Hmmm... this could be a serious bug and could be related to  issue 619294 .

I'll take over this issue from nhiroki@.

Thank you!

ServiceWorkerProviderHost::AddMatchingRegistration() is called from...

1) ServiceWorkerRegisterJob::AddRegistrationToMatchingProviderHosts,
2) ServiceWorkerProviderHost::AddAllMatchingRegistrations(), and
3) ServiceWorkerProviderHost::AssociateRegistration()

1) and 2) make sure the scope matching before calling AddMatchingRegistration(), so the precondition seems to be broken somewhere on the callpath of 3).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f6c9b6f8d1880e0746a1e7cd1712d8c541264cdd

commit f6c9b6f8d1880e0746a1e7cd1712d8c541264cdd
Author: shimazu <shimazu@chromium.org>
Date: Tue Aug 09 11:09:08 2016

ServiceWorker: DCHECK is changed to CHECK to track the failure

This patch is to figure the cause of failure out by the crash dashboard.

BUG= 634222 

Review-Url: https://codereview.chromium.org/2223413002
Cr-Commit-Position: refs/heads/master@{#410630}

[modify] https://crrev.com/f6c9b6f8d1880e0746a1e7cd1712d8c541264cdd/content/browser/service_worker/service_worker_provider_host.cc

Issue 636374 has been merged into this issue.

Crash report says the crash is caused by ClaimClients; 

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20product.version%3D%2754.0.2825.0%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration%27%20OMIT%20RECORD%20IF%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.SourceFileName%3D%27c%3A%5C%5Cb%5C%5Cbuild%5C%5Cslave%5C%5Cwin64-pgo%5C%5Cbuild%5C%5Csrc%5C%5Ccontent%5C%5Cbrowser%5C%5Cservice_worker%5C%5Cservice_worker_provider_host.cc%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerRegistration%3A%3AClaimClients()%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerRegistration%3A%3AClaimClients()%27)%20%3D%200&ignore_case=false&enable_rewrite=false&omit_field_name=&omit_field_value=&omit_field_opt=&stbtiq=&reportid=&index=0#0

Users experienced this crash on the following builds:

Win Canary 54.0.2825.0 -  5.57 CPM, 59 reports, 53 clients (signature content::ServiceWorkerProviderHost::AddMatchingRegistration)
Mac Canary 54.0.2825.0 -  4.58 CPM, 16 reports, 15 clients (signature content::ServiceWorkerProviderHost::AddMatchingRegistration)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This crash has high impact on Chrome's stability.
Signature: content::ServiceWorkerProviderHost::AddMatchingRegistration.
Channel: canary. Platform: win.
Labeling  issue 634222  with ReleaseBlock-Dev.


If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This crash happens around [1]. I investigate around there.

1) [1] is called in ServiceWorkerProviderHost::ClaimedByRegistration ([2] SWRegistration.cc, l.207) This means host->MatchRegistration() is equal to 'this'.
2) [1] is executed in ClaimedByRegistration ([3]: SWProviderHost.cc, l.431) This means registration (which is 'this') is different from |associated_registration_| in the ServiceWorkerProviderHost. If my understanding is correct, this is the case when SWProviderHost::DisassociateRegistration() is called but SWProviderHost::AssociateRegistration is not called. 
3) In this situation, registration.pattern() and document_url doesn't match, then CHECK makes crash.

I'm still not sure why document_url_ and registration.pattern doesn't match, but as ukai-san says 'so prompt ServiceLogin page', I suspect that a combination of claim and redirection causes the error.
ex) redirect from another page (in scope of another serviceworker?) -> install and claim() though the provider has the previous information
but actually this doesn't happen because PrepareForMainResource after redirect set the correct information...

[1]: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20product.version%3E%3D%2754.0%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration%27%20AND%20crash.Reason%3D%27EXCEPTION_ACCESS_VIOLATION_WRITE%27%20AND%20clientid%3D%27b0f72531-7898-4dc1-baf2-7e662de5aab7%27%20OMIT%20RECORD%20IF%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.SourceFileName%3D%27c%3A%5C%5Cb%5C%5Cbuild%5C%5Cslave%5C%5Cwin64-pgo%5C%5Cbuild%5C%5Csrc%5C%5Ccontent%5C%5Cbrowser%5C%5Cservice_worker%5C%5Cservice_worker_provider_host.cc%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerRegistration%3A%3AClaimClients()%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerRegistration%3A%3AClaimClients()%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerVersion%3A%3AOnClaimClients(int)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200%20OR%20SUM(CrashedStackTrace.StackFrame.FunctionName%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration(content%3A%3AServiceWorkerRegistration%20*)%27)%20%3D%200&ignore_case=false&enable_rewrite=false&omit_field_name=&omit_field_value=&omit_field_opt=&stbtiq=&reportid=f8a96c4100000000&index=0#4

[2]:
https://cs.chromium.org/chromium/src/content/browser/service_worker/service_worker_provider_host.cc?q=ClaimedByRegistration&sq=package:chromium&l=423&dr=CSs

[3]: https://cs.chromium.org/chromium/src/content/browser/service_worker/service_worker_provider_host.cc?q=ClaimedByRegistration&sq=package:chromium&dr=CSs&l=431

I'm trying to add similar debugging keys to  Issue 619294 . 

