state_ >= WILL_PROCESS_RESPONSEaccessor should only be called after a response h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5356364936511488

Fuzzer: inferno_flicker
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  state_ >= WILL_PROCESS_RESPONSEaccessor should only be called after a response h
  content::NavigationHandleImpl::GetRenderFrameHost
  content::RenderFrameDevToolsAgentHost::DidFinishNavigation

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=454203:454233

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95UY32hEYvA-V1ojvioSMbL484SGHep7c5jeZ7ZYTs_tFaO63PwQGMIf5YRkF0TiY_Yg7melczorAB-mFiJ986BejRHffVp0Zqh884zcmNMpL_FdhenbjQvztEaLwHBywY345C9vVBdLBP323JRhMXsyKQf87OjJA2T-HFtwn4cn__wGqtujnAoo1Hcxe_Pt5bYp_SvO9XWyyEsJ8JgVIioX9CPHG6Z5KJtNdNDExJVMeseed5aJokuLE0JvjawwGS1Z-JpJf6pWLfQLitPPbyEPJwnRhTIpxQ5q4GG1VHC7SRpMduFnxSwv8TfIcaLLvR58ApVSDq6HK5etiyRkeZBxCMWEmC2jQgucUvuXjgDJRAfqv4?testcase_id=5356364936511488

Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 2 2017
Mar 2 2017
Hmm, the issue is that, to maintain the old behavior, the code needed to get the RFH for comparison even if a commit didn't happen. But the code checks that NavigationHandle::GetRenderFrameHost is only committed past WILL_PROCESS_RESPONSE, and the calling code doesn't have access to that. Since this code is in content, perhaps it can cast to NavigationHandleImpl to use frame_tree_node()->render_manager()->current_frame_host() instead?
Mar 3 2017
Mar 6 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9b5ea61b97315d1d028f440d6dc7defed009cf66

commit 9b5ea61b97315d1d028f440d6dc7defed009cf66
Author: mharanczyk <mharanczyk@opera.com>
Date: Mon Mar 06 11:15:19 2017

Avoid fetching RFH from nav handle for not committed navigations.

For the devtools use case there is only a need to check whether the hosts match, so comparing frame tree node ids instead of raw pointers will give the same result.

BUG=697991
Review-Url: https://codereview.chromium.org/2730873002
Cr-Commit-Position: refs/heads/master@{#454849}

[modify] https://crrev.com/9b5ea61b97315d1d028f440d6dc7defed009cf66/content/browser/devtools/render_frame_devtools_agent_host.cc
Mar 6 2017
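The crash and the fix above come down to one pattern: NavigationHandleImpl::GetRenderFrameHost is gated by a CHECK on the navigation state, so a DevTools observer that compares host pointers in DidFinishNavigation trips it for any navigation that finished without ever processing a response (cancelled, aborted, or superseded). The committed change sidesteps the accessor by comparing frame tree node ids, which are known from the start of a navigation. The following self-contained C++ model is an added example and is not Chromium code: the State enum, the NavigationHandle and DevToolsAgentHost classes, the MODEL_CHECK macro and the three driver functions are all assumptions chosen to mirror the thread, and CHECK is modelled as a thrown exception so a test can observe the failure instead of the process aborting.

```cpp
// Added example, not Chromium code: a minimal model of the CHECK-gated
// accessor named in the crash state and of the two ways the DevTools
// observer can decide whether a navigation belongs to its frame.
#include <stdexcept>

// Assumed subset of the navigation state machine, in order.
enum class State { INITIAL, WILL_SEND_REQUEST, WILL_PROCESS_RESPONSE, DID_COMMIT };

struct RenderFrameHost {
  int frame_tree_node_id;  // id of the frame this host renders into
};

// Stand-in for CHECK(): throws instead of aborting so a test can observe it.
struct CheckFailure : std::logic_error {
  using std::logic_error::logic_error;
};
#define MODEL_CHECK(cond, msg) \
  do { if (!(cond)) throw CheckFailure(msg); } while (0)

class NavigationHandle {
 public:
  NavigationHandle(int frame_tree_node_id, RenderFrameHost* target)
      : frame_tree_node_id_(frame_tree_node_id), render_frame_host_(target) {}

  // Known when the navigation starts, so valid in every state.
  int GetFrameTreeNodeId() const { return frame_tree_node_id_; }

  // Models the gated accessor: the target host is only chosen once a
  // response is being processed, so any earlier call is a caller bug.
  RenderFrameHost* GetRenderFrameHost() const {
    MODEL_CHECK(state_ >= State::WILL_PROCESS_RESPONSE,
                "GetRenderFrameHost called before WILL_PROCESS_RESPONSE");
    return render_frame_host_;
  }

  void AdvanceTo(State s) { state_ = s; }

 private:
  int frame_tree_node_id_;
  RenderFrameHost* render_frame_host_;
  State state_ = State::INITIAL;
};

class DevToolsAgentHost {
 public:
  explicit DevToolsAgentHost(RenderFrameHost* host) : frame_host_(host) {}

  // Before the fix: a pointer comparison forces a call to the gated
  // accessor, which fires for every navigation that finished without a
  // response, exactly the situation the fuzzer hit.
  bool HostMatchesBefore(const NavigationHandle& handle) const {
    return handle.GetRenderFrameHost() == frame_host_;
  }

  // After the fix: compare frame tree node ids instead. That answers the
  // "is this navigation in my frame?" question and is legal in any state.
  bool HostMatchesAfter(const NavigationHandle& handle) const {
    return handle.GetFrameTreeNodeId() == frame_host_->frame_tree_node_id;
  }

 private:
  RenderFrameHost* frame_host_;
};

// A navigation that finishes before any response was processed.
bool BeforeFixTripsCheckOnUncommittedNavigation() {
  RenderFrameHost host{7};
  DevToolsAgentHost agent(&host);
  NavigationHandle aborted(7, &host);
  aborted.AdvanceTo(State::WILL_SEND_REQUEST);  // never reaches a response
  try {
    agent.HostMatchesBefore(aborted);
  } catch (const CheckFailure&) {
    return true;
  }
  return false;
}

bool AfterFixMatchesUncommittedNavigation() {
  RenderFrameHost host{7};
  DevToolsAgentHost agent(&host);
  NavigationHandle aborted(7, &host);
  aborted.AdvanceTo(State::WILL_SEND_REQUEST);
  return agent.HostMatchesAfter(aborted);  // no accessor call, no CHECK
}

// On committed navigations both comparisons agree, for a navigation in the
// observer's own frame and for one in a different frame.
bool BothAgreeOnCommittedNavigation() {
  RenderFrameHost mine{7};
  RenderFrameHost other{8};
  DevToolsAgentHost agent(&mine);
  NavigationHandle in_my_frame(7, &mine);
  NavigationHandle in_other_frame(8, &other);
  in_my_frame.AdvanceTo(State::DID_COMMIT);
  in_other_frame.AdvanceTo(State::DID_COMMIT);
  return agent.HostMatchesBefore(in_my_frame) == agent.HostMatchesAfter(in_my_frame) &&
         agent.HostMatchesBefore(in_other_frame) == agent.HostMatchesAfter(in_other_frame) &&
         agent.HostMatchesAfter(in_my_frame) && !agent.HostMatchesAfter(in_other_frame);
}
```

The general lesson for observers of a multi-phase object is the one the fix applies: prefer an identifier that is valid for the object's whole lifetime over an accessor whose precondition depends on how far the object got, because DidFinishNavigation is delivered for navigations in every terminal state, not only committed ones.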
Mar 7 2017
ClusterFuzz has detected this issue as fixed in range 454847:454855.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5356364936511488

Fuzzer: inferno_flicker
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  state_ >= WILL_PROCESS_RESPONSEaccessor should only be called after a response h
  content::NavigationHandleImpl::GetRenderFrameHost
  content::RenderFrameDevToolsAgentHost::DidFinishNavigation

Sanitizer: thread (TSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=454203:454233
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=454847:454855

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95UY32hEYvA-V1ojvioSMbL484SGHep7c5jeZ7ZYTs_tFaO63PwQGMIf5YRkF0TiY_Yg7melczorAB-mFiJ986BejRHffVp0Zqh884zcmNMpL_FdhenbjQvztEaLwHBywY345C9vVBdLBP323JRhMXsyKQf87OjJA2T-HFtwn4cn__wGqtujnAoo1Hcxe_Pt5bYp_SvO9XWyyEsJ8JgVIioX9CPHG6Z5KJtNdNDExJVMeseed5aJokuLE0JvjawwGS1Z-JpJf6pWLfQLitPPbyEPJwnRhTIpxQ5q4GG1VHC7SRpMduFnxSwv8TfIcaLLvR58ApVSDq6HK5etiyRkeZBxCMWEmC2jQgucUvuXjgDJRAfqv4?testcase_id=5356364936511488

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 7 2017
Issue 698225 has been merged into this issue.
Mar 7 2017
mharanczyk@: Could you please get the CL from C#6 merged to M-58 (3029 branch) as well?
Mar 7 2017
ajha@: I am not familiar with that process; as a non-committer, what am I supposed to do exactly to get that change onto the stabilization branch? Is fetching that release branch, cherry-picking the CL onto it and pushing it directly to the repo acceptable? Or do you have another commit queue for stabilization branches I could use?
Mar 7 2017
Users experienced this crash on the following builds:

Win Canary 59.0.3032.0 - 3.09 CPM, 51 reports, 50 clients (signature content::NavigationHandleImpl::GetRenderFrameHost)
Mac Canary 59.0.3032.0 - 17.98 CPM, 78 reports, 75 clients (signature content::NavigationHandleImpl::GetRenderFrameHost)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Mar 7 2017
This crash has high impact on Chrome's stability. Signature: content::NavigationHandleImpl::GetRenderFrameHost. Channel: canary. Platform: mac. Labeling issue 697991 with ReleaseBlock-Dev. If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Mar 7 2017
Looping in the stability sheriff for merging the CL in #6. Please request a merge if needed.
Mar 7 2017
I'll take care of the merge.
Mar 7 2017
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.

Owners: amineer@(clank), cmasso@(bling), bhthompson@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c1080fb57cbca2367d947ce94b4eddba499c98a1

commit c1080fb57cbca2367d947ce94b4eddba499c98a1
Author: lfg <lfg@chromium.org>
Date: Tue Mar 07 20:05:30 2017

Avoid fetching RFH from nav handle for not committed navigations.

For the devtools use case there is only a need to check whether the hosts match, so comparing frame tree node ids instead of raw pointers will give the same result.

BUG=697991
Review-Url: https://codereview.chromium.org/2730873002
Cr-Commit-Position: refs/heads/master@{#454849}
(cherry picked from commit 9b5ea61b97315d1d028f440d6dc7defed009cf66)

TBR=jam@chromium.org,dgozman@chromium.org,mharanczyk@opera.com
NOTRY=true
NOPRESUBMIT=true
Review-Url: https://codereview.chromium.org/2740473003
Cr-Commit-Position: refs/branch-heads/3029@{#50}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[modify] https://crrev.com/c1080fb57cbca2367d947ce94b4eddba499c98a1/content/browser/devtools/render_frame_devtools_agent_host.cc
Mar 7 2017
Comment 1 by mummare...@chromium.org, Mar 2 2017
Components: UI>Browser>Navigation
Labels: Test-Predator-Wrong M-58
Owner: mharanc...@opera.com
Status: Assigned (was: Untriaged)