
Issue 611689


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Crash in blink::LocalFrame::detach

Reported by ClusterFuzz (Project Member), May 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417054248206336

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::LocalFrame::detach
  blink::Page::willBeDestroyed
  blink::SVGImage::~SVGImage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393144:393183

Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AH2HDxKmFcdrm9l72DY6FrzQ_O99a_F5rjZQPNNE7RDQ9DlJuE1Iq0Sz10MvLLozBUatkoOW5kqPzBsdTPPYEyFYNCKkZ4pqD98DuC30UwaDna6BEbuNDsgQ_4oy_TKgiAxIozuFvyC0S3XIAH2UKP11O4A

Additional requirements: Requires Gestures

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: dcheng@chromium.org
Components: Blink>SVG
Labels: -Pri-1 findit-wrong Te-Logged M-52 Pri-2
Owner: tkent@chromium.org
Status: Assigned (was: Available)
Suspecting below:
=================

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/bc591303022b835a568bcdb4b82e5678c5bf6435
Time: Tue Sep 29 11:15:04 2015
The CL last changed line 96 of file HashCountedSet.h, which is stack frame 4.

---------------------------------------------------------------------------------------------------------

Author: dcheng
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a4bcdcb1f8df4f7427e208201501a9d8e41e386b
Time: Thu Feb 04 19:17:21 2016
The CL last changed line 112 of file HTMLFrameOwnerElement.h, which is stack frame 6.

@tkent/dcheng: Could you please look into the issue, and if it has nothing to do with your changes, please assign it to the concerned owner if possible.

Thank you.

Comment 2 by tkent@chromium.org, May 15 2016

Cc: sigbjo...@opera.com
Owner: dcheng@chromium.org
My CL has no production code change.

This looks to be in dcheng's area, or sigbjornf's.

Comment 3 by sigbjo...@opera.com, May 16 2016

I wouldn't be too surprised if this is during Blink shutdown and with LSan; re-assign if it is. :)
Comment 4 by ClusterFuzz (Project Member), May 16 2016

ClusterFuzz has detected this issue as fixed in range 393799:393810.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417054248206336

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::LocalFrame::detach
  blink::Page::willBeDestroyed
  blink::SVGImage::~SVGImage
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393144:393183
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=393799:393810

Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97AH2HDxKmFcdrm9l72DY6FrzQ_O99a_F5rjZQPNNE7RDQ9DlJuE1Iq0Sz10MvLLozBUatkoOW5kqPzBsdTPPYEyFYNCKkZ4pqD98DuC30UwaDna6BEbuNDsgQ_4oy_TKgiAxIozuFvyC0S3XIAH2UKP11O4A

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by dcheng@chromium.org, May 16 2016

Owner: sigbjo...@opera.com
Looks like this was resolved by https://chromium.googlesource.com/chromium/src/+/a2917a54ac168cd4ccb8bf453a44cadd38ec0c6b. Assigning to sigbjornf to confirm.

Comment 6 by sigbjo...@opera.com, May 17 2016

Cc: -sigbjo...@opera.com
Status: Fixed (was: Assigned)
Yes, floating garbage (the SVGImage) that wasn't swept & finalized before initiating the extra heap scrubbing that LSan requires (=> all static locals/persistents are cleared, including the one that SubframeLoadingDisabler uses, which the testcase here would otherwise trip up on when touching it after it has been cleared).
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