Talking with nhiroki@, this crash might be related to  Issue 619294 :
 1. claim() is called, but previously it's not crashed when registration.pattern() != document_url_.
 2. After claim is done, unregister is executed and fails on OnUnregisterServiceWorker.

A merged bug affects OS-Android so adding it here.

I'm creating a new layout test: https://crrev.com/2245063003

This problem hasn't been reproduced yet. (update process doesn't seem to happen?)
I'll update the test tomorrow. 

Link to Builds on which the crash is seen:

54.0.2830.0	1.33%	11	
54.0.2829.1	1.09%	9	
54.0.2829.0	22.68%	188	
54.0.2828.0	9.89%	82	
54.0.2827.0	16.41%	136	
54.0.2826.1	1.21%	10	
54.0.2826.0	18.94%	157	
54.0.2825.0	22.44%	186	

M54 regression issue started in 54.0.2825.0

Going with RB-Dev as this is introduced after last week's Dev release [54.0.2824.0]

shimazu@, please have the fix ready by Wednesday 5 PM PST as this is blocking Dev's release which got re-scheduled to this Thursday [8/18].

Link to Builds on which this crash is seen:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D

This problem could be reproduced by https://crrev.com/2245063003 . (updated the test)

The scenario was:

1. Access to a in-scope page
2. A registered service worker gets started, and return a redirect response
3. Redirect to out-of-scope page
4. New service worker is installed by update procedure, and it calls skipWaiting and claim
5. On claiming, the origin of the registration is the same with the in-scope page accessed at step 1, but provide_host has a document_url set at step 3 (out-of-scope page), so ScopeMatch fails

To fix them, we have to clear the state of a provider_host when redirecting. This might be similar to SWRequestHandler::PrepareForCrossSiteTransfer[1]. I'll investigate the procedure more.

[1]: https://cs.chromium.org/chromium/src/content/browser/service_worker/service_worker_request_handler.cc?sq=package:chromium&rcl=1471375518&l=159

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8ec4b9245178dfe3761af5fd09da53488d46f356

commit 8ec4b9245178dfe3761af5fd09da53488d46f356
Author: shimazu <shimazu@chromium.org>
Date: Wed Aug 17 04:07:17 2016

ServiceWorker: Restore CHECK to DCHECK

Enough information has been gathered for debugging, so it's restored.

BUG= 634222 
R=nhiroki

Review-Url: https://codereview.chromium.org/2256513003
Cr-Commit-Position: refs/heads/master@{#412446}

[modify] https://crrev.com/8ec4b9245178dfe3761af5fd09da53488d46f356/content/browser/service_worker/service_worker_provider_host.cc

I'm now checking if |matching_registrations_| is correctly stored.
I was guessing it contained all live registrations whose scopes are matching with the document_url, but it had only one matching registration though I registered three registrations whose scopes were like 'scope', 'scope1', 'scope12'. 

Hense, I'm now suspecting this mechanism might be broken. I'll consider about the structure tmrw.

Since the CHECK has been converted back to a DCHECK I don't think this needs to block dev anymore.  Next time you'd like to enable a CHECK, if you could ping someone from the release team (myself, bustamante@) to coordinate (to avoid landing right before a dev push or a branch or something) it would be appreciated.

Issue 639443 has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/90ac0459a2f02d2eaae991314f9b540f9fa97f4a

commit 90ac0459a2f02d2eaae991314f9b540f9fa97f4a
Author: shimazu <shimazu@chromium.org>
Date: Tue Aug 23 07:03:39 2016

ServiceWorker: Call SyncMatchingRegistration when document_url is changed

For details:  https://crbug.com/634222 

BUG= 634222 , 619294 , 454250 

Review-Url: https://codereview.chromium.org/2245063003
Cr-Commit-Position: refs/heads/master@{#413682}

