
Issue 601480


Issue metadata

Status: Fixed
Owner:
Closed: Apr 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression




Crash in test_runner::AppBannerClient::ResolvePromise

Project Member Reported by ClusterFuzz, Apr 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6344413915119616

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000023
Crash State:
  test_runner::AppBannerClient::ResolvePromise
  test_runner::TestRunnerBindings::ResolveBeforeInstallPromptPromise
  base::internal::Invoker<base::IndexSequence<>,base::internal::BindState<base::in
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=385450:385466

Minimized Testcase (25.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94JoHk7CwIvOT6btXQKAENR5OWH-fZ0sTBNOdL6BZSlX9zEsaA1K-aJ5hml33tsxTbpp3FpkoRVp0551PwU8v-vFd67Fz3LYHpSqoFDubv-71_c3YbwEN-vhe_zd7JdS_NbtrKRWnmicDht4L9Fq6L2fht3cuClxEq6sG5ltk8mKRfOZuI

Filer: msrchandra

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: -Type-Bug findit-wrong Te-Logged Type-Bug-Regression
Owner: yhirano@chromium.org
Status: Assigned (was: Available)
Unable to find the suspect from the regression range provided, and also from Findit.
Using Code Search for the text "test_runner::AppBannerClient::ResolvePromise", assigning it to the concerned owner.

Suspected Commit# 2465f9886e6ad78fcfd8a111fc1bd81ed2db7bde
Suspected Review URL# https://codereview.chromium.org/1483903002

@yhirano -- Could you please look into the issue? Pardon me if it has nothing to do with your changes; if possible, please assign it to the concerned dev.
Thank You.
Project Member

Comment 2 by ClusterFuzz, Apr 8 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Cc: yhirano@chromium.org
Owner: mlamouri@chromium.org
mlamouri@, can you take a look?
Cc: dominickn@chromium.org
Dominick, is this something you would be interested to look at?
I think this is isolated to the components test runner, since it exposes a JS method resolveBeforeInstallPromptPromise(index, platform) that's used to manually force the renderer to resolve the promise without needing the browser process to do its checking. The method isn't present anywhere else but the test runner.

Looking at the traceback, it seems like the underlying std::unordered_map accesses an invalid address when trying to look up (index). Not really sure why that would happen - but the test case is calling whatever methods it can find with random junk as arguments, so I'm not really surprised.
Cc: lukasza@chromium.org jochen@chromium.org
Status: Started (was: Assigned)
I have a fix for this. It is a regression from https://codereview.chromium.org/1807643002 that removed a null check. The AppBannerClient is lazy initialized.

CC: author and reviewer of the CL
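Added illustration of the failure mode described in the comments above (a lazily initialized client reached through a test-only binding before it exists) next to the kind of null check the fix restores. This is not Chromium's code: the class names mirror the crash state, but the members, the `SetUpAppBanner()` initializer and `RunScenario()` are hypothetical simplifications.

```cpp
// Hypothetical, simplified stand-ins for the test_runner classes named in the
// crash state; not the actual Chromium implementation.
#include <map>
#include <memory>
#include <string>

namespace test_runner_example {

// Stand-in for AppBannerClient: tracks which promise index got which platform.
class AppBannerClient {
 public:
  void ResolvePromise(int index, const std::string& platform) {
    resolved_[index] = platform;
  }
  std::map<int, std::string> resolved_;
};

class TestRunnerBindings {
 public:
  // Hypothetical lazy initializer: the client only exists once the page has
  // asked for a banner. A page (or fuzzer) may call the binding earlier.
  void SetUpAppBanner() { client_.reset(new AppBannerClient()); }

  // Regressed form: dereferences client_ unconditionally. Called before
  // SetUpAppBanner() this reads through a null pointer, which is what a
  // small crash address like the one in the report typically indicates.
  void ResolveBeforeInstallPromptPromiseUnchecked(int index,
                                                  const std::string& platform) {
    client_->ResolvePromise(index, platform);
  }

  // Fixed form: the null check is back; the call is ignored when there is
  // nothing to resolve, and the return value says whether it was applied.
  bool ResolveBeforeInstallPromptPromise(int index, const std::string& platform) {
    if (!client_)
      return false;
    client_->ResolvePromise(index, platform);
    return true;
  }

  const AppBannerClient* client() const { return client_.get(); }

 private:
  std::unique_ptr<AppBannerClient> client_;  // null until SetUpAppBanner()
};

// Drives the ordering the fuzzer hit (binding called before the client is
// created, then after). Returns true when the checked form handles both.
bool RunScenario() {
  TestRunnerBindings bindings;
  bool before = bindings.ResolveBeforeInstallPromptPromise(3, "web");
  bindings.SetUpAppBanner();
  bool after = bindings.ResolveBeforeInstallPromptPromise(3, "web");
  return !before && after && bindings.client()->resolved_.at(3) == "web";
}

}  // namespace test_runner_example
```

The unchecked variant is kept only for comparison and is never invoked; a layout test that calls the binding before any banner setup, as the fix commit adds, is the regression guard for the checked one.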
Thanks for looking into this.  Yes - the removal of the null check was non-intentional - it happened accidentally during the refactoring :-(
Project Member

Comment 8 by bugdroid1@chromium.org, Apr 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/005172539b5aefaa52273ebe784f14e2bb16d15a

commit 005172539b5aefaa52273ebe784f14e2bb16d15a
Author: mlamouri <mlamouri@chromium.org>
Date: Thu Apr 14 15:50:42 2016

Fix crash when AppBannerClient is null when resolveBeforeInstallPromptPromise is called.

The crash is a regression from:
https://codereview.chromium.org/1807643002

There is now a simple layout test preventing a similar regression.

BUG= 601480 
R=jochen@chromium.org

Review URL: https://codereview.chromium.org/1886763002

Cr-Commit-Position: refs/heads/master@{#387326}

[modify] https://crrev.com/005172539b5aefaa52273ebe784f14e2bb16d15a/components/test_runner/test_runner.cc
[add] https://crrev.com/005172539b5aefaa52273ebe784f14e2bb16d15a/third_party/WebKit/LayoutTests/app_banner/testrunner-resolve-crash.html

Labels: M-52
Status: Fixed (was: Started)
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
