Possible suspect as per Findit.

Author: ksakamoto
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6f0549c2726c0a730a03437dd7d7e157e3a42b65
Time: Fri Dec 04 10:16:56 2015
The CL last changed line 126 of file FontResource.cpp, which is stack frame 1.

This is a regression by https://chromium.googlesource.com/chromium/src.git/+/b1ad8eab17e2d730f7eb112f644addb9b50842af

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1470667b97b1ce551060d595f0d41656526ad0f7

commit 1470667b97b1ce551060d595f0d41656526ad0f7
Author: ksakamoto <ksakamoto@chromium.org>
Date: Wed Apr 06 08:18:40 2016

Fix font preload crash

Adds null check for return value of FontResource::fetch(), as well as a
test exercising that code path.

BUG= 600766 

Review URL: https://codereview.chromium.org/1867493002

Cr-Commit-Position: refs/heads/master@{#385400}

[add] https://crrev.com/1470667b97b1ce551060d595f0d41656526ad0f7/third_party/WebKit/LayoutTests/http/tests/preload/preload-csp.html
[modify] https://crrev.com/1470667b97b1ce551060d595f0d41656526ad0f7/third_party/WebKit/Source/core/loader/DocumentLoader.cpp

ClusterFuzz has detected this issue as fixed in range 385386:385441.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6068414283513856

Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000006e8
Crash State:
  blink::FontResource::beginLoadIfNeeded
  blink::DocumentLoader::startPreload
  blink::HTMLResourcePreloader::preload
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=385386:385441

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Rck6bfsstva9BBHI1DYPiRgZadwuGUdE9swv2Dk-cYywyUCYX2_eaGgaRygiz9h-zEP5IcOiQONfACWqMf741go-ncQ5rIlkA6yvRY165ae3O7WTcQe8pBd6Cg7Q5wh90VxQjvLfWQuzPY9PAfKH6W9yUzQ
<script>
window.open("http://sra.org.uk");
window.open("http://articlecompilation.com");
window.location = "http://massagewkwk.com";</script></html>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Fixed in Canary 51.0.2702.2. Requesting merge to M50.

[Automated comment] Less than 2 weeks to go before stable on M50, manual review required.

Merge approved for M50 (branch 2661). Pls go ahead merge.

Please merge your change to M50 branch 2661 by 5:00 PM PST on April 11th,Monday to make into the desktop Stable final build cut. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3bfbdd603d53b1e3287ba8b2c731bbf4aee7ece9

commit 3bfbdd603d53b1e3287ba8b2c731bbf4aee7ece9
Author: Kunihiko Sakamoto <ksakamoto@chromium.org>
Date: Mon Apr 11 01:25:46 2016

Fix font preload crash

Adds null check for return value of FontResource::fetch(), as well as a
test exercising that code path.

BUG= 600766 

Review URL: https://codereview.chromium.org/1867493002

Cr-Commit-Position: refs/heads/master@{#385400}
(cherry picked from commit 1470667b97b1ce551060d595f0d41656526ad0f7)

Review URL: https://codereview.chromium.org/1874973002 .

Cr-Commit-Position: refs/branch-heads/2661@{#544}
Cr-Branched-From: ef6f6ae5e4c96622286b563658d5cd62a6cf1197-refs/heads/master@{#378081}

[add] https://crrev.com/3bfbdd603d53b1e3287ba8b2c731bbf4aee7ece9/third_party/WebKit/LayoutTests/http/tests/preload/preload-csp.html
[modify] https://crrev.com/3bfbdd603d53b1e3287ba8b2c731bbf4aee7ece9/third_party/WebKit/Source/core/loader/DocumentLoader.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot