Security: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy
Reported by romi0...@gmail.com, Nov 22 2016
Issue description

PRIMARY_PROBLEM_CLASS: X64_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+68c
PROCESS_NAME: chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_CODE_STR: c0000374
EXCEPTION_PARAMETER1: 0000000076f68430
WATSON_BKT_PROCSTAMP: 582209d1
WATSON_BKT_PROCVER: 54.0.2840.99
PROCESS_VER_PRODUCT: Google Chrome
WATSON_BKT_MODULE: ntdll.dll
WATSON_BKT_MODSTAMP: 57d2fde1
WATSON_BKT_MODOFFSET: bf262
WATSON_BKT_MODVER: 6.1.7601.23543
MODULE_VER_PRODUCT: Microsoft® Windows® Operating System
BUILD_VERSION_STRING: 6.1.7601.23543 (win7sp1_ldr.160909-0600)
MODLIST_WITH_TSCHKSUM_HASH: 10cdd8643009a99d0c6c4dcb800aae12c4944d16
MODLIST_SHA1_HASH: 0b5ff19e9ed9739ac0193081eac7c47d40a4c667

Using WinAfl to fuzz the chrome_elf.dll module with the command line:

afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome_elf.dll -target_module chrome_elf.dll -target_offset 0x3184 -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@

Chrome will start crashing immediately. The error code is c0000374. Attaching the dump and the WinAfl logs with the hang id. Also, if WinAfl is installed it will crash immediately with the above command line. The issue is reproducible with WinAfl only.
Nov 22 2016
The same results can be achieved with offset 0x332c and the command line:

afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome_elf.dll -target_module chrome_elf.dll -target_offset 0x332c -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@
Nov 22 2016
Hey Will, I'm not a Windows expert and I don't have any tools to read dmps to hand. Do you mind taking a look at this? I'm tentatively assigning a high impact due to a browser process crash.
Nov 22 2016

Nov 22 2016

Nov 22 2016
There's nothing in the crashes directory here, just an invalid HTML file in the hang directory which doesn't cause a hang. Please supply just the actionable test case or a full stack trace. Also, you seem to have appcompat shims loaded for Chrome - we don't support app compat shims for Chrome.
Nov 23 2016
.  0  Id: 33b0.2fc0 Suspend: 0 Teb: 000007ff`fffde000 Unfrozen
 # Child-SP          RetAddr           Call Site
00 00000000`0027d988 00000000`76eedec2 0xbf292d60
01 00000000`0027d990 00000000`76eee2c5 ntdll!RtlReportExceptionEx+0x1d2
02 00000000`0027da80 00000000`76eee32a ntdll!RtlReportException+0xb5
03 00000000`0027db00 00000000`76eef2b5 ntdll!RtlpTerminateFailureFilter+0x1a
04 00000000`0027db30 00000000`76e478c8 ntdll!RtlReportCriticalFailure+0x96
05 00000000`0027db60 00000000`76e57e8d ntdll!_C_specific_handler+0x8c
06 00000000`0027dbd0 00000000`76e484cf ntdll!RtlpExecuteHandlerForException+0xd
07 00000000`0027dc00 00000000`76e48ac8 ntdll!RtlDispatchException+0x45a
08 00000000`0027e2e0 00000000`76eef262 ntdll!RtlRaiseException+0x22f
09 00000000`0027ec90 00000000`76eef846 ntdll!RtlReportCriticalFailure+0x62
0a 00000000`0027ed60 00000000`76ef0412 ntdll!RtlpReportHeapFailure+0x26
0b 00000000`0027ed90 00000000`76ef2084 ntdll!RtlpHeapHandleError+0x12
0c 00000000`0027edc0 00000000`76e8a162 ntdll!RtlpLogHeapFailure+0xa4
0d 00000000`0027edf0 000007fe`d9f77e5f ntdll!RtlFreeHeap+0x72
0e 00000000`0027ee70 00000000`76d31a0a AcXtrnal!NS_FaultTolerantHeap::APIHook_RtlFreeHeap+0x3e3
*** WARNING: Unable to verify checksum for chrome_elf.dll
0f 00000000`0027eed0 000007fe`dfd28b88 kernel32!HeapFree+0xa
10 00000000`0027ef00 000007fe`dfd268d3 chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization(bool initial_client = <Value unavailable error>)+0x68c [c:\b\build\slave\win64-pgo\build\src\components\crash\content\app\crashpad_win.cc @ 119]
11 00000000`0027f450 000007fe`dfd11ef7 chrome_elf!crash_reporter::`anonymous namespace'::InitializeCrashpadImpl(bool initial_client = true, class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * process_type = 0x00000000`0027f790 "")+0x6f [c:\b\build\slave\win64-pgo\build\src\components\crash\content\app\crashpad.cc @ 151]
12 (Inline Function) --------`-------- chrome_elf!crash_reporter::InitializeCrashpadWithEmbeddedHandler+0x1a [c:\b\build\slave\win64-pgo\build\src\components\crash\content\app\crashpad.cc @ 203]
13 00000000`0027f730 000007fe`dfd142be chrome_elf!ChromeCrashReporterClient::InitializeCrashReportingForProcess(void)+0x133 [c:\b\build\slave\win64-pgo\build\src\chrome\app\chrome_crash_reporter_client_win.cc @ 232]
14 (Inline Function) --------`-------- chrome_elf!?A0xf7f65a15::InitializeCrashReportingForProcess+0x45 [c:\b\build\slave\win64-pgo\build\src\chrome_elf\chrome_elf_main.cc @ 49]
15 00000000`0027f7d0 00000001`3f102116 chrome_elf!SignalInitializeCrashReporting(void)+0x5a [c:\b\build\slave\win64-pgo\build\src\chrome_elf\chrome_elf_main.cc @ 92]
16 00000000`0027f830 00000001`3f189d7a chrome!wWinMain(struct HINSTANCE__ * instance = 0x00000001`3f100000, struct HINSTANCE__ * prev = 0x00000000`0000000a, wchar_t * __formal = 0x00000000`00000000 "", int __formal = 0n0)+0x4a [c:\b\build\slave\win64-pgo\build\src\chrome\app\chrome_exe_main_win.cc @ 212]
17 (Inline Function) --------`-------- chrome!invoke_main+0x21 [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 113]
18 00000000`0027fca0 00000000`76d259cd chrome!__scrt_common_main_seh(void)+0x11e [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 255]
19 00000000`0027fce0 00000000`76e5a2e1 kernel32!BaseThreadInitThunk+0xd
1a 00000000`0027fd10 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

0:000> !analyze -v -f
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for user32.dll -

************* Symbol Loading Error Summary **************
Module name            Error
user32                 An extended error was returned from the WinHttp server : srv*https://msdl.microsoft.com/download/symbols
                       The system cannot find the file specified : srv*c:\code\symbols*https://chromium-browser-symsrv.commondatastorage.googleapis.com
                       The system cannot find the file specified : c:\symbols

You can troubleshoot most symbol related issues by turning on symbol loading diagnostics (!sym noisy) and repeating the command that caused symbols to be loaded.
You should also verify that your symbol search path (.sympath) is correct.

DUMP_CLASS: 2
DUMP_QUALIFIER: 400

CONTEXT:  (.ecxr)
rax=00000000778f76a7 rbx=00000000c0000374 rcx=000000000027e680
rdx=0000000076f68430 rsi=0000000000000000 rdi=0000000076f68430
rip=0000000076eef262 rsp=000000000027ec90 rbp=00000000003ef070
 r8=7f22d35c01ba5946  r9=000000001f1a4416 r10=0000000000000000
r11=0000000000000286 r12=0000000000000008 r13=0000000000000000
r14=0000000000000001 r15=000007fedfd7e3b0
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
ntdll!RtlReportCriticalFailure+0x62:
00000000`76eef262 eb00            jmp     ntdll!RtlReportCriticalFailure+0x64 (00000000`76eef264)
Resetting default scope

FAULTING_IP:
ntdll!RtlReportCriticalFailure+62
00000000`76eef262 eb00            jmp     ntdll!RtlReportCriticalFailure+0x64 (00000000`76eef264)

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0000000076eef262 (ntdll!RtlReportCriticalFailure+0x0000000000000062)
   ExceptionCode: c0000374
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 0000000076f68430

PROCESS_NAME:  chrome.exe
ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_CODE_STR:  c0000374
EXCEPTION_PARAMETER1:  0000000076f68430
WATSON_BKT_PROCSTAMP:  582209d1
WATSON_BKT_PROCVER:  54.0.2840.99
PROCESS_VER_PRODUCT:  Google Chrome
WATSON_BKT_MODULE:  ntdll.dll
WATSON_BKT_MODSTAMP:  57d2fde1
WATSON_BKT_MODOFFSET:  bf262
WATSON_BKT_MODVER:  6.1.7601.23543
MODULE_VER_PRODUCT:  Microsoft® Windows® Operating System
BUILD_VERSION_STRING:  6.1.7601.23543 (win7sp1_ldr.160909-0600)
MODLIST_WITH_TSCHKSUM_HASH:  10cdd8643009a99d0c6c4dcb800aae12c4944d16
MODLIST_SHA1_HASH:  0b5ff19e9ed9739ac0193081eac7c47d40a4c667
NTGLOBALFLAG:  0
APPLICATION_VERIFIER_FLAGS:  0
DUMP_FLAGS:  94
DUMP_TYPE:  1
APP:  chrome.exe
ANALYSIS_SESSION_HOST:  YY014800
ANALYSIS_SESSION_TIME:  11-23-2016 10:04:39.0352
ANALYSIS_VERSION: 10.0.10586.567 amd64fre
IP_ON_HEAP:  00000000bf292d60
The fault address in not in any loaded module, please check your build's rebase log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may contain the address if it were loaded.
THREAD_ATTRIBUTES:
LAST_CONTROL_TRANSFER:  from 0000000076eef846 to 0000000076eef262
FAULTING_THREAD:  ffffffff
THREAD_SHA1_HASH_MOD_FUNC:  4008bda41f37758d00fb10137bc422efa19393f6
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  12b98d1baa3650abfdfbd28a377d0a2950fad762
OS_LOCALE:  ENU

PROBLEM_CLASSES:
    ACTIONABLE_HEAP_CORRUPTION
        Tid    [0x2fc0]
        Frame  [0x03]: ntdll!RtlpLogHeapFailure
        String [heap_failure_block_not_busy]
        Failure Bucketing
    DOUBLE_FREE
        Tid    [0x2fc0]
        Frame  [0x03]: ntdll!RtlpLogHeapFailure

BUGCHECK_STR:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE
DEFAULT_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy

STACK_TEXT:
00000000`76f68498 00000000`76e8a162 ntdll!RtlFreeHeap+0x72
00000000`76f684a0 000007fe`d9f77e5f acxtrnal!NS_FaultTolerantHeap::APIHook_RtlFreeHeap+0x3e3
00000000`76f684a8 00000000`76d31a0a kernel32!HeapFree+0xa
00000000`76f684b0 000007fe`dfd28b88 chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+0x68c
00000000`76f684b8 000007fe`dfd268d3 chrome_elf!crash_reporter::`anonymous namespace'::InitializeCrashpadImpl+0x6f
00000000`76f684c0 000007fe`dfd11ef7 chrome_elf!ChromeCrashReporterClient::InitializeCrashReportingForProcess+0x133
00000000`76f684c8 000007fe`dfd142be chrome_elf!SignalInitializeCrashReporting+0x5a
00000000`76f684d0 00000001`3f102116 chrome!wWinMain+0x4a
00000000`76f684d8 00000001`3f189d7a chrome!__scrt_common_main_seh+0x11e
00000000`76f684e0 00000000`76d259cd kernel32!BaseThreadInitThunk+0xd
00000000`76f684e8 00000000`76e5a2e1 ntdll!RtlUserThreadStart+0x1d

THREAD_SHA1_HASH_MOD:  69d31c89573f484c1e7026b19dce7ca02ec44cf4

FOLLOWUP_IP:
chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+68c [c:\b\build\slave\win64-pgo\build\src\components\crash\content\app\crashpad_win.cc @ 119]
000007fe`dfd28b88 4533c0          xor     r8d,r8d

FAULT_INSTR_CODE:  48c03345
FAULTING_SOURCE_LINE:  c:\b\build\slave\win64-pgo\build\src\components\crash\content\app\crashpad_win.cc
FAULTING_SOURCE_FILE:  c:\b\build\slave\win64-pgo\build\src\components\crash\content\app\crashpad_win.cc
FAULTING_SOURCE_LINE_NUMBER:  119
SYMBOL_STACK_INDEX:  3
SYMBOL_NAME:  chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+68c
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: chrome_elf
IMAGE_NAME:  chrome_elf.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  5821f345
STACK_COMMAND:  dps 76f68498 ; kb
FAILURE_BUCKET_ID:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_c0000374_chrome_elf.dll!crash_reporter::internal::PlatformCrashpadInitialization
BUCKET_ID:  X64_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+68c
PRIMARY_PROBLEM_CLASS:  X64_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+68c
BUCKET_ID_OFFSET:  68c
BUCKET_ID_MODULE_STR:  chrome_elf
BUCKET_ID_MODTIMEDATESTAMP:  5821f345
BUCKET_ID_MODCHECKSUM:  749bb
BUCKET_ID_MODVER_STR:  54.0.2840.99
BUCKET_ID_PREFIX_STR:  X64_ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE_
FAILURE_PROBLEM_CLASS:  ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy
FAILURE_EXCEPTION_CODE:  c0000374
FAILURE_IMAGE_NAME:  chrome_elf.dll
FAILURE_FUNCTION_NAME:  crash_reporter::internal::PlatformCrashpadInitialization
BUCKET_ID_FUNCTION_STR:  crash_reporter::internal::PlatformCrashpadInitialization
FAILURE_SYMBOL_NAME:  chrome_elf.dll!crash_reporter::internal::PlatformCrashpadInitialization
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/chrome.exe/54.0.2840.99/582209d1/ntdll.dll/6.1.7601.23543/57d2fde1/c0000374/000bf262.htm?Retriage=1
TARGET_TIME:  2016-11-21T18:24:45.000Z
OSBUILD:  7601
OSSERVICEPACK:  23543
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK:  256
PRODUCT_TYPE:  1
OSPLATFORM_TYPE:  x64
OSNAME:  Windows 7
OSEDITION:  Windows 7 WinNt (Service Pack 1) SingleUserTS
USER_LCID:  0
OSBUILD_TIMESTAMP:  2016-09-09 23:53:34
BUILDDATESTAMP_STR:  160909-0600
BUILDLAB_STR:  win7sp1_ldr
BUILDOSVER_STR:  6.1.7601.23543
ANALYSIS_SESSION_ELAPSED_TIME: 19d2
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:actionable_heap_corruption_heap_failure_block_not_busy_c0000374_chrome_elf.dll!crash_reporter::internal::platformcrashpadinitialization
FAILURE_ID_HASH:  {57f3e215-0dce-19da-4347-6042434485f3}
Followup:     MachineOwner
---------

Here is the full stack trace. The problem with the test case is that it's only reproducible with the WinAfl fuzzer. I have attached the dump file for the crash, but if executed with WinAfl with the command lines

1. afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome_elf.dll -target_module chrome_elf.dll -target_offset 0x332c -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@

2. afl-fuzz.exe -i in -o elf -D c:\fuzz\dyn\bin64 -t 20000+ -m 15000 -- -coverage_module chrome_child.dll -coverage_module chrome.dll -coverage_module chrome.exe -coverage_module chrome_elf.dll -target_module chrome_elf.dll -target_offset 0x3184 -nargs 3 -- c:\progra~2\Google\Chrome\Application\chrome.exe @@

it can be validated, as a hang file will be there, but most probably it's not minimized, or we can say it is a dirty test case; that is why it can not be reproduced.
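The triage point raised earlier in the thread is visible in the stack above: between chrome_elf's HeapFree call and ntdll!RtlFreeHeap sits acxtrnal!NS_FaultTolerantHeap::APIHook_RtlFreeHeap, an application-compatibility shim hook, so the double-free report is not a clean reproduction against the product alone. The following Python script is an added example, not part of this report or of Chromium: it parses the KEY: VALUE fields and STACK_TEXT frames of !analyze -v output, extracts the heap-failure class and the DOUBLE_FREE bucket, and flags any frame that belongs to a shim DLL. The SHIM_MODULES list and the product_modules parameter are assumptions chosen for illustration, and the embedded sample is an excerpt constructed from the lines quoted in this report.

```python
"""Triage helper for WinDbg !analyze -v output (added example, not Chromium code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Excerpt constructed from the !analyze -v lines quoted in this report,
# trimmed to the fields this script needs.
SAMPLE_ANALYZE = """\
ERROR_CODE: (NTSTATUS) 0xc0000374 - A heap has been corrupted.
EXCEPTION_CODE_STR: c0000374
BUGCHECK_STR: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_DOUBLE_FREE
STACK_TEXT:
00000000`76f68498 00000000`76e8a162 ntdll!RtlFreeHeap+0x72
00000000`76f684a0 000007fe`d9f77e5f acxtrnal!NS_FaultTolerantHeap::APIHook_RtlFreeHeap+0x3e3
00000000`76f684a8 00000000`76d31a0a kernel32!HeapFree+0xa
00000000`76f684b0 000007fe`dfd28b88 chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+0x68c
00000000`76f684c0 000007fe`dfd11ef7 chrome_elf!ChromeCrashReporterClient::InitializeCrashReportingForProcess+0x133
00000000`76f684d0 00000001`3f102116 chrome!wWinMain+0x4a
STACK_COMMAND: dps 76f68498 ; kb
FAILURE_BUCKET_ID: ACTIONABLE_HEAP_CORRUPTION_heap_failure_block_not_busy_c0000374_chrome_elf.dll!crash_reporter::internal::PlatformCrashpadInitialization
"""

# Module names of Windows application-compatibility shim DLLs. Assumption:
# this short list covers the common ones; extend it for your environment.
SHIM_MODULES = {"acxtrnal", "acgenral", "aclayers", "acspecfc", "apphelp"}

# "<child-sp> <retaddr> module!symbol+0xoffset" as printed by dps/kb output.
FRAME_RE = re.compile(
    r"^[0-9a-f`]{17}\s+[0-9a-f`]{17}\s+(?P<module>[^!\s]+)!(?P<symbol>\S+)\+0x(?P<offset>[0-9a-f]+)$",
    re.IGNORECASE,
)
# "KEY: value" lines; a frame line never matches because its first token has a backtick.
FIELD_RE = re.compile(r"^(?P<key>[A-Z0-9_]+):\s*(?P<value>.*)$")


@dataclass(frozen=True)
class Frame:
    module: str   # lower-cased module name, e.g. "chrome_elf"
    symbol: str   # symbol without module prefix, e.g. "RtlFreeHeap"
    offset: int   # offset into the symbol


def parse_analyze(text: str) -> tuple[dict[str, str], list[Frame]]:
    """Split !analyze -v text into KEY: VALUE fields and STACK_TEXT frames."""
    fields: dict[str, str] = {}
    frames: list[Frame] = []
    in_stack = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group("key"), m.group("value")
            in_stack = key == "STACK_TEXT"   # frames follow until the next KEY: line
            if not in_stack:
                fields[key] = value
            continue
        if in_stack:
            fm = FRAME_RE.match(line)
            if fm:
                frames.append(Frame(fm.group("module").lower(), fm.group("symbol"),
                                    int(fm.group("offset"), 16)))
    return fields, frames


def heap_failure_kind(fields: dict[str, str]) -> Optional[str]:
    """The heap_failure_* class embedded in BUGCHECK_STR, or None if not a heap failure."""
    m = re.search(r"heap_failure_[a-z]+(?:_[a-z]+)*", fields.get("BUGCHECK_STR", ""))
    return m.group(0) if m else None


def shim_frames(frames: list[Frame]) -> list[Frame]:
    """Frames whose module is an app-compat shim DLL (innermost first)."""
    return [f for f in frames if f.module in SHIM_MODULES]


def first_product_frame(frames: list[Frame], product_modules: set[str]) -> Optional[Frame]:
    """Innermost frame that belongs to the product under test: where a developer starts reading."""
    for f in frames:
        if f.module in product_modules:
            return f
    return None


def triage(text: str, product_modules: set[str]) -> dict[str, object]:
    """Summarise one !analyze -v report for a bug triager."""
    fields, frames = parse_analyze(text)
    shims = shim_frames(frames)
    product = first_product_frame(frames, product_modules)
    return {
        "exception_code": fields.get("EXCEPTION_CODE_STR"),
        "heap_failure": heap_failure_kind(fields),
        "double_free": "DOUBLE_FREE" in fields.get("BUGCHECK_STR", ""),
        "shim_modules": sorted({f.module for f in shims}),
        "hooked_api": shims[0].symbol if shims else None,
        "product_frame": (f"{product.module}!{product.symbol}+0x{product.offset:x}"
                          if product else None),
        # A shim between the product and RtlFreeHeap means the free was intercepted by a
        # compatibility layer; the report is not actionable until it reproduces without it.
        "actionable_without_shims": not shims,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ANALYZE, {"chrome", "chrome_elf"}).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the script reports heap_failure_block_not_busy with the DOUBLE_FREE bucket, names acxtrnal as the shim module hooking RtlFreeHeap, points at chrome_elf!crash_reporter::internal::PlatformCrashpadInitialization+0x68c as the first product frame, and marks the report as not actionable until the same stack is seen without shim frames.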
Nov 29 2016
romi007r, we are not able to reproduce this without a reproducer. Most likely, something is going wrong here with the instrumentation. I've noticed that you've made many similar reports in the past, most of which have been marked WontFix -- If you are fuzzing Chrome, we recommend using an AddressSanitizer build from e.g. here http://commondatastorage.googleapis.com/chromium-browser-asan/index.html