
Issue 813531

Starred by 2 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android
Pri: 1
Type: Bug




CHECK failure: !frame_ || frame_->Tree().ChildCount() == 0 in Document.cpp

Project Member Reported by ClusterFuzz, Feb 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5173980083519488

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !frame_ || frame_->Tree().ChildCount() == 0 in Document.cpp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=419755:419848

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5173980083519488

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: brajkumar@chromium.org
Components: Blink>DOM
Labels: M-65 Test-Predator-Wrong
Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)
Unable to find the actual suspect through code search or from the provided regression range. This issue looks similar to Issue 784870, hence assigning it to the concerned owner.

dcheng@-- Could you please look into this issue?

Thanks!
Comment 2 by ClusterFuzz (Project Member), Feb 21 2018

Labels: OS-Android
Components: -Blink>DOM Blink>XML
This is issue 770615 (which probably shouldn't have been closed). It's because there are still subframes attached at this point, because we only call Shutdown() instead of something like PrepareForCommit(). So transforming any page with subframes crashes instead of working.

I guess we should probably just call DetachChildren() first, but I'm not sure what the spec says about XSLT transforms and if other events should fire. I'll try to find the relevant part of the standards...
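To make the lifecycle invariant behind this CHECK concrete, here is a toy model added for this page (it is not Blink or Chromium code): a frame tree whose document may only be shut down once its frame has no child frames left. `TransformNaive` mirrors the buggy path in the comment above (calling `Shutdown()` directly), `TransformDetachFirst` the suggested fix of detaching children first; the class shapes, the throw standing in for the process-killing CHECK, and the omission of `Tree()` are assumptions of this model.

```cpp
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <vector>

struct Frame;

struct Document {
  Frame* frame_ = nullptr;  // null for a frameless document
  // Models the CHECK "!frame_ || frame_->Tree().ChildCount() == 0":
  // a document may only shut down once its frame has no subframes.
  // Throwing stands in for the process-killing CHECK (model assumption).
  void Shutdown() const;
};

struct Frame {
  std::vector<std::unique_ptr<Frame>> children;
  Document document;
  Frame() { document.frame_ = this; }
  std::size_t ChildCount() const { return children.size(); }
  Frame* AppendChild() {
    children.push_back(std::make_unique<Frame>());
    return children.back().get();
  }
  // Tears subframes down depth-first, so every child's own CHECK holds.
  void DetachChildren() {
    for (auto& child : children) {
      child->DetachChildren();
      child->document.Shutdown();
    }
    children.clear();
  }
};

void Document::Shutdown() const {
  if (!(!frame_ || frame_->ChildCount() == 0))
    throw std::logic_error("CHECK failure: subframes still attached");
}

// Buggy path from the report: swap in the transformed document by calling
// Shutdown() on the old one while subframes are still attached.
// Returns true if teardown completed, false if the CHECK fired.
bool TransformNaive(Frame& root) {
  try { root.document.Shutdown(); return true; }
  catch (const std::logic_error&) { return false; }
}

// Fix suggested in the comment: detach children first, then shut down.
bool TransformDetachFirst(Frame& root) {
  try { root.DetachChildren(); root.document.Shutdown(); return true; }
  catch (const std::logic_error&) { return false; }
}

// Constructed reproducer shape: a page with two subframes, one nested.
std::unique_ptr<Frame> MakePageWithSubframes() {
  auto root = std::make_unique<Frame>();
  root->AppendChild()->AppendChild();
  root->AppendChild();
  return root;
}
```

A page without subframes passes either path, which is why the report only reproduces on documents that embed frames.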
Comment 4 by ClusterFuzz (Project Member), Mar 12 2018

ClusterFuzz has detected this issue as fixed in range 542422:542423.

Detailed report: https://clusterfuzz.com/testcase?key=5173980083519488

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !frame_ || frame_->Tree().ChildCount() == 0 in Document.cpp
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=419755:419848
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=542422:542423

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5173980083519488

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Mar 12 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5173980083519488 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by dcheng@chromium.org, Mar 15 2018

Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
The repro is apparently flaky but I don't think this bug has been fixed.
Issue 828294 has been merged into this issue.
Comment 8 by ClusterFuzz (Project Member), Apr 3 2018

Components: Internals>Core
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
