ContainsIndex(index). Failed to find: 0 in: 0 entries in tab_strip_model.cc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5139289352699904
Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  ContainsIndex(index). Failed to find: 0 in: 0 entries in tab_strip_model.cc
  TabStripModel::GetWebContentsAtImpl
  TabStripModel::InternalCloseTabs
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=347772:348205
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94AfxqR-PlPUYGqXUQLKekT9kAJVRLWVCbT0VvYgl1NcvpflOr1HmcMiHtfXRt2RQtKVW41UdRuxbUov_uv0HOkoiY4gQ6s7wJpyAKCc9qey4Lzad1WlNDhKOBNURDL7Mq4YXf30f7ubLkcuhH3yzGVJrCDsQ?testcase_id=5139289352699904
Filer: thestig
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jul 18 2016
,
Jul 18 2016
#1 0x7feb888a6ca0 base::debug::StackTrace::StackTrace()
#2 0x7feb888ffc2b logging::LogMessage::~LogMessage()
#3 0x7feb944a76fd TabStripModel::GetWebContentsAtImpl()
#4 0x7feb944ab499 TabStripModel::InternalCloseTabs()
#5 0x7feb944ad547 TabStripModel::CloseWebContentsAt()
#6 0x7feb9481681f ChromeLauncherControllerImpl::CloseWindowedAppsFromRemovedExtension()
#7 0x7feb94815cb6 ChromeLauncherControllerImpl::OnAppUninstalledPrepared()
#8 0x7feb99deede3 extensions::ExtensionRegistry::TriggerOnUnloaded()
#9 0x7feb9928d1da ExtensionService::NotifyExtensionUnloaded()
#10 0x7feb99294140 ExtensionService::UnloadExtension()
#11 0x7feb99289062 ExtensionService::UninstallExtension()
#12 0x7feb99b7320a extensions::ManagementUninstallFunctionBase::UninstallExtension()
#13 0x7feb88aabcf8 base::debug::TaskAnnotator::RunTask()
,
Jul 18 2016
TabStripModel::CloseWebContentsAt is getting called with a bogus index number. ChromeLauncherControllerImpl::CloseWindowedAppsFromRemovedExtension has a call to that with index 0, which is weird, because that implies that the browser has no tabs. In any case, this isn't a tab strip issue, but rather an extensions or an Ash launcher issue. Re-assigning.
,
Jul 18 2016
This doesn't appear to necessarily be cros specific... Ben, anyone on apps have cycles to investigate this?
,
Jul 18 2016
ChromeLauncherControllerImpl in the stack is ash-specific. Looks like a race condition where Browser* outlives the app's content.
,
Jul 19 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b71bcd50ab29a5aaab734e151740845f8ef3753b

commit b71bcd50ab29a5aaab734e151740845f8ef3753b
Author: xiyuan <xiyuan@chromium.org>
Date: Tue Jul 19 00:00:24 2016

ash: CloseWindowedAppsFromRemovedExtension skips empty browser

Fix the crash on attempting to close an empty browser that is caused by a racing when the test extension closes its window and uninstalls itself at the same time.

BUG= 628871
TEST=meacer_extension_apis passes.

Review-Url: https://codereview.chromium.org/2163443003
Cr-Commit-Position: refs/heads/master@{#406157}

[modify] https://crrev.com/b71bcd50ab29a5aaab734e151740845f8ef3753b/chrome/browser/ui/ash/launcher/chrome_launcher_controller_impl.cc
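The guard named in the commit title ("skips empty browser"), sketched as an added example; this is not the Chromium change itself. `TabStrip`, `Browser`, `MakeSample` and the `Close*` functions are hypothetical stand-ins, and the index check throws rather than aborting so the failure can be observed.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>

// Simplified stand-in for a tab strip model (hypothetical, not Chromium code).
class TabStrip {
 public:
  void Append(const std::string& title) { tabs_.push_back(title); }
  bool empty() const { return tabs_.empty(); }
  bool ContainsIndex(std::size_t i) const { return i < tabs_.size(); }
  // Plays the role of the failing CHECK; throws so the caller can observe it.
  void CloseAt(std::size_t i) {
    if (!ContainsIndex(i)) throw std::out_of_range("ContainsIndex(index)");
    tabs_.erase(tabs_.begin() + static_cast<std::ptrdiff_t>(i));
  }
 private:
  std::vector<std::string> tabs_;
};

struct Browser { std::string app_id; TabStrip tabs; };

// Constructed sample: one "ext" browser has already lost its only tab.
std::vector<Browser> MakeSample() {
  std::vector<Browser> b(3);
  b[0].app_id = "ext";   b[0].tabs.Append("app window");
  b[1].app_id = "ext";   // empty: window closed while uninstall is running
  b[2].app_id = "other"; b[2].tabs.Append("unrelated");
  return b;
}

// Before: assumes every matching browser still has a tab at index 0.
std::size_t CloseUnguarded(std::vector<Browser>& bs, const std::string& id) {
  std::size_t closed = 0;
  for (auto& b : bs)
    if (b.app_id == id) { b.tabs.CloseAt(0); ++closed; }
  return closed;
}

// After: browsers that are already empty are skipped before indexing.
std::size_t CloseGuarded(std::vector<Browser>& bs, const std::string& id) {
  std::size_t closed = 0;
  for (auto& b : bs) {
    if (b.app_id != id || b.tabs.empty()) continue;
    b.tabs.CloseAt(0); ++closed;
  }
  return closed;
}
```

On the constructed sample, `CloseUnguarded` reaches the empty browser and trips the index check, while `CloseGuarded` closes the one live app window and leaves the unrelated browser alone.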
,
Jul 19 2016
,
Jul 20 2016
ClusterFuzz has detected this issue as fixed in range 406033:406232.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5139289352699904
Fuzzer: meacer_extension_apis
Job Type: linux_asan_chrome_chromeos
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  ContainsIndex(index). Failed to find: 0 in: 0 entries in tab_strip_model.cc
  TabStripModel::GetWebContentsAtImpl
  TabStripModel::InternalCloseTabs
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=347772:348205
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=406033:406232
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94AfxqR-PlPUYGqXUQLKekT9kAJVRLWVCbT0VvYgl1NcvpflOr1HmcMiHtfXRt2RQtKVW41UdRuxbUov_uv0HOkoiY4gQ6s7wJpyAKCc9qey4Lzad1WlNDhKOBNURDL7Mq4YXf30f7ubLkcuhH3yzGVJrCDsQ?testcase_id=5139289352699904

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by thestig@chromium.org, Jul 16 2016
Components: UI>Browser>TabStrip