
Issue 689285


Issue metadata

Status: Assigned
Owner:
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression




Crash in chrome::GetURLAndTitleToBookmark

Project Member Reported by ClusterFuzz, Feb 7 2017

Issue description

Cc: nyerramilli@chromium.org
Labels: -Type-Bug Test-Predator-Wrong-CLs M-56 Type-Bug-Regression
Owner: pkasting@chromium.org
Status: Assigned (was: Untriaged)
Findit cannot find any culprit results.

Assigning to /src/chrome/browser/ui/views/location_bar/OWNERS, requesting to check the issue and help.
Owner: sky@chromium.org
If I'm reading this stack right, the crash is an attempt to deref a null active WebContents, when bookmarking a page by hitting space on the star.

The stack looks elided; I think it's omitting traversal through BrowserCommandController::ExecuteCommandWithDisposition(), which early-returns if (browser_->tab_strip_model()->active_index() == TabStripModel::kNoTab).

This would mean the tab strip model has an active tab, but browser->tab_strip_model()->GetActiveWebContents() is null. That seems scary; I would hope there's no window of time where those are out of sync.

Reassigning to sky who knows the tab strip model better than me to confirm whether this is possible during shutdown or something. I think if it is, and we make these be in sync, we fix this. Otherwise, we could bandaid, but it seems wrong.

Comment 3 by sky@chromium.org, Feb 8 2017

More specifically I think the index of the active tab is out of sync with the model. There are some weird cases where this can happen (mostly reentrancy). I don't directly see that in the stack here, but it could be the fuzzer is doing something that triggers the reentrancy earlier on and we're seeing the crash after the fact.

The only thing I can think of is to add some CHECKs to isolate when this is happening.
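A toy model of the invariant discussed in the two comments above, added here as an example and not Chromium code: a hypothetical TabStripModel whose close path notifies an observer before its active index is corrected, a null-guarded stand-in for GetURLAndTitleToBookmark (the "bandaid"), and an InvariantHolds() check standing in for the CHECK sky proposes. All class, method and URL names here are assumptions.

```cpp
// Added example, not Chromium code: a toy model of the desync the thread describes.
#include <functional>
#include <string>
#include <vector>
struct WebContents { std::string url, title; };  // stand-in for content::WebContents
constexpr int kNoTab = -1;
class TabStripModel {  // hypothetical minimal model, not the real class
 public:
  void AddTab(WebContents* c) { tabs_.push_back(c); active_index_ = int(tabs_.size()) - 1; }
  int active_index() const { return active_index_; }
  WebContents* GetActiveWebContents() const {
    return active_index_ == kNoTab ? nullptr : tabs_[active_index_];
  }
  // The invariant a CHECK would enforce: an active index always names live contents.
  bool InvariantHolds() const { return active_index_ == kNoTab || GetActiveWebContents(); }
  // Reentrancy window: the slot is cleared and observers run before the index is fixed up.
  void CloseActiveTab(const std::function<void(TabStripModel&)>& observer) {
    tabs_[active_index_] = nullptr;
    observer(*this);  // a command issued from here sees active_index() != kNoTab but null contents
    tabs_.erase(tabs_.begin() + active_index_);
    active_index_ = tabs_.empty() ? kNoTab : 0;
  }
 private:
  std::vector<WebContents*> tabs_;
  int active_index_ = kNoTab;
};
// Guarded bookmark command: declines instead of dereferencing null contents.
bool GetURLAndTitleToBookmark(const TabStripModel& model, std::string* url, std::string* title) {
  if (model.active_index() == kNoTab) return false;  // the caller's early return
  const WebContents* contents = model.GetActiveWebContents();
  if (!contents) return false;  // the null this crash hit
  *url = contents->url; *title = contents->title;
  return true;
}
// Bookmarks from inside the close observer; true if the desync was visible, the guard
// declined, and the invariant holds again once the close has completed.
bool RunBookmarkDuringCloseScenario() {
  WebContents page{"https://example.test/", "Example"};  // constructed input
  TabStripModel model;
  model.AddTab(&page);
  bool saw_desync = false, guard_declined = false;
  model.CloseActiveTab([&](TabStripModel& m) {
    std::string url, title;
    saw_desync = !m.InvariantHolds();
    guard_declined = !GetURLAndTitleToBookmark(m, &url, &title);
  });
  return saw_desync && guard_declined && model.InvariantHolds();
}
```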

Comment 4 by ClusterFuzz (Project Member), Feb 9 2017

ClusterFuzz has detected this issue as fixed in range 448982:449020.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6365606770376704

Fuzzer: cdiehl_dharma
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  chrome::GetURLAndTitleToBookmark
  chrome::BookmarkCurrentPageIgnoringExtensionOverrides
  BubbleIconView::OnKeyReleased
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=400445:400609
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=448982:449020

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv979Xf2umAkNsTnBm3gED7h21VkJNuaoxzeyZIM3qvm5FWOAHSLpayeQ8sgWtkc0wngrCgT-jS-zPMZz4jjtSJ1b5yBtssetVf6jEfJPkZA9ju2x4AyGLQ0Hk7FLiKp_qcr3EKWExxDZ6PS8s6rSqN4Y-FcZIKapoVds9ISX06q7LcmOvCGgVwjgXFrkuvykyTXcd2y9vvJgcPSsRKFny2wnTwH89Em3425u2Ab8jFvdzCjitcV2AYt09OMzLCenQbGW210yJIcaL0IFBoD7aC32_ipOUm3XcZjWUrrt31pG1yuNXYsIKdS54nOeYFO2B_UcBCmsSyEnQ6oPGAbaqsEdeYD29noHV8sJnb6w2xKrKCFbY5GrZ3mC0ur-sMsj4MnYN7y_oNxe9Yf9N6HXXs69k6fxFw?testcase_id=6365606770376704


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz (Project Member), Feb 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6365606770376704 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 6 by sky@chromium.org, Feb 9 2017

Labels: ClusterFuzz-Wrong
Status: Assigned (was: Verified)
There are a couple of quite old cluster fuzz reports (540612). So, this isn't fixed.

Comment 7 by sky@chromium.org, Feb 9 2017

Cc: msrchandra@chromium.org bruthig@chromium.org sky@chromium.org
Issue 690398 has been merged into this issue.
Labels: -ClusterFuzz-Wrong
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
