Null-dereference READ in blink::StyleInvalidationRoot::RootElement
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6270914768142336
Fuzzer: inferno_twister_c
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::StyleInvalidationRoot::RootElement
  blink::StyleEngine::InvalidateStyle
  blink::Document::UpdateStyleInvalidationIfNeeded
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=591303:591304
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6270914768142336

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Sep 22
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Sep 22
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/ed7a56654a501f4764b5df1fb06f984b0650050b (Introduce StyleTraversalRoot for invalidate/recalc/rebuild.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Sep 24

Sep 24
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f76237333778b789b112dfb693a55631a69020bd

commit f76237333778b789b112dfb693a55631a69020bd
Author: Rune Lillesveen <futhark@chromium.org>
Date: Mon Sep 24 12:29:16 2018

Workaround for nested remove for datalists.

Nested removes confuse the style traversal roots. Make this a general workaround for UA shadow removals.

Bug: 888236, 888448
Change-Id: Ia0165e7478c96282900a8191eeac18ae34586a2c
Reviewed-on: https://chromium-review.googlesource.com/1238728
Reviewed-by: Anders Ruud <andruud@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593510}

[add] https://crrev.com/f76237333778b789b112dfb693a55631a69020bd/third_party/WebKit/LayoutTests/fast/css/style-traversal-root-datalist-crash.html
[modify] https://crrev.com/f76237333778b789b112dfb693a55631a69020bd/third_party/blink/renderer/core/css/style_engine.cc
Sep 24

Sep 24
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e092f9c13e351034e12388bbb8bd77d922b616e8

commit e092f9c13e351034e12388bbb8bd77d922b616e8
Author: Jeremy Roman <jbroman@chromium.org>
Date: Mon Sep 24 17:50:10 2018

Revert "Workaround for nested remove for datalists."

This reverts commit f76237333778b789b112dfb693a55631a69020bd.

Reason for revert: causes DCHECK failures in external/wpt/html/semantics/embedded-content/media-elements/track/track-element/track-mode-disabled.html

Original change's description:
> Workaround for nested remove for datalists.
>
> Nested removes confuse the style traversal roots. Make this a general
> workaround for UA shadow removals.
>
> Bug: 888236, 888448
> Change-Id: Ia0165e7478c96282900a8191eeac18ae34586a2c
> Reviewed-on: https://chromium-review.googlesource.com/1238728
> Reviewed-by: Anders Ruud <andruud@chromium.org>
> Commit-Queue: Rune Lillesveen <futhark@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#593510}

TBR=futhark@chromium.org,andruud@chromium.org

Change-Id: I843b4cc5d9be74fea13ff43305b0093fd64dcae3
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: 888236, 888448, 888618
Reviewed-on: https://chromium-review.googlesource.com/1240505
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Commit-Queue: Jeremy Roman <jbroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593592}

[delete] https://crrev.com/a3d55f3d90dab08b9370ee62889525f494e52298/third_party/WebKit/LayoutTests/fast/css/style-traversal-root-datalist-crash.html
[modify] https://crrev.com/e092f9c13e351034e12388bbb8bd77d922b616e8/third_party/blink/renderer/core/css/style_engine.cc
Sep 24

Sep 25
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/99d5820dc42f6abfaed253e0d671d274dd8cdb45

commit 99d5820dc42f6abfaed253e0d671d274dd8cdb45
Author: Rune Lillesveen <futhark@chromium.org>
Date: Tue Sep 25 10:33:16 2018

Don't update style traversal roots in nested removes.

Nested removes confuse the style traversal roots. Make this a general workaround by introducing a scope for detecting when we are in a nested removal. We tried to do this on a per case basis, but new issues keep popping up.

Bug: 888236, 888448
Change-Id: If4373fbfd8a44a218d6e4c81cc4223b0b8ada05c
Reviewed-on: https://chromium-review.googlesource.com/1242905
Reviewed-by: Anders Ruud <andruud@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#593885}

[add] https://crrev.com/99d5820dc42f6abfaed253e0d671d274dd8cdb45/third_party/WebKit/LayoutTests/fast/css/style-traversal-root-datalist-crash.html
[modify] https://crrev.com/99d5820dc42f6abfaed253e0d671d274dd8cdb45/third_party/blink/renderer/core/css/style_engine.cc
[modify] https://crrev.com/99d5820dc42f6abfaed253e0d671d274dd8cdb45/third_party/blink/renderer/core/css/style_engine.h
[modify] https://crrev.com/99d5820dc42f6abfaed253e0d671d274dd8cdb45/third_party/blink/renderer/core/dom/container_node.cc
Sep 25
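The fix commit above describes the failure as nested removals confusing the style traversal roots, and the fix as a scope that detects when a removal is running inside another removal and leaves the roots alone while it is. What follows is an added model of that mechanism in C++; it is not Blink code and not the ClusterFuzz reproducer (which is only available from the testcase link in the report). `Node`, `StyleEngine`, `RemovalScope`, `RemoveChild`, `AppendChild`, `RunScenario` and the `on_removed` hook are all invented for the model, standing in for a DOM tree, the engine's invalidation root, the scope from the commit message, `ContainerNode` child removal and UA shadow teardown. The model shows how a root update made from inside a nested removal can install a node that is detached a moment later, after which the next update computes a null root even though a node is still marked for invalidation, and how a removal-depth counter prevents that while still letting a top-level removal update the root:

```cpp
// Added illustration, not Blink code: a toy style engine whose traversal root
// is confused by a nested node removal, plus the nested-removal scope that the
// fix commit describes. Every name here is invented for the model.
#include <algorithm>
#include <functional>
#include <string>
#include <vector>

struct Node {
  std::string name;
  Node* parent = nullptr;
  std::vector<Node*> children;
  bool needs_style = false;
  // Stands in for a UA shadow tree (for example a datalist's internals) that
  // removes further nodes while its host is itself being removed.
  std::function<void(Node*)> on_removed;
};

class StyleEngine {
 public:
  explicit StyleEngine(bool skip_root_updates_in_nested_removes)
      : guarded_(skip_root_updates_in_nested_removes) {}

  // Lowest common ancestor of two nodes. Returns null only when one of them is
  // detached from the tree, which the root-update code assumes never happens.
  static Node* CommonAncestor(Node* a, Node* b) {
    std::vector<Node*> chain;
    for (Node* n = a; n; n = n->parent) chain.push_back(n);
    for (Node* n = b; n; n = n->parent)
      if (std::find(chain.begin(), chain.end(), n) != chain.end()) return n;
    return nullptr;
  }

  // Record that `n` needs invalidation and widen the traversal root to cover
  // it. The root must stay a connected node for RootElement() to be usable.
  void MarkForInvalidation(Node* n) {
    n->needs_style = true;
    if (guarded_ && removal_depth_ > 1)
      return;  // the fix: inside a nested removal, leave the root alone
    root_ = root_ ? CommonAncestor(root_, n) : n;
  }

  // Node that invalidation starts from. Null here while some node is still
  // marked dirty is the state in which the real RootElement() dereferenced null.
  Node* RootElement() const { return root_; }

  void EnterRemoval() { ++removal_depth_; }
  void LeaveRemoval() { --removal_depth_; }

 private:
  bool guarded_;
  int removal_depth_ = 0;  // greater than 1 means a removal inside a removal
  Node* root_ = nullptr;
};

// RAII scope: while alive the engine knows a removal is in progress, and two
// live scopes mean the inner removal is nested in the outer one.
class RemovalScope {
 public:
  explicit RemovalScope(StyleEngine& e) : engine_(e) { engine_.EnterRemoval(); }
  ~RemovalScope() { engine_.LeaveRemoval(); }
 private:
  StyleEngine& engine_;
};

void AppendChild(Node* parent, Node* child) {
  child->parent = parent;
  parent->children.push_back(child);
}

// Let `child` tear down its own internals (which may re-enter RemoveChild),
// detach it from `parent`, then mark `parent` because its children changed.
void RemoveChild(StyleEngine& engine, Node* parent, Node* child) {
  RemovalScope scope(engine);
  if (child->on_removed) child->on_removed(child);
  auto& kids = parent->children;
  kids.erase(std::find(kids.begin(), kids.end(), child));
  child->parent = nullptr;
  engine.MarkForInvalidation(parent);
}

// Builds document > body > host > inner and returns the name of the traversal
// root after a removal, or "(null)". nested=true removes host, whose teardown
// removes inner first; nested=false removes inner on its own.
std::string RunScenario(bool guarded, bool nested) {
  StyleEngine engine(guarded);
  Node document{"document"}, body{"body"}, host{"host"}, inner{"inner"};
  AppendChild(&document, &body);
  AppendChild(&body, &host);
  AppendChild(&host, &inner);
  if (nested) {
    host.on_removed = [&engine](Node* h) {
      RemoveChild(engine, h, h->children.front());
    };
    // Unguarded: the nested mark installs host as root while host is still
    // attached but mid-removal; once host is detached, the outer mark finds
    // no common ancestor of host and body and the root becomes null.
    RemoveChild(engine, &body, &host);
  } else {
    RemoveChild(engine, &host, &inner);
  }
  Node* root = engine.RootElement();
  return root ? root->name : std::string("(null)");
}
```

`RunScenario(false, true)` yields "(null)" and `RunScenario(true, true)` yields "body", while both `RunScenario(false, false)` and `RunScenario(true, false)` yield "host", so the guard only suppresses updates made from inside a nested removal. The model exercises only the ordering the commit messages describe (removal re-entering removal through UA shadow teardown) and says nothing about the real data structures or the actual reproducer; the fix commit's file list shows the change touching style_engine.h, style_engine.cc and container_node.cc, which is where a scope of this kind would be entered and consulted in the real tree.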
Sep 26
ClusterFuzz has detected this issue as fixed in range 593884:593885.

Detailed report: https://clusterfuzz.com/testcase?key=6270914768142336
Fuzzer: inferno_twister_c
Job Type: linux_asan_chrome_media
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::StyleInvalidationRoot::RootElement
  blink::StyleEngine::InvalidateStyle
  blink::Document::UpdateStyleInvalidationIfNeeded
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=591303:591304
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_media&range=593884:593885
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6270914768142336

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 26
ClusterFuzz testcase 6270914768142336 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 26
Comment 1 by ClusterFuzz, Sep 22