Noel Gordon <noel@chromium.org>
Cr-Commit-Position: refs/heads/master@{#599566}
[delete] https://crrev.com/beb96b18d42739814889166ca1c96c4b27000771/third_party/WebKit/LayoutTests/html/dialog/showmodal-shadow-sibling-frame-crash-expected.txt
[modify] https://crrev.com/b275fdf7b833eb58807c628a7e663bda7fd98cab/third_party/WebKit/LayoutTests/html/dialog/showmodal-shadow-sibling-frame-crash.html