
Issue 595875 link

Starred by 2 users

Issue metadata

Status: WontFix
Owner:
please use my google.com address
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Crash in blink::WebLocalFrameImpl::mainWorldScriptContext

Project Member Reported by ClusterFuzz, Mar 17 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6380256516112384

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::WebLocalFrameImpl::mainWorldScriptContext
  content::MojoBindingsController::CreateContextState
  content::RenderFrameImpl::didCreateDocumentElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=380964:381388

Minimized Testcase (3.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952AL3qsW__2W5KVULArl57JeT9wmGzrpKejU1v10WFVh83ms6aZ60RE_OAK-q58SwhHClfzbbt1O9iVJcgMH2d7XwngTHtCA8Xdo2mTiNX3IatmDMLEIOCACmNxQmzGT9ZUR5xjFb_gCrXtKeZ8mexv2V7DA

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: findit-for-crash Te-Logged
Owner: roc...@chromium.org
Status: Assigned (was: Available)
Below is the list of suspects from the 'Findit' result.

Author: rockot
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4a038f904fc285301fbd6dbf46c3394071eb3058
Time: Tue Nov 24 21:52:46 2015
The CL last changed line 42 of file mojo_bindings_controller.cc, which is stack frame 2.

Author: rdevlin.cronin
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4bb32d7a792124a5919bbc7a8c715ca845c7996a
Time: Tue Jun 02 21:55:01 2015
The CL last changed line 3314 of file render_frame_impl.cc, which is stack frame 3.

rockot@, could you please look into this change (https://chromium.googlesource.com/chromium/src//+/4a038f904fc285301fbd6dbf46c3394071eb3058)? Please feel free to re-assign in case this is not caused by yours.

Components: Blink
Labels: -cr-blink
Remove legacy label cr-blink

Comment 3 by tkent@chromium.org, Mar 23 2016

Components: -Blink Blink>Bindings

Comment 5 by roc...@chromium.org, Mar 23 2016

Can I trigger clusterfuzz to try again now or will that just happen soon enough on its own?

Comment 6 by ClusterFuzz, Mar 25 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5108036804280320

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::WebLocalFrameImpl::mainWorldScriptContext
  content::MojoBindingsController::CreateContextState
  content::RenderFrameImpl::runScriptsAtDocumentElementAvailable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=381899:383055

Minimized Testcase (3.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95GILEmWI7OjabhHjZu3UruXwJ24ffElLWFh3i4xxVOR_GQQlwMiiZ_9Yi29yQVYZ2Z1CJI2laXVsfedRDbK4B7377r6IKnBa4Ag0954JNiI-_hAuwairw9WbX-ygIis8Y-UPZgE87E4I47_yBiF-9tjuEK4w

Filer: pbommana

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 7 by roc...@chromium.org, Mar 27 2016

Cc: sa...@chromium.org
I'm not sure I fully understand what the right thing to do here is, but the problem seems to be with detached frames.

A simple crash prevention would be to make sure frame_ is non-null before runScriptsAtDocumentElementAvailable calls MojoBindingsController::RunScriptsAtDocumentStart, but I'm not sure if that's correct. i.e. should we instead pass an explicit WebLocalFrame to MBC?

Comment 8 by ClusterFuzz, Mar 28 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6380256516112384

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::WebLocalFrameImpl::mainWorldScriptContext
  content::MojoBindingsController::CreateContextState
  content::RenderFrameImpl::didCreateDocumentElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=380964:381388

Minimized Testcase (3.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv952AL3qsW__2W5KVULArl57JeT9wmGzrpKejU1v10WFVh83ms6aZ60RE_OAK-q58SwhHClfzbbt1O9iVJcgMH2d7XwngTHtCA8Xdo2mTiNX3IatmDMLEIOCACmNxQmzGT9ZUR5xjFb_gCrXtKeZ8mexv2V7DA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz, Jun 27 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4920527999467520

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::WebLocalFrameImpl::mainWorldScriptContext
  content::MojoBindingsController::CreateContextState
  content::RenderFrameImpl::runScriptsAtDocumentElementAvailable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=402026:402043

Minimized Testcase (3.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95YGCbdtyxvfOiVoqgkCGdYHO1-oMVRLLkoHCZJGpB9LDXjYp5R1VRVuznJvPf22bkhH9yYJ31wE7BF-eMzeSaCe4gwYDLXzA7cKcsltDvsSaS7crLiOAP1wlLN5GX9gNcWFbIJRVgGVgGA5ONaqt7Bh27-Eg?testcase_id=4920527999467520

Additional requirements: Requires HTTP

Filer: tkonchada

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Cc: dcheng@chromium.org

Comment 11 by ClusterFuzz, Jul 13 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4671099128512512

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  blink::WebLocalFrameImpl::mainWorldScriptContext
  content::MojoBindingsController::CreateContextState
  content::RenderFrameImpl::runScriptsAtDocumentElementAvailable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=381067:381276

Minimized Testcase (3.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97oBl_4a8SEz38L4mv7HzEeFJ741oalZCkrZxIrjoJbTkBrGvZCknMPvBYFtZiVQb5-hdQ3Gi4_s78fe2fbORxkVSDBuxvsljwE8U6aSvguGUXgFOA6My6ANBOl7LHCIZjUkCw1IbVSvPy43FDDBuLPkvzLWg?testcase_id=4671099128512512

Filer: brajkumar

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Looks like this is still crashing: I'm not sure robwu's CL fixed all instances where this could occur.
To what CL are you referring?

We discussed this bug a few weeks ago IIRC and at that time there were clearly instances where certain invalid assumptions were being made in the code. See https://codereview.chromium.org/2093423005 which provoked that discussion.

Has a change landed which should have fixed this?
Ah, OK. Sorry, was just going through my bug emails this morning and had forgotten I had previously commented on this outside monorail. Hopefully now that the context is attached, I will remember =)
I finally got a chance to test this locally. It repros consistently under ASAN with the test case in #11.

It's not that the frame is null, as I was assuming previously. It's that ScriptState::forMainWorld(frame) is null. I don't know what this means or how it can happen. Any ideas?
Cc: yukishiino@chromium.org
It probably means that the v8::Context has been detached (by something removing a frame from the DOM or navigating it synchronously)
Cc: rdevlin....@chromium.org roc...@chromium.org sky@chromium.org
Issue 632877 has been merged into this issue.

Comment 18 by ClusterFuzz, Sep 13 2016

ClusterFuzz has detected this issue as fixed in range 417868:417884.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4671099128512512

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  blink::WebLocalFrameImpl::mainWorldScriptContext
  content::MojoBindingsController::CreateContextState
  content::RenderFrameImpl::runScriptsAtDocumentElementAvailable
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=381067:381276
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=417868:417884

Minimized Testcase (3.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97oBl_4a8SEz38L4mv7HzEeFJ741oalZCkrZxIrjoJbTkBrGvZCknMPvBYFtZiVQb5-hdQ3Gi4_s78fe2fbORxkVSDBuxvsljwE8U6aSvguGUXgFOA6My6ANBOl7LHCIZjUkCw1IbVSvPy43FDDBuLPkvzLWg?testcase_id=4671099128512512

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 19 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 20 by ClusterFuzz, Dec 22 2016

Status: WontFix (was: Assigned)
ClusterFuzz testcase 4920527999467520 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
