Crash in blink::WebViewImpl::dragTargetDragOver
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5152501779398656
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseUp
  test_runner::EventSender::PointerUp
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tqoUsMJLgKCpMd81eJYHGA-QcZEpl4h71EyRHNxPPj0VbxRn65pFSP1bYc8Bn27zGCUdZYV_qn9WDKzk-MGc3d6IY1kAnTooSXrkowfUeIQZO-qiWdCV5lceJo2BatOExCZ0oMGMwsd4jGQnC-ir3PTMddQ?testcase_id=5152501779398656
Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 12 2016
Definitely not my patch but we're unlikely to find a culprit CL at this point. Mustaq, could you triage? It looks like we hit some drag and drop code without initializing drag data.

Jul 12 2016
Could be a crack in EventSender drag-drop states. Looking into it now.

Jul 12 2016
Confirmed that it's a WebViewImpl drag-drop issue (not an EventSender drag-drop issue as I initially suspected). The DCHECK at the beginning of WebViewImpl::dragTargetDragEnterOrOver is failing: DCHECK(m_currentDragData) https://cs.chromium.org/chromium/src/third_party/WebKit/Source/web/WebViewImpl.cpp?rcl=1468322258&l=3754 The code seems to expect a drag-enter before a drag-over, which is not happening. I am not familiar with drag-drop code so can't comment further. I am attaching a minimal html (edited from the fuzz html) which fails locally when run with --run-layout-test. Note that the crash happens regardless of whether PointerEvent is enabled or not.

Jul 12 2016
hush@, any chance you can take a look? I picked you because you recently changed drag-drop code (crrev.com/1723763002), so could even point us to a drag-drop expert.

Jul 13 2016
Yeah, this seems like an event_sender function reentry bug.

Jul 13 2016
Hello Mustaq, I am working on drag and drop on Android, where it is possible for the OS to send 2 consecutive DragEnter events. I'm considering removing this DCHECK.

Jul 13 2016
Oh nevermind comment #7. It's a different bug. This issue is about getting DragOver before any DragEnter, on Linux.

Jul 13 2016
It turned out that EventSender::FinishDragAndDrop was involved in a cyclic reentry in this case (crrev.com/2148733003). Sorry for creating the confusion with my "dragover" comment.

Jul 14 2016
Here is the actual problem: I have attached a (real) minimal test html. The test uses an EventSender sequence to drag from one div to another. The sequence ends with a mouseup, but the drag target also fires a mouseup on dragend. While the first mouseup was still processing a drag-drop at EventSender::FinishDragAndDrop, the second mouseup triggered another call to EventSender::FinishDragAndDrop, causing a premature call to WebViewImpl::dragTargetDragEnterOrOver with the crash.

Jul 14 2016
Currently, there's an expectation that the embedder must call the events in the right order (the events come from the browser to the renderer, so we trust the browser to do the right thing). This is basically "WAI".

Jul 14 2016
Yes, this is WAI for browser/renderer. We guaranteed the order through a fix in EventSender (crrev.com/2148733003), will close the bug after the CL lands.

Jul 14 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f2d3dd78f333c287f6fcb44738bcf399b7af8515

commit f2d3dd78f333c287f6fcb44738bcf399b7af8515
Author: mustaq <mustaq@chromium.org>
Date: Thu Jul 14 17:22:06 2016

Avoided reentry to EventSender::FinishDragAndDrop.

Avoided reentry to EventSender::FinishDragAndDrop to fix a ClusterFuzz crash. The test uses an EventSender sequence to drag from one div to another. The sequence ends with a mouseup, but the drag target also fires a mouseup on dragend. While the first mouseup was still processing a drag-drop at EventSender::FinishDragAndDrop, the second mouseup triggered another call to EventSender::FinishDragAndDrop, causing a premature call to WebViewImpl::dragTargetDragEnterOrOver with the crash. See the bug for a minimal test case.

BUG=627340
Review-Url: https://codereview.chromium.org/2148733003
Cr-Commit-Position: refs/heads/master@{#405510}

[modify] https://crrev.com/f2d3dd78f333c287f6fcb44738bcf399b7af8515/components/test_runner/event_sender.cc
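A constructed C++ model of the reentry described in the comments above and in the commit message, added here as an illustration and not Chromium's own code: WebViewModel, EventSenderModel, the on_dragend callback and the finishing_ guard are all assumed names, and the guard is one way to refuse the nested FinishDragAndDrop call, not necessarily what the CL did.

```cpp
#include <functional>
#include <memory>
#include <string>

// Constructed stand-in for WebViewImpl's drag target state: drag data is set
// on drag-enter and cleared on drop, so a drag-over after the drop has no data.
class WebViewModel {
 public:
  void dragTargetDragEnter(const std::string& p) { current_drag_ = std::make_unique<std::string>(p); }
  // Returns false where the real code trips DCHECK(m_currentDragData) and then
  // touches the missing drag data (the UNKNOWN WRITE in the report).
  bool dragTargetDragOver() const { return current_drag_ != nullptr; }
  void dragTargetDrop() { current_drag_.reset(); }
 private:
  std::unique_ptr<std::string> current_drag_;
};

// Constructed stand-in for test_runner::EventSender's drag bookkeeping.
class EventSenderModel {
 public:
  explicit EventSenderModel(bool guard_reentry) : guard_(guard_reentry) {}
  WebViewModel view;
  std::function<void()> on_dragend;  // the page's dragend listener (assumed hook)
  bool dragover_had_data = true;     // false once a drag-over ran without data

  void BeginDrag() { view.dragTargetDragEnter("text/plain"); dragging_ = true; }
  void PointerUp() { if (dragging_) FinishDragAndDrop(); }

  void FinishDragAndDrop() {
    if (guard_ && finishing_) return;  // hypothetical reentry guard
    finishing_ = true;
    if (!view.dragTargetDragOver()) dragover_had_data = false;
    view.dragTargetDrop();             // the drop clears the drag data...
    if (on_dragend) on_dragend();      // ...and the listener sends a second mouseup
    dragging_ = false;                 // only now is the drag marked finished
    finishing_ = false;
  }
 private:
  bool guard_; bool dragging_ = false; bool finishing_ = false;
};

// Replays the minimal test: one mouseup ends the drag while the target's dragend
// listener fires another. Returns true only if every drag-over saw drag data.
bool Simulate(bool guard_reentry) {
  EventSenderModel sender(guard_reentry);
  int dragend_count = 0;  // the listener fires mouseup once, as in the test page
  sender.on_dragend = [&] { if (dragend_count++ == 0) sender.PointerUp(); };
  sender.BeginDrag();
  sender.PointerUp();
  return sender.dragover_had_data;
}
```

Without the guard the nested call runs dragTargetDragOver after the outer call has already dropped, which is the order the DCHECK forbids; with the guard the nested mouseup is ignored and the outer call completes normally.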

Jul 15 2016
ClusterFuzz has detected this issue as fixed in range 405500:405563.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5152501779398656
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x000000000038
Crash State:
  blink::WebViewImpl::dragTargetDragOver
  test_runner::EventSender::DoDragAfterMouseUp
  test_runner::EventSender::PointerUp
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=268656:269696
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=405500:405563
Minimized Testcase (1.55 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96tqoUsMJLgKCpMd81eJYHGA-QcZEpl4h71EyRHNxPPj0VbxRn65pFSP1bYc8Bn27zGCUdZYV_qn9WDKzk-MGc3d6IY1kAnTooSXrkowfUeIQZO-qiWdCV5lceJo2BatOExCZ0oMGMwsd4jGQnC-ir3PTMddQ?testcase_id=5152501779398656

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Jul 12 2016
Components: Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged M-52
Owner: bokan@chromium.org
Status: Assigned (was: Available)