Suspected CLs	Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone.(No CL in the regression range changed the crashing files.)

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 77 of file Member.h, which is stack frame 0.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 57 of file ElementVisibilityObserver.cpp, which is stack frame 1.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 3989 of file HTMLMediaElement.cpp, which is stack frame 2.

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/27d1e313968955f1a120b65b31e316263365b1b3
Time: Tue Sep 13 05:28:59 2016
The CL last changed line 64 of file callback.h, which is stack frame 3.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 220 of file Functional.h, which is stack frame 4.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 72 of file ElementVisibilityObserver.cpp, which is stack frame 5.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 434 of file IntersectionObserver.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>MemoryAllocator
=============================================

None of the changes from the above Find It result looks related.

Based on code search on 'ElementVisibilityObserver.cpp' suspected change: https://codereview.chromium.org/2401303002.

mlamouri@: Could you please take a look at this and help in further investigation.

Thank you!

It was caused by https://codereview.chromium.org/2322143002

It seems that we now have a race (the crash isn`t actually 100% reproducible) between stopping the observation from `.muted = false;` and receiving a visibility change event because in the same event loop the element becomes visible.

Sometimes, we will receive the event even though we disconnected the observer and we assume that if we receive an event, the observer is still here (so we call `->stop()` on it).

The obvious fix is to stop making this assumption but I'm not sure that's the right fix because it sounds odd to receive events after asking to stop receiving them.

Assigning to ojan@ who wrote the CL that changed the timing of IntersectionObserver. He might have insights regarding why things happen this way and the best way to fix this.

It's seems reasonable to me that calling disconnect or unobserve should remove pending records for that element. szager, wdyt? If we change this, we should update the spec as well.

Yeah, I think when we were using idle callback, we didn't want to remove pending records when disconnect or unobserve was called; but now that we're using post task, I think that's fine.

ClusterFuzz has detected this issue as fixed in range 425585:425587.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4685916222521344

Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::ElementVisibilityObserver::stop
  blink::HTMLMediaElement::onVisibilityChangedForAutoplay
  blink::ElementVisibilityObserver::onVisibilityChanged
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=417794:417842
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=425585:425587

Minimized Testcase (155.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97a5008rwpwaIjodyk9cY3x6hZiBW9nXSXCBqLlBrRtuLVFGCNx1hN57bk40SZxiisIjhFo88YS7-p7Xes1cxjg0HveCIdP2SSAsSKbntj-7b7Nc_drJGAlF0dfXO9UES0jz0r4gzqSyaonl7OLL5Dr8zYTWVuzLeVQD1IDazM0mwSwTXY?testcase_id=4685916222521344

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

I think clusterfuzz is getting tricked by the flaky nature of this issue :)

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Unable to reproduce and neither is clusterfuzz.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.