Use-of-uninitialized-value in base::time_internal::SaturatedAdd
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5298585563561984
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  base::time_internal::SaturatedAdd
  blink::scheduler::TaskQueueThrottler::MaybeSchedulePumpThrottledTasks
  blink::scheduler::TaskQueueThrottler::OnTimeDomainHasDelayedWork
Sanitizer: memory (MSAN)
Recommended Security Severity: Low
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=450670:450691
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96-oJSUEa73DjlwC2MKBA7AM1SKCT0kTMEX7vgVnZ34t45sj7fDM0c2mmezr-lZ3uWYsnLfkdLssX9A6YV-fVft2YZ8rnHhpFG6o7jWEqzdAO8GP4mgl7somj-0uvLRvzvARXjZSivifPlWVH-nmI_7r69O0x2mvmtZi0VZ54fTzoVzqSFS8Aap8hZt_l77M-A-bWSBwF09nZF8K-Eu-jSIsUO-EBq_eITe2e3QVqlrQCYi93aMQi_KbjRxYnYtWguMJUVuQv1gwUQRxCvl_JKkOj9_JDTdIh8TKmQsXeO9MwmgYfwVutDFE7D92r9-4egg3BLNnQ49-4dTdGY612PzENeohYzN1Ex5FmeWfGWW8bragE0ZKGokz1S85sDGX3Q6BM3-jxRM44pJP5VzOsP5rcgSlA?testcase_id=5298585563561984
Additional requirements: Requires Gestures
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Feb 19 2017
ClusterFuzz has detected this issue as fixed in range 451446:451454.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5298585563561984
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  base::time_internal::SaturatedAdd
  blink::scheduler::TaskQueueThrottler::MaybeSchedulePumpThrottledTasks
  blink::scheduler::TaskQueueThrottler::OnTimeDomainHasDelayedWork
Sanitizer: memory (MSAN)
Recommended Security Severity: Low
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=450670:450691
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=451446:451454
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96-oJSUEa73DjlwC2MKBA7AM1SKCT0kTMEX7vgVnZ34t45sj7fDM0c2mmezr-lZ3uWYsnLfkdLssX9A6YV-fVft2YZ8rnHhpFG6o7jWEqzdAO8GP4mgl7somj-0uvLRvzvARXjZSivifPlWVH-nmI_7r69O0x2mvmtZi0VZ54fTzoVzqSFS8Aap8hZt_l77M-A-bWSBwF09nZF8K-Eu-jSIsUO-EBq_eITe2e3QVqlrQCYi93aMQi_KbjRxYnYtWguMJUVuQv1gwUQRxCvl_JKkOj9_JDTdIh8TKmQsXeO9MwmgYfwVutDFE7D92r9-4egg3BLNnQ49-4dTdGY612PzENeohYzN1Ex5FmeWfGWW8bragE0ZKGokz1S85sDGX3Q6BM3-jxRM44pJP5VzOsP5rcgSlA?testcase_id=5298585563561984
Additional requirements: Requires Gestures
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 19 2017
ClusterFuzz testcase 5298585563561984 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Feb 19 2017
,
Feb 21 2017
This might be racy -- Alexander, do you think there might be a way for us to end up using an uninitialized value here? It doesn't seem so based on a quick look.
,
Feb 21 2017
Looks like these failures correspond with alexclarke@'s iteration of "don't post do works" patch.
,
Feb 21 2017
TaskQueueThrottler::IncreaseThrottleRefCount looks like it's got a bug, it shouldn't call OnTimeDomainHasDelayedWork if the queue is disabled. It probably shouldn't call OnTimeDomainHasImmediateWork either.
,
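The guard proposed in the comment above, as an added illustration that is not Chromium code: a hypothetical, simplified model of a saturating add over microsecond ticks, a task queue that can be disabled, and a throttler whose IncreaseThrottleRefCount either forwards unconditionally to OnTimeDomainHasDelayedWork (the shape of the bug) or only does so for an enabled queue that actually has delayed work. The SaturatedAdd here is a plain clamp and does not reproduce the real base::time_internal::SaturatedAdd's handling of its min/max "infinity" values; the pump-time rule and all class members are assumptions made for the example.

```cpp
#include <cstdint>
#include <iostream>
#include <limits>
#include <optional>

// Hypothetical model, not Chromium code: a saturating add over microsecond
// ticks, a task queue that can be disabled, and a throttler that schedules a
// "pump" for throttled delayed work.

// Saturating add: clamps to the int64 range instead of wrapping on overflow.
// Assumption: a plain clamp; the real base::time_internal::SaturatedAdd has
// extra handling for its min/max "infinity" values that this model omits.
int64_t SaturatedAdd(int64_t a, int64_t b) {
  const int64_t kMax = std::numeric_limits<int64_t>::max();
  const int64_t kMin = std::numeric_limits<int64_t>::min();
  if (b > 0 && a > kMax - b) return kMax;
  if (b < 0 && a < kMin - b) return kMin;
  return a + b;
}

struct TaskQueue {
  bool enabled = true;
  bool has_delayed_task = false;
  // Run time of the earliest delayed task. Only meaningful when
  // has_delayed_task is true; in the real bug the equivalent storage held an
  // indeterminate value in that case, which is what MSan flagged. Here it is
  // deliberately given a stand-in value so the model stays well defined.
  int64_t next_delayed_run_time_us = -1;
};

class TaskQueueThrottler {
 public:
  explicit TaskQueueThrottler(int64_t pump_interval_us)
      : pump_interval_us_(pump_interval_us) {}

  // Shape of the bug described in the thread: notifies the time domain
  // regardless of whether the queue is enabled or has delayed work, so the
  // stand-in run time flows into SaturatedAdd.
  void IncreaseThrottleRefCountUnguarded(const TaskQueue& q) {
    ++throttle_ref_count_;
    OnTimeDomainHasDelayedWork(q.next_delayed_run_time_us);
  }

  // Shape of the guard proposed in the thread: only notify for an enabled
  // queue that really has a delayed task.
  void IncreaseThrottleRefCount(const TaskQueue& q) {
    ++throttle_ref_count_;
    if (q.enabled && q.has_delayed_task)
      OnTimeDomainHasDelayedWork(q.next_delayed_run_time_us);
  }

  void OnTimeDomainHasDelayedWork(int64_t run_time_us) {
    MaybeSchedulePumpThrottledTasks(run_time_us);
  }

  // Scheduled pump time, if a pump has been scheduled.
  std::optional<int64_t> pump_time_us() const { return pump_time_us_; }
  int throttle_ref_count() const { return throttle_ref_count_; }

 private:
  void MaybeSchedulePumpThrottledTasks(int64_t run_time_us) {
    // Assumption: the pump runs one interval after the delayed task becomes
    // runnable; the saturating add keeps far-future run times from wrapping.
    pump_time_us_ = SaturatedAdd(run_time_us, pump_interval_us_);
  }

  int64_t pump_interval_us_;
  int throttle_ref_count_ = 0;
  std::optional<int64_t> pump_time_us_;
};

int main() {
  TaskQueue disabled;
  disabled.enabled = false;

  TaskQueueThrottler buggy(1000);
  buggy.IncreaseThrottleRefCountUnguarded(disabled);
  std::cout << "unguarded: pump scheduled = "
            << buggy.pump_time_us().has_value() << "\n";

  TaskQueueThrottler guarded(1000);
  guarded.IncreaseThrottleRefCount(disabled);
  std::cout << "guarded: pump scheduled = "
            << guarded.pump_time_us().has_value() << "\n";
  return 0;
}
```

The unguarded path schedules a pump from whatever happened to be in the run-time slot of a disabled queue; the guarded path bumps the ref count but leaves the time domain alone, which is the behaviour the thread asks for. Building a model like this with -fsanitize=memory and a genuinely uninitialized run-time field would reproduce the class of report ClusterFuzz filed.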
Feb 22 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/85ed9bafd675dc129eebb238ac3c679d436e5d40

commit 85ed9bafd675dc129eebb238ac3c679d436e5d40
Author: alexclarke <alexclarke@chromium.org>
Date: Wed Feb 22 11:46:17 2017

Fix potential DCHECK in TaskQueueThrottler::IncreaseThrottleRefCount

If TaskQueueThrottler::IncreaseThrottleRefCount was called on a disabled task queue whose next task was delayed, then a DCHECK in OnTimeDomainHasDelayedWork could fire. This patch prevents that from happening. This may fix the cluster fuzz warning too.

BUG= 693096 , 693798
Review-Url: https://codereview.chromium.org/2708963002
Cr-Commit-Position: refs/heads/master@{#451999}

[modify] https://crrev.com/85ed9bafd675dc129eebb238ac3c679d436e5d40/third_party/WebKit/Source/platform/scheduler/base/task_queue_impl.cc
[modify] https://crrev.com/85ed9bafd675dc129eebb238ac3c679d436e5d40/third_party/WebKit/Source/platform/scheduler/renderer/task_queue_throttler.cc
[modify] https://crrev.com/85ed9bafd675dc129eebb238ac3c679d436e5d40/third_party/WebKit/Source/platform/scheduler/renderer/task_queue_throttler_unittest.cc
,
Feb 23 2017
,
Jun 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by raymes@chromium.org, Feb 16 2017
Labels: Pri-2
Owner: skyos...@chromium.org
Status: Assigned (was: Untriaged)