This crash occurs very frequently on mac and windows platforms and is likely preventing the fuzzer marty_html_twiddler from making much progress. Fixing this will allow more bugs to be found.

Marking this bug as a blocker for next Beta release.

If this is incorrect, please add ClusterFuzz-Wrong label and remove the ReleaseBlock-Beta label.

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/ed7a56654a501f4764b5df1fb06f984b0650050b (Introduce StyleTraversalRoot for invalidate/recalc/rebuild.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

https://chromium-review.googlesource.com/c/chromium/src/+/1228133

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e13946a963f7423afa16291b7d8e033a79a27573

commit e13946a963f7423afa16291b7d8e033a79a27573
Author: Rune Lillesveen <futhark@chromium.org>
Date: Mon Sep 17 14:31:52 2018

StyleInvalidationRoot::RootElement may be null.

It's possible to have sibling invalidation sets rescheduled on the
document node when removing the document root if the document root has a
sibling, for instance a processing instruction. Let the style
invalidator handle a null RootElement().

Bug:  884289 
Change-Id: If2e07ac81263fc85cc33e1c89ea4e3c32908ef68
Reviewed-on: https://chromium-review.googlesource.com/1228133
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Anders Ruud <andruud@chromium.org>
Cr-Commit-Position: refs/heads/master@{#591669}
[add] https://crrev.com/e13946a963f7423afa16291b7d8e033a79a27573/third_party/WebKit/LayoutTests/fast/css/invalidation/reschedule-on-document-crash.html
[modify] https://crrev.com/e13946a963f7423afa16291b7d8e033a79a27573/third_party/blink/renderer/core/css/invalidation/style_invalidator.cc
[modify] https://crrev.com/e13946a963f7423afa16291b7d8e033a79a27573/third_party/blink/renderer/core/css/invalidation/style_invalidator.h
[modify] https://crrev.com/e13946a963f7423afa16291b7d8e033a79a27573/third_party/blink/renderer/core/css/style_engine.cc
[modify] https://crrev.com/e13946a963f7423afa16291b7d8e033a79a27573/third_party/blink/renderer/core/css/style_invalidation_root.cc
[modify] https://crrev.com/e13946a963f7423afa16291b7d8e033a79a27573/third_party/blink/renderer/core/css/style_invalidation_root.h

 Issue 884460  has been merged into this issue.

ClusterFuzz testcase 6043132771434496 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 591668:591669.

Detailed report: https://clusterfuzz.com/testcase?key=6002493656662016

Fuzzer: marty_html_twiddler
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::StyleInvalidator::Invalidate
  blink::StyleEngine::InvalidateStyle
  blink::Document::UpdateStyleInvalidationIfNeeded
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=591303:591304
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=591668:591669

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6002493656662016

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.