Issue 594467

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression

Crash in blink::Resource::responseReceived

Project Member Reported by ClusterFuzz, Mar 14 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4928171838799872

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x000004a4
Crash State:
  blink::Resource::responseReceived
  blink::ImageResource::responseReceived
  blink::ImageDocument::createDocumentStructure
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=380105:380830

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97EgRUc6Tm-4Su-o5VBc4twDHnSCMQJPtaqkds9xLmefB54t92mU-WKSrskl7RdlndTAvxXItjs9mzsLeXUpojvwjHBmUF8xczfGfuI8Gt16mnYbzYV0Jgb77ciU3JGwCgQsAetEhX0T7ZxsdNJ0E3wzmhHzA
<iframe src="resources/mozilla.gif" sandbox="allowScripts"0)">


Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Mar 14 2016

Labels: -Type-Bug findit-for-crash Te-Logged M-51 Type-Bug-Regression
Owner: yhirano@chromium.org
Status: Assigned (was: Available)
Suspected CLs (the result is a list of CLs that change the crashed files):

Author: yhirano
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/998e1a037a811ec74dbcca021503ddf3f4b86d60
Time: Fri Mar 11 05:21:17 2016
Line 365 of file ImageResource.cpp, which potentially caused the crash, is changed in this CL (frame #1, "blink::ImageResource::responseReceived").

Lines 230-231 and 409-411 of file ImageDocument.cpp, which potentially caused the crash, are changed in this CL (frame #2, "blink::ImageDocument::createDocumentStructure"; frame #3, "cachedImage").

Files Resource.cpp and DocumentLoader.cpp are changed in this CL (and are part of stack frame #0, "blink::Resource::responseReceived").
Minimum distance from crash line to modified line: 0. (file: ImageResource.cpp, crashed on: 365, modified: 365).

Suspected Component: chromium

yhirano@: Could you please take a look at this?

Thank you!
Cc: japhet@chromium.org
Though I can't reproduce the crash, it looks like

m_imageElement->cachedImage()->responseReceived(loader()->response(), nullptr);

fails because m_imageElement->cachedImage() returns null.

Components: Blink>Loader
Labels: -Cr-Blink-Loader

Comment 6 by bugdroid1@chromium.org, Mar 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bf1150eba29bcb1f20ca5a98d1098ed778fc1c27

commit bf1150eba29bcb1f20ca5a98d1098ed778fc1c27
Author: yhirano <yhirano@chromium.org>
Date: Fri Mar 18 05:13:04 2016

HTMLImageElement::cachedImage() may return null in ImageDocument construction

This is a speculative fix for a crash.

BUG=594467

Review URL: https://codereview.chromium.org/1801543002

Cr-Commit-Position: refs/heads/master@{#381893}

[modify] https://crrev.com/bf1150eba29bcb1f20ca5a98d1098ed778fc1c27/third_party/WebKit/Source/core/html/ImageDocument.cpp


Comment 7 by ClusterFuzz, Mar 18 2016

ClusterFuzz has detected this issue as fixed in range 381877:381899.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=381877:381899

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)

Comment 9 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot