Crash in SpellCheckProvider::EnableSpellcheck
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6077621456863232
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  SpellCheckProvider::EnableSpellcheck
  UpdateSpellcheckEnabled::Visit
  content::RenderView::ForEach
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qZsOEfbyHesOTMeViGTQjPRM-ucSQq3zFnOq-DcxJSa0ZDjAhmlmA0-jwYh8kzWLfJc8KCDny_tsNuHIHRCsDaqa_1STB0LDaCjE_MSrqYyY0aSivjz_lHnXi3hscS4iZBCwbpdLRp9QdxGNIRUdqn-D0Gg
Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

May 24 2016
My CL was a header rename... @groby for spellcheck triage.

May 24 2016
1) The regression range doesn't make any sense. It's *old*. (And it is not accessible because we switched to SHAs and can't do version ranges any more.)
2) The minimized testcase doesn't crash on 52.0.2739.2 - at least on OSX. It doesn't crash on Linux 50.0.2661.102, either.
3) On both OSX and Linux, it usually displays an error in the console: document.execCommand() doesn't work with an invalid HTML structure. It is corrected automatically.
3a) On Linux (or possibly M50?), it occasionally also fails with: fuzz-819-133.html:9 Uncaught TypeError: Cannot read property 'contentWindow' of undefined

Given the lack of both a repro case and a decent regression range, I can't do much about pinpointing a source. Divining from the source, my guess would be that render_view() or focused_frame() are nullptr. Based on the error messages in the console, I bet on the latter. Is there any way to run clusterfuzz with additional instrumentation to figure this out? The trivial fix would be just to nullcheck focused_frame(), but this is a "should never happen" condition.

May 24 2016
+dglazkov: Under what circumstances would focusedFrame() ever be NULL? More specifically, why would it be NULL here? Currently, spellchecker enables spellcheck on the focusedFrame only - if frame focus changes are a common thing, I suppose we need to tackle that. Is there a notification around frame changes?

May 24 2016
It shouldn't be 0 in the scope of this call. I wonder if the issue is with OOPIF-related logic sometimes returning 0?

May 24 2016
Adding alexmos@, who has done the work to port focus to work in OOPIFs.

May 24 2016
AFAIK, OOPIFs shouldn't cause WebViewImpl::focusedFrame() to return null. focusedFrame() calls focusedCoreFrame(), which calls FocusController::focusedOrMainFrame(), which should never return null. The only case I can see inspecting the code is WebViewImpl::focusedCoreFrame() returning null if m_page is null, but chatting with dcheng@, that also doesn't seem possible.

May 27 2016
This is quite likely related to the changes in bug #604645, although I'm not sure the fix will fully address it. I'll leave it to OOPIF folk to verify :)

May 31 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6077621456863232
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  SpellCheckProvider::EnableSpellcheck
  UpdateSpellcheckEnabled::Visit
  content::RenderView::ForEach
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Minimized Testcase (0.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94qZsOEfbyHesOTMeViGTQjPRM-ucSQq3zFnOq-DcxJSa0ZDjAhmlmA0-jwYh8kzWLfJc8KCDny_tsNuHIHRCsDaqa_1STB0LDaCjE_MSrqYyY0aSivjz_lHnXi3hscS4iZBCwbpdLRp9QdxGNIRUdqn-D0Gg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 3 2016
Has anyone tried to take the ClusterFuzz report and repro locally? If it repros, it shouldn't be too hard to investigate what is the root cause of the crash.

Jun 9 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6312382498603008
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  SpellCheckProvider::EnableSpellcheck
  UpdateSpellcheckEnabled::Visit
  content::RenderView::ForEach
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Minimized Testcase (1.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95YmVeV_YrFSUmp8rlDAMa69uILgeTMv8j7mEjr7v0qG1WYbbfwEP1yPXUxK7VggYHff__p-WL_kxOhOJbGQu5iW4XI2wS-xx_7cglKklo6MHmtX0rIBwsw1NlPQQsgD4KJNropRpGh6pEh5VxkB6roNhKktg
Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jun 15 2016
ClusterFuzz has detected this issue as fixed in range 398833:398986.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6312382498603008
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  SpellCheckProvider::EnableSpellcheck
  UpdateSpellcheckEnabled::Visit
  content::RenderView::ForEach
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=398833:398986
Minimized Testcase (1.59 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95YmVeV_YrFSUmp8rlDAMa69uILgeTMv8j7mEjr7v0qG1WYbbfwEP1yPXUxK7VggYHff__p-WL_kxOhOJbGQu5iW4XI2wS-xx_7cglKklo6MHmtX0rIBwsw1NlPQQsgD4KJNropRpGh6pEh5VxkB6roNhKktg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Jun 15 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Oct 18 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, May 23 2016
Components: Tools>Test>FindIt>NoResult
Labels: -Pri-1 -Type-Bug findit-wrong Te-Logged M-50 Pri-2 Type-Bug-Regression
Owner: gab@chromium.org
Status: Assigned (was: Available)