[modify] https://crrev.com/90ac0459a2f02d2eaae991314f9b540f9fa97f4a/content/browser/service_worker/service_worker_provider_host.cc
[modify] https://crrev.com/90ac0459a2f02d2eaae991314f9b540f9fa97f4a/content/browser/service_worker/service_worker_provider_host.h
[modify] https://crrev.com/90ac0459a2f02d2eaae991314f9b540f9fa97f4a/content/browser/service_worker/service_worker_provider_host_unittest.cc
[modify] https://crrev.com/90ac0459a2f02d2eaae991314f9b540f9fa97f4a/content/browser/service_worker/service_worker_request_handler.cc
[add] https://crrev.com/90ac0459a2f02d2eaae991314f9b540f9fa97f4a/third_party/WebKit/LayoutTests/http/tests/serviceworker/claim-with-redirect.html
[add] https://crrev.com/90ac0459a2f02d2eaae991314f9b540f9fa97f4a/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/claim-with-redirect-iframe.html
[add] https://crrev.com/90ac0459a2f02d2eaae991314f9b540f9fa97f4a/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/update-claim-worker.php

 Issue 619294  has been merged into this issue.

As the following dashboard shows, no SW-related crash happened after my patch has been landed (after 54.0.2838)! :)

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20SUBSTR(product.Version%2C%206%2C%204)%20%3E%3D%20%272838%27%20AND%20(custom_data.ChromeCrashProto.magic_signature_1.file_path%20CONTAINS%20%27serviceworker%27%20OR%20custom_data.ChromeCrashProto.magic_signature_1.file_path%20CONTAINS%20%27service_worker%27)&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=

This fix improves SW stability; this patch will solve the second crasher at the following dashboard.
I'd like to merge this into M53 (beta).

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20SUBSTR(product.Version%2C%201%2C%202)%20%3E%3D%20%2752%27%20AND%20(custom_data.ChromeCrashProto.magic_signature_1.file_path%20CONTAINS%20%27serviceworker%27%20OR%20custom_data.ChromeCrashProto.magic_signature_1.file_path%20CONTAINS%20%27service_worker%27)&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=

[Automated comment] Less than 2 weeks to go before stable on M53, manual review required.

I'd like to merge it into stable because this will solve a big crash cause:  Issue 619294 .
For my four days observation, this won't have any regression, and this will not cause other regression I think, but actually I want to have a bit more time to merge to be sure this definitely doesn't have no regression.

Ok, sounds good. It will miss First Desktop Stable candidate cut. We can pick it up for next Stable cut if all looks good. Thank you.

We're cutting our Chrome for Android stable candidate tomorrow night; if you want this change included, please merge - approved for branch 2785.

I chatted with govind@ yesterday and decided to wait for the next Dev (will be released today?) which includes my fix. After that, I'll observe the crash dashboard until this Thursday JST to confirm it won't cause any other regression. 
Could you approve again after my report of the observation?

+ amineer@, PTAL comment #29 please.

No reason not to just leave the approval, please remove it if you find crashes, otherwise merge if no crashes.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/afb2f14ceb5456b460770434f19ea690430b8a68

commit afb2f14ceb5456b460770434f19ea690430b8a68
Author: shimazu <shimazu@chromium.org>
Date: Thu Sep 01 02:39:26 2016

ServiceWorker: Enable CHECK to confirm crash doesn't happen

This patch is to confirm crashes are gone.

BUG= 634222 

Review-Url: https://codereview.chromium.org/2288613002
Cr-Commit-Position: refs/heads/master@{#415859}

[modify] https://crrev.com/afb2f14ceb5456b460770434f19ea690430b8a68/content/browser/service_worker/service_worker_provider_host.cc

Users experienced this crash on the following builds:

Android Beta 53.0.2785.80 -  0.51 CPM, 49 reports, 49 clients (signature [Renderer kill 54] content::ServiceWorkerDispatcherHost::OnUnregisterServiceWorker)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

I could confirm the patch didn't break anything and solved the problems, so I'm trying to merge. 
I'm requesting a credential of chromium-commiters group for gerrit:  Issue 643502 .
Just a moment...

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7bf12b246a2546fe2b9386df0f7893617a0eb64f

commit 7bf12b246a2546fe2b9386df0f7893617a0eb64f
Author: Matt Falkenhagen <falken@chromium.org>
Date: Fri Sep 02 05:28:34 2016

[M53] ServiceWorker: Call SyncMatchingRegistration when document_url is changed

Committing on behalf of shimazu@.

For details:  https://crbug.com/634222 

BUG= 634222 , 619294 , 454250 

Review-Url: https://codereview.chromium.org/2245063003
Cr-Commit-Position: refs/heads/master@{#413682}
(cherry picked from commit 90ac0459a2f02d2eaae991314f9b540f9fa97f4a)

Review URL: https://codereview.chromium.org/2300293002 .

