
Issue 632608 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Crash in net::HttpProxyClientSocket::DoDrainBody

Project Member Reported by ClusterFuzz, Jul 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6414545329586176

Fuzzer: libfuzzer_net_http_proxy_client_socket_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000275a
Crash State:
  net::HttpProxyClientSocket::DoDrainBody
  net::HttpProxyClientSocket::DoLoop
  net::HttpProxyClientSocket::RestartWithAuth
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408389:408457

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94BgCeTq1vcfqOGtSGMyISCkFgp8nTU9tBvcaWWSbIVXPBSXxLQBXXJAToq-RSRWPxpRaVQOHMfYC-SRkqP1xRdtzUhEZONN7VxndXGTrXbt3-LtoxmbpzOlrMv73MdJogBIdpkNxT_upPOekPSmPLlS-l-zg?testcase_id=6414545329586176
HTTP/5.0 407
Proxy-Authenticate:Basic
Content-Length:3

P=^:


Filer: rnimmagadda

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
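The crash state above sits in the body-draining step of the proxy-auth path: the fuzzer hands the socket a 407 response carrying a Basic challenge and a short body, and the client has to consume that body before it can reuse the connection to retry with credentials. The block below is an added example, not code from the Chromium tree or from this report: it models that step in the shape of a libFuzzer target, parses the minimized testcase, and drains exactly Content-Length bytes. The testcase bytes are assumed to use LF line endings with no trailing newline (that form is 60 bytes, consistent with the reported 0.06 Kb); the type and function names are illustrative and are not Chromium's. Note the edge case the testcase itself contains: the body is 4 bytes but Content-Length says 3, so one byte must be left untouched rather than swallowed as part of the 407.

```cpp
// Added example (not Chromium code): a small model of the proxy-auth response
// handling this fuzzer target exercises, in the shape of a libFuzzer harness.
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>

// Outcome of processing one proxy response. Illustrative type, not Chromium's.
struct ProxyAuthResult {
  int status_code = 0;            // 0 when the status line could not be parsed
  bool needs_auth = false;        // status 407 Proxy Authentication Required
  bool basic_challenge = false;   // a "Proxy-Authenticate: Basic" header was seen
  bool has_content_length = false;
  size_t content_length = 0;      // declared body length
  size_t drained = 0;             // body bytes actually consumed from the buffer
  bool drain_complete = false;    // full declared body consumed: socket may be reused
  std::string leftover;           // bytes beyond the declared body; not part of this response
};

static std::string StripCR(const std::string& s) {
  std::string out;
  out.reserve(s.size());
  for (char c : s) if (c != '\r') out += c;
  return out;
}

static std::string Lower(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

static std::string Trim(const std::string& s) {
  size_t b = s.find_first_not_of(" \t");
  if (b == std::string::npos) return "";
  size_t e = s.find_last_not_of(" \t");
  return s.substr(b, e - b + 1);
}

// Parse an HTTP response and, for a 407, drain exactly Content-Length body bytes.
ProxyAuthResult HandleProxyResponse(const std::string& input) {
  ProxyAuthResult r;
  const std::string raw = StripCR(input);  // accept CRLF and bare-LF alike
  const size_t npos = std::string::npos;

  size_t hdr_end = raw.find("\n\n");
  std::string headers = hdr_end == npos ? raw : raw.substr(0, hdr_end);
  std::string body = hdr_end == npos ? std::string() : raw.substr(hdr_end + 2);

  // Status line "HTTP/<major>.<minor> <code>". Only the three-digit code is used;
  // the testcase's "HTTP/5.0" is a reminder that a fuzzer supplies versions no RFC defines.
  size_t line_end = headers.find('\n');
  std::string status_line = headers.substr(0, line_end);
  size_t sp = status_line.find(' ');
  if (status_line.compare(0, 5, "HTTP/") == 0 && sp != npos && status_line.size() >= sp + 4) {
    int code = 0;
    bool digits = true;
    for (size_t i = sp + 1; i < sp + 4; ++i) {
      if (!std::isdigit(static_cast<unsigned char>(status_line[i]))) { digits = false; break; }
      code = code * 10 + (status_line[i] - '0');
    }
    if (digits) r.status_code = code;
  }
  r.needs_auth = (r.status_code == 407);

  // Header fields split at the first ':'. Names are case-insensitive and the value
  // is trimmed, since the testcase has no space after the colon.
  size_t pos = line_end == npos ? headers.size() : line_end + 1;
  while (pos < headers.size()) {
    size_t nl = headers.find('\n', pos);
    std::string line = headers.substr(pos, nl == npos ? npos : nl - pos);
    pos = nl == npos ? headers.size() : nl + 1;
    size_t colon = line.find(':');
    if (colon == npos) continue;
    std::string name = Lower(Trim(line.substr(0, colon)));
    std::string value = Trim(line.substr(colon + 1));
    if (name == "proxy-authenticate" && Lower(value).compare(0, 5, "basic") == 0) {
      r.basic_challenge = true;
    } else if (name == "content-length") {
      // Digits only, and at most 9 of them so the accumulation cannot overflow size_t.
      if (!value.empty() && value.size() <= 9 && value.find_first_not_of("0123456789") == npos) {
        r.has_content_length = true;
        r.content_length = 0;
        for (char c : value) r.content_length = r.content_length * 10 + (c - '0');
      }
    }
  }

  // Drain step. Before the connection can be reused to resend the request with
  // credentials, the 407's body has to be consumed: exactly Content-Length bytes.
  // Without a Content-Length there is no framing to drain by, so the socket is not
  // reusable (drain_complete stays false). Bytes past the declared length are left
  // alone; they are not part of this response.
  if (r.needs_auth && r.has_content_length) {
    r.drained = std::min(body.size(), r.content_length);
    r.drain_complete = (r.drained == r.content_length);
    r.leftover = body.substr(r.drained);
  }
  return r;
}

// libFuzzer entry point shape. Chromium's real target drives HttpProxyClientSocket
// with these bytes as the proxy's response; here they feed the model above.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  HandleProxyResponse(std::string(reinterpret_cast<const char*>(data), size));
  return 0;
}

// The minimized testcase from the report, assuming LF line endings and no trailing
// newline (60 bytes, consistent with the reported 0.06 Kb).
const std::string kMinimizedTestcase =
    "HTTP/5.0 407\n"
    "Proxy-Authenticate:Basic\n"
    "Content-Length:3\n"
    "\n"
    "P=^:";
```

Running the model over the testcase gives status 407, a Basic challenge, three drained bytes with the fourth (":") left over, which is the state a drain-body step has to be correct in: consuming the declared body and nothing more. A truncated body (fewer bytes than Content-Length) leaves drain_complete false, and a 407 without Content-Length is not drainable at all, which is why real clients close the connection in that case instead of reusing it.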
 
Cc: mmenke@chromium.org
Components: Internals>Network>Proxy, Tools>Test>FindIt>CorrectResult
Labels: -Pri-1 -Type-Bug M-54 Findit-for-crash Te-Logged Pri-2 Type-Bug-Regression
Owner: e...@chromium.org
Status: Assigned (was: Untriaged)
Suspecting Below:

Author: erg@google.com
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/be1a48bcd64ea75939f38a9ab264ee99214313bb
Time: Thu Jan 20 00:12:13 2011
The CL last changed line 74 of file http_proxy_client_socket.cc, which is stack frame 5.

Author: mmenke
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8e9314bcf382b9df7caa3ab331e1b0090c27b62f
Time: Fri Apr 15 21:45:02 2016
The CL last changed line 78 of file http_proxy_client_socket_fuzzer.cc, which is stack frame 6.

@erg/mmenke: Could you please look into this issue.

Thank you.

Comment 2 by mmenke@chromium.org, Jul 29 2016

Cc: -mmenke@chromium.org e...@chromium.org
Owner: mmenke@chromium.org
Don't think erg even still works on Chromium.

Comment 3 by mmenke@chromium.org, Jul 29 2016

Turns out this is just a test-only issue, not a real bug in production.  Enabling DCHECKs on the fuzzer bots presumably unearthed it.

Comment 4 by mmenke@chromium.org, Jul 29 2016

Status: Fixed (was: Assigned)
Comment 5 by bugdroid1@chromium.org (Project Member), Jul 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/893b812617b63d2b71e38bf2a504d2c5d4657c23

commit 893b812617b63d2b71e38bf2a504d2c5d4657c23
Author: mmenke <mmenke@chromium.org>
Date: Fri Jul 29 17:12:24 2016

Remove a DCHECK on ClientSocketHandle state from proxy code.

This was causing issues for one of our fuzzers.

The DCHECK made sure the ClientSocketHandle was initialized, which was
not the state in tests. Normally, handles set initialized to true
when they are assigned a socket, and the connection callback is invoked.
When the Handle is torn down, if the Handle was initialized, the socket
is returned to the socket pool.  A lot of tests bypass all this, not
using socket pools at all, and just assigning a socket to the
SocketHandle. This results in is_connected being false, which was
triggering the DCHECK.

We could instead make sure that is_initialized is set to true in tests,
but this has minimal value - in production, it's set to true if and only
if a socket is set and the callback invoked, and set to false only when
the socket is destroyed or returned to the socket pool. If the socket is
null, we'll crash very soon with an equally useful crash stack, anyways.
In production, if the connection callback wasn't invoked, the
HttpProxyClientSocket's state machine will catch the issue, anyways.

BUG=632608

Review-Url: https://codereview.chromium.org/2192193002
Cr-Commit-Position: refs/heads/master@{#408670}

[modify] https://crrev.com/893b812617b63d2b71e38bf2a504d2c5d4657c23/net/http/http_proxy_client_socket.cc

Comment 6 by ClusterFuzz (Project Member), Jul 31 2016

ClusterFuzz has detected this issue as fixed in range 408457:408535.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6414545329586176

Fuzzer: libfuzzer_net_http_proxy_client_socket_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x03e90000275a
Crash State:
  net::HttpProxyClientSocket::DoDrainBody
  net::HttpProxyClientSocket::DoLoop
  net::HttpProxyClientSocket::RestartWithAuth
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408389:408457
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=408457:408535

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94BgCeTq1vcfqOGtSGMyISCkFgp8nTU9tBvcaWWSbIVXPBSXxLQBXXJAToq-RSRWPxpRaVQOHMfYC-SRkqP1xRdtzUhEZONN7VxndXGTrXbt3-LtoxmbpzOlrMv73MdJogBIdpkNxT_upPOekPSmPLlS-l-zg?testcase_id=6414545329586176
HTTP/5.0 407
Proxy-Authenticate:Basic
Content-Length:3

P=^:


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
