Crash in oilpan running html_preload_scanner_fuzzer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5692623044214784
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State: get current state
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=416314:416319
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv948SRGvv8KAmtNq8BGZ0X5FjHnKdu_a7PnePYyGZPY_Pdy0G8qVZ7x07h-3bC7254ZOUMlPtthgmjcHaDqIcUTVz9sjjbFaw45BCBQoHJ_Aum5PExCDcuxy-k7prUweQ2QYF_RqgG7dNTXZNDYaPSWPVYum3g?testcase_id=5692623044214784
Issue manually filed by: mmohammad

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Sep 10 2016
The bisect just points to the landing of the fuzzer; the bug is older.
Hey, look, it's MediaValues crashing in Oilpan again:
SCARINESS: 10 (null-deref)
#0 0x1178e63d0 in get third_party/WebKit/Source/wtf/ThreadSpecific.h:149:57
#1 0x1178e63d0 in operator blink::ThreadState ** third_party/WebKit/Source/wtf/ThreadSpecific.h:261
#2 0x1178e63d0 in operator* third_party/WebKit/Source/wtf/ThreadSpecific.h:281
#3 0x1178e63d0 in current third_party/WebKit/Source/platform/heap/ThreadState.h:211
#4 0x1178e63d0 in state third_party/WebKit/Source/platform/heap/ThreadState.h:713
#5 0x1178e63d0 in unsigned char* blink::ThreadHeap::allocate<blink::MediaValues>(unsigned long, bool) third_party/WebKit/Source/platform/heap/Heap.h:571
#6 0x1178e4df7 in allocateObject third_party/WebKit/Source/platform/heap/Heap.h:471:16
#7 0x1178e4df7 in operator new third_party/WebKit/Source/platform/heap/Heap.h:466
#8 0x1178e4df7 in blink::MediaValuesCached::create(blink::MediaValuesCached::MediaValuesCachedData const&) third_party/WebKit/Source/core/css/MediaValuesCached.cpp:53
#9 0x118cae748 in TokenPreloadScanner third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp:503:21
#10 0x118cae748 in TokenPreloadScanner third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp:505
#11 0x118cae748 in blink::HTMLPreloadScanner::HTMLPreloadScanner(blink::HTMLParserOptions const&, blink::KURL const&, std::__1::unique_ptr<blink::CachedDocumentParameters, std::__1::default_delete<blink::CachedDocumentParameters> >, blink::MediaValuesCached::MediaValuesCachedData const&) third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp:766
#12 0x10ec0b2fe in create third_party/WebKit/Source/core/html/parser/HTMLPreloadScanner.h:162:31
#13 0x10ec0a2a2 in LLVMFuzzerTestOneInput third_party/WebKit/Source/core/html/parser/HTMLPreloadScannerFuzzer.cpp:64:51
#14 0x10ec0b507 in LLVMFuzzerTestOneInput third_party/WebKit/Source/core/html/parser/HTMLPreloadScannerFuzzer.cpp:78:12
#15 0x10ec21c93 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:481:13
#16 0x10ec20cf1 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) third_party/libFuzzer/src/FuzzerLoop.cpp:437:3
#17 0x10ec21284 in RunOne third_party/libFuzzer/src/FuzzerInternal.h:459:39
#18 0x10ec21284 in ShuffleAndMinimize third_party/libFuzzer/src/FuzzerLoop.cpp:404
#19 0x10ec12def in FuzzerDriver third_party/libFuzzer/src/FuzzerDriver.cpp:511:5
#20 0x10ec31235 in main third_party/libFuzzer/src/FuzzerMain.cpp:21:10
#0 0x10ec09633 in html_preload_scanner_fuzzer
Sep 10 2016
Hm. Something looks wrong here. The testcase is an empty file, and the fuzzer isn't running in a multithreaded environment (usually the reason why MediaValues causes issues). I will take a look, but I suspect this might be an issue with the fuzzing environment.
Sep 12 2016
Yeah, I agree that this would be a bug in the fuzzer. It looks like HTMLPreloadScannerFuzzer is starting the fuzzer without setting up Oilpan correctly.
Sep 12 2016
Yup. Will try to figure something out. I tried to set up the environment as close to webkit_unit_tests as possible, but I could have missed something.
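The failure mode diagnosed in the comments above, as an added illustration that is not Chromium's code: a heap whose allocations go through a thread-local "current thread state" crashes with a null dereference on any thread that was never attached, and a libFuzzer harness has to do that attachment in the once-per-process LLVMFuzzerInitialize hook rather than relying on it having happened. ThreadState, heapAllocate and runScanner below are simplified stand-ins for Oilpan's ThreadState, ThreadHeap::allocate and HTMLPreloadScanner, not their real implementations; LLVMFuzzerInitialize and LLVMFuzzerTestOneInput are the real libFuzzer entry points.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Stand-in for Oilpan's per-thread ThreadState (assumption: simplified model,
// not the real class). Every heap allocation goes through current(), a
// thread-local pointer that is only non-null on threads that were attached;
// a fuzzer thread that skipped environment setup has it null, which is the
// null dereference in the stack trace above.
class ThreadState {
 public:
  static ThreadState* current() { return s_current; }

  // What test-environment setup does: attach the calling thread.
  static void attachCurrentThread() {
    if (!s_current) s_current = new ThreadState();
  }
  static void detachCurrentThread() {
    delete s_current;
    s_current = nullptr;
  }

  void* allocate(size_t bytes) {
    arenas_.push_back(std::make_unique<uint8_t[]>(bytes));
    bytesAllocated_ += bytes;
    return arenas_.back().get();
  }
  size_t bytesAllocated() const { return bytesAllocated_; }

 private:
  static thread_local ThreadState* s_current;
  std::vector<std::unique_ptr<uint8_t[]>> arenas_;
  size_t bytesAllocated_ = 0;
};
thread_local ThreadState* ThreadState::s_current = nullptr;

enum class AllocResult { kOk, kThreadNotAttached };

// Stand-in for ThreadHeap::allocate<T>(): resolve the current ThreadState and
// allocate from it. The real code dereferences current() unconditionally (the
// UNKNOWN READ at address 0 in the report); here the missing state is reported
// instead so the harness can assert on it rather than crash the process.
AllocResult heapAllocate(size_t bytes, void** out) {
  ThreadState* state = ThreadState::current();
  if (!state) {
    *out = nullptr;
    return AllocResult::kThreadNotAttached;
  }
  *out = state->allocate(bytes);
  return AllocResult::kOk;
}

// Stand-in for HTMLPreloadScanner: its constructor heap-allocates a
// MediaValuesCached object before it looks at a single byte of input, which
// is why a 0-byte testcase is enough to reach the crash.
AllocResult runScanner(const uint8_t* data, size_t size) {
  void* mediaValues = nullptr;
  AllocResult r = heapAllocate(64, &mediaValues);
  if (r != AllocResult::kOk) return r;
  (void)data;
  (void)size;  // tokenizing the input would start here
  return AllocResult::kOk;
}

// libFuzzer calls this hook once per process before any input is executed;
// per-process environment setup (here: attaching the fuzzer thread) belongs
// here, not inside LLVMFuzzerTestOneInput.
extern "C" int LLVMFuzzerInitialize(int* argc, char*** argv) {
  (void)argc;
  (void)argv;
  ThreadState::attachCurrentThread();
  return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  // After LLVMFuzzerInitialize this cannot fail; any other outcome is a
  // harness bug, not a bug in the code under test.
  AllocResult r = runScanner(data, size);
  assert(r == AllocResult::kOk);
  return 0;
}

int main() {
  // Reproduce the report: empty input, no initialization, allocation fails.
  AllocResult before = runScanner(nullptr, 0);
  std::printf("without LLVMFuzzerInitialize: %s\n",
              before == AllocResult::kThreadNotAttached
                  ? "ThreadState::current() is null"
                  : "ok");
  LLVMFuzzerInitialize(nullptr, nullptr);
  LLVMFuzzerTestOneInput(nullptr, 0);
  std::printf("with LLVMFuzzerInitialize: ok, %zu bytes allocated\n",
              ThreadState::current()->bytesAllocated());
  ThreadState::detachCurrentThread();
  return 0;
}
```

The check worth keeping from this: a Blink-style fuzzer should do its environment setup in LLVMFuzzerInitialize (or a static initializer that runs before the first input) and the first test input should be the empty file, since an allocation in a constructor is reached before any parsing and a null ThreadState shows up immediately as a read at address 0.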
Oct 6 2016
ClusterFuzz has detected this issue as fixed in range 423384:423408.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5692623044214784
Fuzzer: libfuzzer_html_preload_scanner_fuzzer
Job Type: mac_libfuzzer_chrome_asan
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State: get current state
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=416314:416319
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_libfuzzer_chrome_asan&range=423384:423408
Minimized Testcase (0.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv948SRGvv8KAmtNq8BGZ0X5FjHnKdu_a7PnePYyGZPY_Pdy0G8qVZ7x07h-3bC7254ZOUMlPtthgmjcHaDqIcUTVz9sjjbFaw45BCBQoHJ_Aum5PExCDcuxy-k7prUweQ2QYF_RqgG7dNTXZNDYaPSWPVYum3g?testcase_id=5692623044214784

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 6 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Sep 9 2016
Owner: esprehn@chromium.org
Status: Assigned (was: Untriaged)