
Issue 680869 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 717559




Crash in ash::PanelLayoutManager::UpdateCallouts

Reported by ClusterFuzz (Project Member), Jan 13 2017

Issue description

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: sky@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concerned owner based on Findit results. The result is a list of CLs that changed the crashed files.

Author: sky
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b664383006661b34cbe214ace8d488e684cb6670
Time: Wed Jan 11 22:08:45 2017
Files accelerator_controller.cc, panel_layout_manager.cc, window_selector.cc are changed in this CL (and they are part of stack frame #4, "HandleToggleOverview"; frame #5, "ash::AcceleratorController::PerformAction"; frame #6, "ash::AcceleratorController::AcceleratorPressed").
Minimum distance from crash line to modified line: 70. (file: accelerator_controller.cc, crashed on: 349, modified: 419).

@sky -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by sky@chromium.org, Jan 13 2017

Cc: sky@chromium.org
Owner: jamescook@chromium.org
Here's the trace:

SCARINESS: 10 (null-deref)
#0 0x7f28c8ff16b4 in GetAlignment ash/common/shelf/wm_shelf.h:73:48
#1 0x7f28c8ff16b4 in ash::PanelLayoutManager::UpdateCallouts() ash/common/wm/panels/panel_layout_manager.cc:792
#2 0x7f28c8fd376f in ash::WindowSelector::Init(std::vector<ash::WmWindow*, std::allocator<ash::WmWindow*> > const&) ash/common/wm/overview/window_selector.cc:288:36
#3 0x7f28c8d3c95c in ash::WindowSelectorController::ToggleOverview() ash/common/wm/overview/window_selector_controller.cc:68:23
#4 0x7f28c8b7fd73 in HandleToggleOverview ash/common/accelerators/accelerator_controller.cc:300:49
#5 0x7f28c8b7fd73 in ash::AcceleratorController::PerformAction(ash::AcceleratorAction, ui::Accelerator const&) ash/common/accelerators/accelerator_controller.cc:1016
#6 0x7f28c8b8585c in ash::AcceleratorController::AcceleratorPressed(ui::Accelerator const&) ash/common/accelerators/accelerator_controller.cc:673:5
#7 0x7f28d183c912 in ui::AcceleratorManager::Process(ui::Accelerator const&) ui/base/accelerators/accelerator_manager.cc:91:20
#8 0x7f28c8b8d95a in ash::AcceleratorRouter::ProcessAccelerator(ash::WmWindow*, ui::KeyEvent const&, ui::Accelerator const&) ash/common/accelerators/accelerator_router.cc:60:47
#9 0x7f28d2dfbffa in wm::AcceleratorFilter::OnKeyEvent(ui::KeyEvent*) ui/wm/core/accelerator_filter.cc:45:18
#10 0x7f28c31c7093 in DispatchEvent ui/events/event_dispatcher.cc:191:12

I believe this is related to lazily creating WmShelf, which I think James did and may have backed out. Passing to him.

I re-landed my CL that defers shelf creation, so this is probably me. This crash should never happen in practice (I think it only happens if you wedge a bunch of input events into the very first message loop run) but I'll take a look next week.

Status: Started (was: Assigned)

Cc: xiy...@chromium.org

Status: Fixed (was: Started)
My fix can be reverted when xiyuan fixes the underlying SessionStateDelegate / SessionController discrepancy. See issue 648964.

Comment 6 by ClusterFuzz (Project Member), Jan 19 2017

ClusterFuzz has detected this issue as fixed in range 444406:444508.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5679323442053120

Fuzzer: meacer_chromebot_extensions
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  ash::PanelLayoutManager::UpdateCallouts
  ash::WindowSelector::Init
  ash::WindowSelectorController::ToggleOverview
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=442831:443258
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=444406:444508

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94uVujxXcEjUvHVJKPtdMwopIw1RqfQPrZbE7AK6zicoyB4_Ovi2H8xMIOzQdYjqTFJELY2lrextrf-Agf-3f052w8Wz8ll6GOo0S3zO177bz_Lr9Fq78sM2s_GeE6Q80ekaCQTFnyi4IvaSzTV9dWfRLnkYDEq2Ztzw_dfDfPEB5PBBEaOJ2iVWsgIfJ2iZXqhgpwqFFcyQ5c8mbQ5cVX3b0Od6kedW5j4SMv2gAPXe8Wah1XD2_XS2vheA7eVY0Kgi360My9hwvVMwQwyD905nh5-CSxJvaGlUJCkZBW16doPXCEdMxC0e_IUdtPI-yJunA2d6G-t-DPOhHknXTsjpV_wN6NzInxEyTyYCpzS7u34Cwg9lV0a8Ib38Ylvh2bQSCMBHe-9KNFWKsaR9nojh85pMw?testcase_id=5679323442053120


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Blockedon: 717559
