Crash in blink::EventTarget::dispatchEvent
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6315393783431168
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::EventTarget::dispatchEvent
  test_runner::MockWebSpeechRecognizer::RunTaskFromQueue
  base::debug::TaskAnnotator::RunTask
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=389396:389402

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94VBZu9kzNtaI78h434icCMlqmueQXCqizJchXZ9crRrGjMfgI0eMMImPqFxWUWFET47vH6J_BtTIdcJWf-yNTbLbqpOsZwfWtifdOj-aQFa9rX5ksXH8eS5nSPlc_pfXtACoLA8AL_HeLI6DwK4KHvFuhzAQ?testcase_id=6315393783431168

<script>
var recognition = new webkitSpeechRecognition();
recognition.start();
var recognition2 = new webkitSpeechRecognition();
recognition2.start();
</script>

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 23 2016
That CL looks random, but I can take a look -- fuzzers have tripped up on MockSpeechRecognizer in the past.

Nov 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/879066620c73422866ee6022415e8b436af12a9c

commit 879066620c73422866ee6022415e8b436af12a9c
Author: sigbjornf <sigbjornf@opera.com>
Date: Mon Nov 28 23:38:20 2016

Handle overlapping uses of MockWebSpeechRecognizer.

More than one speech recognition object may exist at the same time, all sharing a single MockWebSpeechRecognizer underneath when running layout tests. Overlapping uses of speech recognizer objects weren't something the mock object was designed to gracefully handle, hence fuzzer inputs would leave the mock object in an invalid state and crash, when they attempted to do so.

Rather than try to ignore and prevent overlapping uses from going ahead, we extend MockWebSpeechRecognizer with support for handling them, queueing recognizer context switching tasks that will run upon completion of the currently ongoing sequence of tasks that a speech recognizer object expects.

R=
BUG= 668019

Review-Url: https://codereview.chromium.org/2525933002
Cr-Commit-Position: refs/heads/master@{#434777}

[modify] https://crrev.com/879066620c73422866ee6022415e8b436af12a9c/components/test_runner/mock_web_speech_recognizer.cc
[modify] https://crrev.com/879066620c73422866ee6022415e8b436af12a9c/components/test_runner/mock_web_speech_recognizer.h
[add] https://crrev.com/879066620c73422866ee6022415e8b436af12a9c/third_party/WebKit/LayoutTests/fast/speech/scripted/start-multiple-expected.txt
[add] https://crrev.com/879066620c73422866ee6022415e8b436af12a9c/third_party/WebKit/LayoutTests/fast/speech/scripted/start-multiple.html

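The queueing approach the commit describes, modeled as an added C++ illustration that is not Chromium's code (MockRecognizer, Client and DispatchLog are invented names): with queue_switches off, a second Start() replaces the shared mock's current client while the first sequence is still pending, so that sequence's events land on the wrong object; with it on, the switch is queued behind the in-flight sequence.

```cpp
// Added illustration, not Chromium's own code: one mock recognizer shared by
// several recognition objects, with overlapping Start() calls serialized by
// queueing the client switch behind the task sequence already in flight.
#include <deque>
#include <functional>
#include <string>
#include <vector>

struct Client { std::string name; };  // stands in for one SpeechRecognition object
class MockRecognizer {
 public:
  explicit MockRecognizer(bool queue_switches) : queue_switches_(queue_switches) {}
  // Begin a recognition for |client|.  With queue_switches_ set, a client change
  // while tasks are pending waits for them; without it the client is replaced at once.
  void Start(Client* client) {
    if (queue_switches_ && !tasks_.empty())
      tasks_.push_back([this, client] { SwitchTo(client); });
    else
      SwitchTo(client);
  }
  // Drains the queue one task at a time, as the test runner's message loop would.
  void RunUntilIdle() {
    while (!tasks_.empty()) {
      std::function<void()> task = tasks_.front();
      tasks_.pop_front();
      task();
    }
  }
  const std::vector<std::string>& log() const { return log_; }
 private:
  void SwitchTo(Client* client) {
    client_ = client;
    for (const char* ev : {"start", "result", "end"})  // one recognition's events
      tasks_.push_back([this, ev] { log_.push_back(client_->name + ":" + ev); });
  }
  bool queue_switches_;
  Client* client_ = nullptr;
  std::deque<std::function<void()>> tasks_;
  std::vector<std::string> log_;
};

// Mirrors the minimized test case above: two objects started back to back.
std::vector<std::string> DispatchLog(bool queue_switches) {
  MockRecognizer mock(queue_switches);
  Client a{"a"}, b{"b"};
  mock.Start(&a); mock.Start(&b);
  mock.RunUntilIdle();
  return mock.log();
}
```

With queueing, the log reads a:start, a:result, a:end, b:start, b:result, b:end; without it, every event goes to b and a never sees its own sequence.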
Nov 29 2016
ClusterFuzz has detected this issue as fixed in range 434632:434636.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6315393783431168
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::EventTarget::dispatchEvent
  test_runner::MockWebSpeechRecognizer::RunTaskFromQueue
  base::debug::TaskAnnotator::RunTask
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=389396:389402
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=434632:434636

Minimized Testcase (0.17 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94VBZu9kzNtaI78h434icCMlqmueQXCqizJchXZ9crRrGjMfgI0eMMImPqFxWUWFET47vH6J_BtTIdcJWf-yNTbLbqpOsZwfWtifdOj-aQFa9rX5ksXH8eS5nSPlc_pfXtACoLA8AL_HeLI6DwK4KHvFuhzAQ?testcase_id=6315393783431168

<script>
var recognition = new webkitSpeechRecognition();
recognition.start();
var recognition2 = new webkitSpeechRecognition();
recognition2.start();
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 1 by tapted@chromium.org, Nov 23 2016
Components: Blink>Speech
Owner: sigbjo...@opera.com
Status: Assigned (was: Untriaged)