
Issue 627392


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression




Crash in content::GpuBenchmarking::GetGpuDriverBugWorkarounds

Project Member Reported by ClusterFuzz, Jul 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5030562809249792

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  content::GpuBenchmarking::GetGpuDriverBugWorkarounds
  base::internal::Invoker<base::internal::BindState<void
  gin::internal::Dispatcher<void __cdecl
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=404473:404552

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94exufAygz9mJjzgPvQW9TqfXJbLnLrb7RXeYWvyOOtGlHsaJPrHfXKKgCTjy3r5YLPBoyzWaqfrDnT7nmgLiEjpW7YGFsgVPsIXquBjtvlzBY63DhwpJEcQuh0cxMGyWTWmJTIWv9TyQaMz10k2P5o2jtfTK5DEFg89a3d4McYATM4kVY?testcase_id=5030562809249792


Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Jul 12 2016

Cc: kbr@chromium.org ajha@chromium.org tzik@chromium.org
Components: Internals>Core
Labels: -Type-Bug M-54 findit-for-crash Te-Logged Type-Bug-Regression
Owner: j.iso...@samsung.com
Status: Assigned (was: Available)
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: j.isorce
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ff4a814529b414738c2f10ed0e57f021bc3d78a6
Time: Wed Apr 06 08:56:40 2016
The CL last changed line 958 of file gpu_benchmarking_extension.cc, which is stack frame 0.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/99de02ba952b0a69291f81c5b8ca14d81cc1f74f
Time: Fri Jul 01 05:54:12 2016
The CL last changed line 214 of file bind_internal.h, which is stack frame 1.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/99de02ba952b0a69291f81c5b8ca14d81cc1f74f
Time: Fri Jul 01 05:54:12 2016
The CL last changed line 283 of file bind_internal.h, which is stack frame 2.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/ee2487294417a82adfc854aa680c7765eef7494e
Time: Wed Jun 01 08:22:51 2016
The CL last changed line 346 of file bind_internal.h, which is stack frame 3.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/caf1d84bb83aaf5369eb508027a685e2bf9859b4
Time: Tue Jun 28 12:22:21 2016
The CL last changed line 328 of file bind_internal.h, which is stack frame 4.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/77d41139d261342a429d2775c59d8e8a386d4c81
Time: Wed Mar 09 09:47:03 2016
The CL last changed line 389 of file callback.h, which is stack frame 5.

Author: kolczyk
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/735c49b6ad67166ccbcc8e3717681bb560fbf1cf
Time: Fri Oct 24 13:06:04 2014
The CL last changed line 183 of file function_template.h, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Internals>Core

Julien@/tzik@: Could you please take a look at this and help in investigating this further?

Thank you!

I made a quick fix for the only problem I could see: https://codereview.chromium.org/2143913002/
(I think it cannot be a threading problem, since GpuChannelHost::Send() can use a sync_filter_.)

Is it possible with cluster-fuzz to try the minimal test case with that CL? I do not have permissions to explore it.

Comment 3 by kbr@chromium.org, Jul 13 2016

It seems unlikely to me that this stack trace is accurate. There is only one call to GpuBenchmarking::Install in the entire code base:

https://cs.chromium.org/chromium/src/content/renderer/render_frame_impl.cc?sq=package:chromium&dr=C&rcl=1468423091&l=3495

Without that extension installed, it's not possible to call any of the methods on GpuBenchmarking. I don't see these flags being installed in the run of content_shell. Could someone please verify that this bug is real?

Comment 4 by bugdroid1@chromium.org (Project Member), Jul 13 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9c74d43d235e97058f6327ffa292098b64f07036

commit 9c74d43d235e97058f6327ffa292098b64f07036
Author: j.isorce <j.isorce@samsung.com>
Date: Wed Jul 13 20:40:58 2016

Check for GpuChannelHost nullity in GetGpuDriverBugWorkarounds

BUG= 627392 

R=kbr@chromium.org

Review-Url: https://codereview.chromium.org/2143913002
Cr-Commit-Position: refs/heads/master@{#405282}

[modify] https://crrev.com/9c74d43d235e97058f6327ffa292098b64f07036/content/renderer/gpu/gpu_benchmarking_extension.cc

Comment 5 by ClusterFuzz (Project Member), Jul 14 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6184833391001600

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  content::GpuBenchmarking::GetGpuDriverBugWorkarounds
  gin::internal::Dispatcher<void
  v8::internal::FunctionCallbackArguments::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=404631:404813

Minimized Testcase (3.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94foxr9JmTiPGIk-YX7ph6t_DgmiwXl3cu8Wj-u9LmDzUeEJxT97adSye_J_j4ssOjhZfSwhes7zcKxLfqb7GcN0sx3I3eUK62rfFRelqelp8TyNUOk8BbltWxca2rAR7G_h0KiXFTAYR_JHuBkGwMOAlqxSg?testcase_id=6184833391001600

Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 6 by ClusterFuzz (Project Member), Jul 15 2016

ClusterFuzz has detected this issue as fixed in range 405185:405467.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6184833391001600

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  content::GpuBenchmarking::GetGpuDriverBugWorkarounds
  gin::internal::Dispatcher<void
  v8::internal::FunctionCallbackArguments::Call
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=404631:404813
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=405185:405467

Minimized Testcase (3.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94foxr9JmTiPGIk-YX7ph6t_DgmiwXl3cu8Wj-u9LmDzUeEJxT97adSye_J_j4ssOjhZfSwhes7zcKxLfqb7GcN0sx3I3eUK62rfFRelqelp8TyNUOk8BbltWxca2rAR7G_h0KiXFTAYR_JHuBkGwMOAlqxSg?testcase_id=6184833391001600

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Labels: -ClusterFuzz -findit-for-crash Clusterfuzz Findit-for-crash
Status: Fixed (was: Assigned)

> ClusterFuzz has detected this issue as fixed in range 405185:405467.

So I am marking this issue as Fixed.

Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
