There is another problem with the change that caused the regression that I didn't notice during the review.
Specifically, if we call cancel() immediately after start(), there will be a different crash because now attachToRequest is changed to be executed asynchronously and holds on to a raw pointer to the mRequestAdapter which could have been be destroyed, and we have no way to check this because CronetUploadDataStream doesn't know if we the request adapter is destroyed or not.

I am leaning towards revert this CL. 

https://chromium.googlesource.com/chromium/src/+/11a0bbd6293dffc9df4c4fc8f8e80887c1f01451
-    void attachToRequest(CronetUrlRequest request, long requestAdapter) {
+    void attachToRequest(final CronetUrlRequest request, final long requestAdapter,
+            final Runnable afterAttachCallback) {
         mRequest = request;
-        mUploadDataStreamAdapter =
-                nativeAttachUploadDataToRequest(requestAdapter, mLength);
+        postTaskToExecutor(new Runnable() {
+            @Override
+            public void run() {
+                synchronized (mLock) {
+                    mInWhichUserCallback = UserCallback.GET_LENGTH;
+                }
+                try {
+                    mLength = mDataProvider.getLength();
+                } catch (Throwable t) {
+                    onError(t);
+                }
+                synchronized (mLock) {
+                    mInWhichUserCallback = UserCallback.NOT_IN_CALLBACK;
+                    mUploadDataStreamAdapter =
+                            nativeAttachUploadDataToRequest(requestAdapter, mLength);
+                }
+                afterAttachCallback.run();
+            }
+        });
     }

Could attachToRequest call some method on the request to check that? 

Unfortunately it can't be request.isDoneLocked() as that one returns false if request hasn't started yet.

I don't mind reverting the CL later today if we don't decide on a good fix.

There's an easy fix - simply create a boolean field for cancellation, and
check it in startInternalLocked.

I've crafted potential fix here: https://codereview.chromium.org/1777333002 but it (expectedly) deadlocks the new test.

WDYT?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/db433eabe1d4854125e00885fbba073ada75ad94

commit db433eabe1d4854125e00885fbba073ada75ad94
Author: mef <mef@chromium.org>
Date: Fri Mar 11 16:56:17 2016

[Cronet] Fix race in UploadDataStream.attachToRequest.

- Add UploadDataStream.initalizeWithRequest to call DataProvider.getLength() outside of lock.
- Use AttachNativeAdapterToRequest in UrlRequest.startInternal under the lock to ensure that request is not canceled.

BUG= 593490 

Review URL: https://codereview.chromium.org/1777333002

Cr-Commit-Position: refs/heads/master@{#380654}

[modify] https://crrev.com/db433eabe1d4854125e00885fbba073ada75ad94/components/cronet/android/java/src/org/chromium/net/CronetUploadDataStream.java
[modify] https://crrev.com/db433eabe1d4854125e00885fbba073ada75ad94/components/cronet/android/java/src/org/chromium/net/CronetUrlRequest.java
[modify] https://crrev.com/db433eabe1d4854125e00885fbba073ada75ad94/components/cronet/android/test/javatests/src/org/chromium/net/UploadDataProvidersTest.java
[modify] https://crrev.com/db433eabe1d4854125e00885fbba073ada75ad94/components/cronet/tools/cr_cronet.py

This change is local to Cronet and doesn't affect the rest of the Chrome.

Your change meets the bar and is auto-approved for M50 (branch: 2661)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9db0b53eb57adab8b47b746b5c1cd5477c24422f

commit 9db0b53eb57adab8b47b746b5c1cd5477c24422f
Author: Misha Efimov <mef@google.com>
Date: Mon Mar 14 19:43:00 2016

[Cronet] Fix race in UploadDataStream.attachToRequest.

- Add UploadDataStream.initalizeWithRequest to call DataProvider.getLength() outside of lock.
- Use AttachNativeAdapterToRequest in UrlRequest.startInternal under the lock to ensure that request is not canceled.

BUG= 593490 

Review URL: https://codereview.chromium.org/1777333002

Cr-Commit-Position: refs/heads/master@{#380654}
(cherry picked from commit db433eabe1d4854125e00885fbba073ada75ad94)

R=xunjieli@chromium.org

Review URL: https://codereview.chromium.org/1801943002 .

Cr-Commit-Position: refs/branch-heads/2661@{#219}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[modify] https://crrev.com/9db0b53eb57adab8b47b746b5c1cd5477c24422f/components/cronet/android/java/src/org/chromium/net/CronetUploadDataStream.java
[modify] https://crrev.com/9db0b53eb57adab8b47b746b5c1cd5477c24422f/components/cronet/android/java/src/org/chromium/net/CronetUrlRequest.java
[modify] https://crrev.com/9db0b53eb57adab8b47b746b5c1cd5477c24422f/components/cronet/android/test/javatests/src/org/chromium/net/UploadDataProvidersTest.java
[modify] https://crrev.com/9db0b53eb57adab8b47b746b5c1cd5477c24422f/components/cronet/tools/cr_cronet.py