Null-dereference READ in blink::StyleRecalcRoot::RootElement

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5767148657704960
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::StyleRecalcRoot::RootElement
  blink::StyleEngine::RecalcStyle
  blink::Document::UpdateStyle
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=602781:602790
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767148657704960
Additional requirements: Requires Gestures

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 12

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e733da54f24668cf10b7acd0b8dcaa06250f17d8 (Add size/memory and number of canvas metrics). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Nov 12

We have a case of marking style dirty from within style recalc:

#0 blink::Node::MarkAncestorsWithChildNeedsStyleRecalc (this=0x2059ac74a770) at ../../third_party/blink/renderer/core/dom/node.cc:1103
#1 0x00007fffe23ef8ed in blink::Node::SetNeedsStyleRecalc (this=0x2059ac74a770, change_type=blink::kLocalStyleChange, reason=...) at ../../third_party/blink/renderer/core/dom/node.cc:1179
#2 0x00007fffe3387f1b in blink::SVGElement::SetNeedsStyleRecalcForInstances (this=0x2059ac7455e0, change_type=blink::kLocalStyleChange, reason=...) at ../../third_party/blink/renderer/core/svg/svg_element.cc:1115
#3 0x00007fffe23ef96f in blink::Node::SetNeedsStyleRecalc (this=0x2059ac7455e0, change_type=blink::kLocalStyleChange, reason=...) at ../../third_party/blink/renderer/core/dom/node.cc:1185
#4 0x00007fffe236fdf7 in blink::Element::SetNeedsAnimationStyleRecalc (this=0x2059ac7455e0) at ../../third_party/blink/renderer/core/dom/element.cc:2554
#5 0x00007fffe1f1ac9b in blink::KeyframeEffect::AttachTarget (this=0x3b708ca14c08, animation=0x3b708ca14d28) at ../../third_party/blink/renderer/core/animation/keyframe_effect.cc:425
#6 0x00007fffe1f1cc9e in blink::KeyframeEffect::Attach (this=0x3b708ca14c08, owner=0x3b708ca14dc0) at ../../third_party/blink/renderer/core/animation/keyframe_effect.cc:412
#7 0x00007fffe1e05fa8 in blink::Animation::Animation (this=0x3b708ca14d28, execution_context=0x2059ac743180, timeline=..., content=0x3b708ca14c08) at ../../third_party/blink/renderer/core/animation/animation.cc:143
#8 0x00007fffe1e058ae in blink::Animation::Create (effect=0x3b708ca14c08, timeline=0x3b708ca5a2f8, exception_state=...) at ../../third_party/blink/renderer/core/animation/animation.cc:83
#9 0x00007fffe1eed186 in blink::DocumentTimeline::Play (this=0x3b708ca5a2f8, child=0x3b708ca14c08) at ../../third_party/blink/renderer/core/animation/document_timeline.cc:108
#10 0x00007fffe1e57f4b in blink::CSSAnimations::MaybeApplyPendingUpdate (this=0x3b708ca13998, element=0x2059ac7455e0) at ../../third_party/blink/renderer/core/animation/css/css_animations.cc:602
#11 0x00007fffe236d512 in blink::Element::StyleForLayoutObject (this=0x2059ac7455e0) at ../../third_party/blink/renderer/core/dom/element.cc:2109
#12 0x00007fffe236e42b in blink::Element::RecalcOwnStyle (this=0x2059ac7455e0, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/element.cc:2296
#13 0x00007fffe236de0e in blink::Element::RecalcStyle (this=0x2059ac7455e0, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/element.cc:2206
#14 0x00007fffe22dab23 in blink::ContainerNode::RecalcDescendantStyles (this=0x2059ac744ab0, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/container_node.cc:1416
#15 0x00007fffe236dfec in blink::Element::RecalcStyle (this=0x2059ac744ab0, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/element.cc:2243
#16 0x00007fffe22dab23 in blink::ContainerNode::RecalcDescendantStyles (this=0x2059ac744908, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/container_node.cc:1416
#17 0x00007fffe236dfec in blink::Element::RecalcStyle (this=0x2059ac744908, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/element.cc:2243
#18 0x00007fffe22dab23 in blink::ContainerNode::RecalcDescendantStyles (this=0x2059ac744058, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/container_node.cc:1416
#19 0x00007fffe236dfec in blink::Element::RecalcStyle (this=0x2059ac744058, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/element.cc:2243
#20 0x00007fffe22dab23 in blink::ContainerNode::RecalcDescendantStyles (this=0x2059ac743fb8, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/container_node.cc:1416
#21 0x00007fffe236dfec in blink::Element::RecalcStyle (this=0x2059ac743fb8, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/element.cc:2243
#22 0x00007fffe22dab23 in blink::ContainerNode::RecalcDescendantStyles (this=0x2059ac743e78, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/container_node.cc:1416
#23 0x00007fffe236dfec in blink::Element::RecalcStyle (this=0x2059ac743e78, change=blink::kInherit) at ../../third_party/blink/renderer/core/dom/element.cc:2243
#24 0x00007fffe2292e23 in blink::StyleEngine::RecalcStyle (this=0x3b708ca5a630, change=blink::kNoChange) at ../../third_party/blink/renderer/core/css/style_engine.cc:1663
#25 0x00007fffe22fe2b0 in blink::Document::UpdateStyle (this=0x2059ac742ff0) at ../../third_party/blink/renderer/core/dom/document.cc:2333
#26 0x00007fffe22f9c8f in blink::Document::UpdateStyleAndLayoutTree (this=0x2059ac742ff0) at ../../third_party/blink/renderer/core/dom/document.cc:2249
#27 0x00007fffe252322b in blink::FrameSelection::FocusedOrActiveStateChanged (this=0x28d5f9d81b48) at ../../third_party/blink/renderer/core/editing/frame_selection.cc:822
#28 0x00007fffe2523517 in blink::FrameSelection::SetFrameIsFocused (this=0x28d5f9d81b48, flag=false) at ../../third_party/blink/renderer/core/editing/frame_selection.cc:851
#29 0x00007fffe30dc02d in blink::FocusController::FocusHasChanged (this=0x28d5f9d81950) at ../../third_party/blink/renderer/core/page/focus_controller.cc:905
(More stack frames follow...)

The regression change-list looks wrong.
Nov 16

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6df4c7b6c3b115712668d0d1a1269360c7878a3c

commit 6df4c7b6c3b115712668d0d1a1269360c7878a3c
Author: Rune Lillesveen <futhark@chromium.org>
Date: Fri Nov 16 09:53:30 2018

Don't mark style dirty from style recalc for animations.

There is no point in marking an element style dirty while we are recalculating style for it. For SVG elements which are referenced through <use> elements we even mark the instances style-dirty, which caused a problem in issue 904381 because the <use> instance was outside of the sub-tree rooted at the recalc root, causing the tree to be still style-dirty after UpdateStyle.

Bug: 904381
Change-Id: If5e487783668e9d411ff721fd60e80fa7f1a8313
Reviewed-on: https://chromium-review.googlesource.com/c/1335602
Reviewed-by: Fredrik Söderquist <fs@opera.com>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#608712}

[add] https://crrev.com/6df4c7b6c3b115712668d0d1a1269360c7878a3c/third_party/WebKit/LayoutTests/animations/svg-use-animation-crash.html
[modify] https://crrev.com/6df4c7b6c3b115712668d0d1a1269360c7878a3c/third_party/blink/renderer/core/dom/element.cc
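The mechanism this commit message and the stack trace above describe, as an added toy model that is not Blink's code (the Node/Doc types, MarkDirty/Recalc/UpdateStyle names and the single-node recalc-root tracking are simplifications constructed for this page): an animated element forwards its dirty mark to a <use> instance outside the recalc root's subtree, so the tree is still style-dirty after UpdateStyle, while the commit's rule of ignoring dirty-marking during recalc leaves the tree clean.

```cpp
#include <vector>
// Toy model of Blink's style-dirty bookkeeping, constructed for this page (not
// Blink's code): UpdateStyle walks only the subtree under the recalc root, and
// an animated SVG element forwards its dirty mark to its <use> instance.
struct Node {
  Node* parent = nullptr;
  std::vector<Node*> children;
  Node* use_instance = nullptr;          // <use> clone living elsewhere in the tree
  bool needs_recalc = false, child_needs_recalc = false;
  void Append(Node* c) { c->parent = this; children.push_back(c); }
};
struct Doc {
  Node* recalc_root = nullptr;           // where StyleEngine::RecalcStyle starts
  bool in_recalc = false, fixed = false; // fixed: apply the commit's rule
  void MarkDirty(Node* n) {              // models Node::SetNeedsStyleRecalc
    if (fixed && in_recalc) return;      // the fix: never mark dirty from recalc
    n->needs_recalc = true;
    for (Node* p = n->parent; p && !p->child_needs_recalc; p = p->parent)
      p->child_needs_recalc = true;      // MarkAncestorsWithChildNeedsStyleRecalc
    if (!recalc_root) recalc_root = n;   // simplified recalc-root tracking
  }
  void Recalc(Node* n) {                 // models Element::RecalcStyle
    if (n->needs_recalc) {
      n->needs_recalc = false;
      if (n->use_instance) MarkDirty(n->use_instance);  // SetNeedsStyleRecalcForInstances
    }
    if (!n->child_needs_recalc) return;
    n->child_needs_recalc = false; for (Node* c : n->children) Recalc(c);
  }
  void UpdateStyle() {                   // models Document::UpdateStyle
    if (!recalc_root) return;
    in_recalc = true; Recalc(recalc_root); in_recalc = false;
    for (Node* p = recalc_root->parent; p; p = p->parent) p->child_needs_recalc = false;
    recalc_root = nullptr;               // engine now assumes the tree is clean
  }
};
static bool AnyDirty(const Node* n) {
  for (const Node* c : n->children) if (AnyDirty(c)) return true;
  return n->needs_recalc || n->child_needs_recalc;
}
// html -> {svg -> animated, body -> instance}; the instance is outside the recalc root.
bool TreeDirtyAfterUpdate(bool fixed) {
  Node html, svg, animated, body, instance;
  html.Append(&svg); svg.Append(&animated); html.Append(&body); body.Append(&instance);
  animated.use_instance = &instance;
  Doc doc; doc.fixed = fixed; doc.MarkDirty(&animated);  // e.g. a CSS animation starting
  doc.UpdateStyle();
  return AnyDirty(&html);                // true before the fix, false after
}
```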
Nov 17

ClusterFuzz has detected this issue as fixed in range 608711:608713.

Detailed report: https://clusterfuzz.com/testcase?key=5767148657704960
Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::StyleRecalcRoot::RootElement
  blink::StyleEngine::RecalcStyle
  blink::Document::UpdateStyle
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=602781:602790
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=608711:608713
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767148657704960
Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 17

ClusterFuzz testcase 5767148657704960 is verified as fixed, so closing issue as verified. If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 12: Labels: Test-Predator-Auto-Components