Cr-Commit-Position: refs/branch-heads/2785@{#809}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[modify] https://crrev.com/7bf12b246a2546fe2b9386df0f7893617a0eb64f/content/browser/service_worker/service_worker_provider_host.cc
[modify] https://crrev.com/7bf12b246a2546fe2b9386df0f7893617a0eb64f/content/browser/service_worker/service_worker_provider_host.h
[modify] https://crrev.com/7bf12b246a2546fe2b9386df0f7893617a0eb64f/content/browser/service_worker/service_worker_provider_host_unittest.cc
[modify] https://crrev.com/7bf12b246a2546fe2b9386df0f7893617a0eb64f/content/browser/service_worker/service_worker_request_handler.cc
[add] https://crrev.com/7bf12b246a2546fe2b9386df0f7893617a0eb64f/third_party/WebKit/LayoutTests/http/tests/serviceworker/claim-with-redirect.html
[add] https://crrev.com/7bf12b246a2546fe2b9386df0f7893617a0eb64f/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/claim-with-redirect-iframe.html
[add] https://crrev.com/7bf12b246a2546fe2b9386df0f7893617a0eb64f/third_party/WebKit/LayoutTests/http/tests/serviceworker/resources/update-claim-worker.php

CHECK doesn't cause errors after my patch is landed (54.0.2838).

https://crash.corp.google.com/dremel_query_ui?q=select%0A%20REPLACE(product.Version%2C%20%27.0.%27%2C%20%27.%27)%20as%20v%2C%20count(product.Version)%20as%20c%0Afrom%0A%20crash.prod.latest%0Awhere%0A%20%20product.name%20CONTAINS%20%27Chrome%27%0A%20%20AND%20REGEXP(product.Version%2C%20r%27%5E%5Cd%7B2%7D(%5C.0)%3F%5C.%5Cd%7B4%7D%27)%0A%20%20AND%20(REPLACE(product.Version%2C%20%27.0.%27%2C%20%27.%27)%20%3E%3D%20%27xx.yyyy%27%20OR%20SUBSTR(product.Version%2C%201%2C%202)%20%3E%3D%20%2754%27)%0A%20%20AND%20(custom_data.ChromeCrashProto.magic_signature_1.file_path%20CONTAINS%20%27serviceworker%27%20OR%20custom_data.ChromeCrashProto.magic_signature_1.file_path%20CONTAINS%20%27service_worker%27)%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration%27%0Agroup%20by%0A%20%20v%0Aorder%20by%0A%20%20v%20desc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4b6d694efc24392d1516551abfc1098dd6d97bc8

commit 4b6d694efc24392d1516551abfc1098dd6d97bc8
Author: shimazu <shimazu@chromium.org>
Date: Mon Sep 05 07:20:45 2016

ServiceWorker: Disable CHECK for debug

Removes temporary CHECK added at https://crrev.com/2288613002

BUG= 634222 

Review-Url: https://codereview.chromium.org/2313543002
Cr-Commit-Position: refs/heads/master@{#416512}

[modify] https://crrev.com/4b6d694efc24392d1516551abfc1098dd6d97bc8/content/browser/service_worker/service_worker_provider_host.cc

This crash no more seen after chrome version 54.0.2831.0 and not seen in any of the M53 builds.

54.0.2831.0	19.56%	283	
54.0.2830.1	1.80%	26	
54.0.2830.0	14.03%	203	
54.0.2829.2	0.28%	4	
54.0.2829.1	0.83%	12	
54.0.2829.0	17.62%	255	
54.0.2828.1	0.41%	6	
54.0.2828.0	6.36%	92	
54.0.2827.1	0.35%	5	
54.0.2827.0	10.44%	151	
54.0.2826.1	0.83%	12	
54.0.2826.0	12.02%	174	
54.0.2825.1	0.35%	5	
54.0.2825.0	13.68%	198	
52.0.2743.116	0.21%	3	
51.0.2704.103	0.07%	1	
51.0.2704.84	0.07%	1	
51.0.2704.79	0.07%	1	
50.0.2661.102	0.83%	12	
49.0.2623.112	0.21%	3	

Link to the builds:
https://crash.corp.google.com/browse?q=product.name%3D%27Chrome%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27browser%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27content%3A%3AServiceWorkerProviderHost%3A%3AAddMatchingRegistration%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000

Hence adding TE-Verified labels

NOTE : Will be monitoring the fix in chrome version 53.0.2785.101 for some more time and accordingly add TE-Verified-M53 label.