Crash in base::debug::DebugBreak
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6029853636952064
Fuzzer: libfuzzer_text_resource_decoder_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e90000228f
Crash State:
  base::debug::DebugBreak
  blink::SegmentedString::advanceAndASSERT
  blink::HTMLTokenizer::nextToken
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423501:423546
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950tE-JtSt7Ei7u7hcWZZphOqFg5ajZWw27uUeZeuQ1ijb2WwlOjEwZIpajvGwUtjyxEyqpH0_PhTICKTARE9gqK2Y-4S8JwsyxiMa-VwdX4JAcMJ-aA2HLP42qco4K8P13I8Z_47DCOYBTYFrtVT0CX3tsrQ?testcase_id=6029853636952064

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 25 2016
This is not related to my change. Assign kouhei@ for triage.
Oct 25 2016
+mmoroz, do you know if clusterfuzz was executing ASSERT_UNUSED? tkent, your patch might have exposed this dcheck actually :)
Oct 29 2016
Hm, as I see:
-#define ASSERT_UNUSED(variable, assertion) ASSERT(assertion)
for debug build both ASSERT and DCHECK should be available. I don't think that replacing ASSERT_UNUSED with DCHECK could cause the crash.
Nov 1 2016
Confirmed local repro
Nov 1 2016
OK. Looks like it is the fuzzer that's broken. The HTMLTokenizerNames are all null.
Nov 1 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/923cc839a733579c5b768f1f9c2d84729c72f833

commit 923cc839a733579c5b768f1f9c2d84729c72f833
Author: kouhei <kouhei@chromium.org>
Date: Tue Nov 01 12:22:56 2016

TextResourceDecoderFuzzer should use blink::InitializeBlinkFuzzTest

Before this CL, TextResourceDecoder was run on uninitialized Blink platform. This CL ensures Blink is initialized by using blink::InitializeBlinkFuzzTest.

BUG= 659280
Review-Url: https://codereview.chromium.org/2465213002
Cr-Commit-Position: refs/heads/master@{#428986}

[modify] https://crrev.com/923cc839a733579c5b768f1f9c2d84729c72f833/third_party/WebKit/Source/core/BUILD.gn
[modify] https://crrev.com/923cc839a733579c5b768f1f9c2d84729c72f833/third_party/WebKit/Source/core/html/parser/TextResourceDecoderFuzzer.cpp
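The fix above moves Blink platform initialization into the fuzzer before any input is decoded. As an added example (not Chromium's or Blink's code), the C++ below models that harness shape with constructed stand-ins: a global name table that stays null until InitializePlatformForFuzzing (standing in for blink::InitializeBlinkFuzzTest) runs, a decoder that depends on it, and a libFuzzer entry point that initializes exactly once.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>

// Constructed stand-in for a process-wide name table such as blink's
// HTMLTokenizerNames: it stays null until the platform has been initialized.
static const char* kTagNames[] = {"script", "style", "textarea", "title"};
static const size_t kTagNameCount = sizeof(kTagNames) / sizeof(kTagNames[0]);
static const char* const* g_tag_names = nullptr;

// Stand-in for blink::InitializeBlinkFuzzTest: idempotent one-time setup
// that populates the table the decoder depends on.
void InitializePlatformForFuzzing() {
  if (g_tag_names == nullptr) g_tag_names = kTagNames;
}

bool PlatformInitialized() { return g_tag_names != nullptr; }

// Stand-in for the decoder/tokenizer: counts known start tags in the input.
// On an uninitialized platform it reports -1 instead of dereferencing the
// null table, which is the spot where the real code's ASSERT fired.
int CountKnownTags(const uint8_t* data, size_t size) {
  if (!PlatformInitialized()) return -1;
  std::string input(reinterpret_cast<const char*>(data), size);
  int hits = 0;
  for (size_t i = 0; i < kTagNameCount; ++i) {
    std::string tag = std::string("<") + g_tag_names[i];
    for (size_t pos = input.find(tag); pos != std::string::npos;
         pos = input.find(tag, pos + 1)) {
      ++hits;
    }
  }
  return hits;
}

// Fixed harness shape: initialize once, before the first input is decoded.
extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
  InitializePlatformForFuzzing();
  return 0;
}

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  // Belt-and-braces guard for drivers that skip LLVMFuzzerInitialize.
  static const bool once = (InitializePlatformForFuzzing(), true);
  (void)once;
  return CountKnownTags(data, size) < 0 ? 1 : 0;
}
```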
Nov 2 2016
ClusterFuzz has detected this issue as fixed in range 428837:429212.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6029853636952064
Fuzzer: libfuzzer_text_resource_decoder_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: UNKNOWN
Crash Address: 0x03e90000228f
Crash State:
  base::debug::DebugBreak
  blink::SegmentedString::advanceAndASSERT
  blink::HTMLTokenizer::nextToken
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=423501:423546
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=428837:429212
Minimized Testcase (0.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv950tE-JtSt7Ei7u7hcWZZphOqFg5ajZWw27uUeZeuQ1ijb2WwlOjEwZIpajvGwUtjyxEyqpH0_PhTICKTARE9gqK2Y-4S8JwsyxiMa-VwdX4JAcMJ-aA2HLP42qco4K8P13I8Z_47DCOYBTYFrtVT0CX3tsrQ?testcase_id=6029853636952064

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 2 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Oct 25 2016
Labels: M-55 Te-Logged
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)