This doesn't happen now, but will happen once Fady's CL lands.
https://chromium-review.googlesource.com/c/chromium/src/+/881831

This happens occasionally even without my patch FWIW. Maybe less frequently. I believe the problem is we are modifying compositing layers during the layout phase.

What does "kill all the OOPIFs mean?

Open the task manager and kill all the processes that render OOPIFs.

Can you reproduce this reliably? I can't reproduce it at ToT on Linux
with --site-per-process.

http://slashdot.org right?

Yes. I could reproduce this very reliably. I don't have access to my workstation right now, but I can get back to you on Monday.

I was able to repro this without any trouble also. It might be worth mentioning explicitly that it is the main frame's renderer that crashes here, not the OOPIF renderer.

When an OOPIF process goes down, the main frame gets a notification and ChildFrameCompositingHelper::ChildFrameGone() adds a layer with a sad face graphic to replace the now-crashed iframe. This crash seems to happen in a subsequent BeginFrame.

fsamuel@ (re Comment #2): How would we be modifying compositing layers during layout?

This doesn't happen to me as often as before. It's very random now. Now I also get it when the OOPIFs are not killed just by scrolling down the page.

OK, seems like a better way to hit this dcheck is just zooming in/out on slashdot.

I still can't reproduce. Ctrl-+/- zooming on slashdot.org does not crash for me
on this DCHECK.

Are you using the --site-per-process flag?

Yes.

Testing at ToT on Linux.

I can now reproduce this bug with a similar stack trace:

#3 0x7fac12ebf34a blink::PaintLayer::GetCompositedLayerMapping()
#4 0x7fac12ee37df blink::PaintLayerScrollableArea::LayerForScrolling()
#5 0x7fac100adecd blink::ScrollableArea::LayerForContainer()
#6 0x7fac12e52ad0 blink::TopDocumentRootScrollerController::RootContainerLayer()
#7 0x7fac12480e64 blink::WebViewImpl::RegisterViewportLayersWithCompositor()
#8 0x7fac12de933e blink::ChromeClientImpl::RegisterViewportLayers()
#9 0x7fac12e5265b blink::TopDocumentRootScrollerController::DidUpdateCompositing()
#10 0x7fac125586b9 blink::LocalFrameView::UpdateLifecyclePhasesInternal()
#11 0x7fac12557b22 blink::LocalFrameView::UpdateAllLifecyclePhases()
#12 0x7fac12e1406b blink::PageAnimator::UpdateAllLifecyclePhases()
#13 0x7fac12e1991c blink::PageWidgetDelegate::UpdateLifecycle()
#14 0x7fac12479fa8 blink::WebViewImpl::UpdateLifecycle()
#15 0x7fac125ee1f7 blink::WebViewFrameWidget::UpdateLifecycle()
#16 0x7fac21fca416 content::RenderWidget::UpdateVisualState()
#17 0x7fac21db6c80 content::RenderWidgetCompositor::UpdateLayerTreeHost()
#18 0x7fac1dff3d70 cc::LayerTreeHost::RequestMainFrameUpdate()
#19 0x7fac1e0e63bc cc::ProxyMain::BeginMainFrame()

The lifecycle is reset to kLayoutClean after compositing is done and before the top-scroller code
runs, via calls like this stack trace fragment:

#2 0x7f0ad57852b6 blink::PaintLayerCompositor::SetNeedsCompositingUpdate()
#3 0x7f0ad56cb5d4 blink::PaintLayer::SetNeedsCompositingInputsUpdateInternal()
#4 0x7f0ad56cdbb9 blink::PaintLayer::SetNeedsCompositingInputsUpdate()
#5 0x7f0ad497c4ee blink::Element::SetNeedsCompositingUpdate()
#6 0x7f0ad4d9ffb8 blink::RemoteFrame::SetWebLayer()
#7 0x7f0ad4c66454 blink::WebRemoteFrameImpl::SetWebLayer()
#8 0x7f0ae4778baf content::RenderFrameProxy::SetLayer()
#9 0x7f0ae45370bd content::ChildFrameCompositingHelper::ChildFrameGone()
#10 0x7f0ae47782b3 content::RenderFrameProxy::FrameRectsChanged()
#11 0x7f0ad4da12da blink::RemoteFrameClientImpl::FrameRectsChanged()
#12 0x7f0ad4da2732 blink::RemoteFrameView::FrameRectsChanged()

The stack trace in comment 19 is caused by the CL that is referenced in comment 1, resizing the PictureImageLayer with the sad face graphic during layout.

In comment 2 Fady says there were existing ways to hit that, but I don't see any other way that ChildFrameCompositingHelper::ChildFrameGone() can be invoked during layout.

Is a simple solution to this just to defer the call to ChildFrameGone()?

I think we might be able to move the FrameRectsChanged callback to happen
before the compositing step and after layout. That would fix this assert.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99de1525627bf096c0f0fe85a8cf2c81405a2463

commit 99de1525627bf096c0f0fe85a8cf2c81405a2463
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Fri Mar 30 22:50:40 2018

[OOPIF] Move NotifyFrameRectsChangedIfNeededRecursive before compositing

The inputs to NotifyFrameRectsChangedIfNeededRecursive only
need layout information, not compositing. Also, some of them might
want to dirty compositing state due to the change (RemoteFrame in
particular).

Bug:  809701 
Change-Id: Ie029f3eafcbad2af125d6138d1de908561c9ca90
Reviewed-on: https://chromium-review.googlesource.com/986888
Reviewed-by: Stefan Zager <szager@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547300}
[modify] https://crrev.com/99de1525627bf096c0f0fe85a8cf2c81405a2463/third_party/WebKit/Source/core/frame/LocalFrameView.cpp

 Issue 826694  has been merged into this issue.