Through code search on file values.cc, suspected CL is
https://chromium.googlesource.com/chromium/src/+/182756aeb9ef4240cace58875e71d42a7402711c

The CL linked in #1 is the last one to touch base::Value, but it should be unrelated to this issue. Most likely this is caused by the added fuzzer for SpdySession in r449636. I am not familiar with the networking code, but looking at the stack trace it seems like |net::ElideSpdyHeaderBlockForNetLog| tries to append arbitrary binary data in form of a base::Value string to a list (https://codesearch.chromium.org/chromium/src/net/http/http_log_util.cc?l=98).

String base::Values are not intended to be used like this and had a DCHECK against non UTF-8 input for years (introduced in http://crrev.com/13230).

This DCHECK is triggered here. I see two options how to resolve this:
- Make the fuzzer release mode only by wrapping it in |#if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)| ... |#endif|. This is for example done in |chromeos::NetworkStateTest| (https://codesearch.chromium.org/chromium/src/chromeos/network/network_state_unittest.cc?l=77).

- Use a binary |base::Value| instead of a string |base::Value| in |net::ElideSpdyHeaderBlockForNetLog|. In order to do so, the obtained |std::string| would need to be converted to a |std::vector<char>| and passed to |base::Value|'s constructor (https://codesearch.chromium.org/chromium/src/base/values.h?l=97).

I'm assigning this bug to the author of the fuzzer code and let them decide.

Small correction: The link to the DCHECK CL is https://codereview.chromium.org/13230, not http://crrev.com/13230.

This looks like a dupe of  issue 691243 , but I think that was marked
fixed incorrectly, as it only touched the header part and not the
value part.

Re: suggestions: How would using a binary base::Value affect the display in
net-internals and the like? This thing is basically almost-always text, but could, to best of my understanding of specs, contain stuff that's not utf-8 text in some circumstance.

You should figure out how you want the strings to appear to the user in net-internals, and then format them in valid UTF-8 to encode this. If base::Value can't decode it, Blink won't either so who knows what the user will see.

ClusterFuzz has detected this issue as fixed in range 483696:483832.

Detailed report: https://clusterfuzz.com/testcase?key=6502483032801280

Fuzzer: libFuzzer_net_spdy_session_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IsStringUTF8(*string_value_) in values.cc
  base::Value::Value
  base::Value::Value
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=449627:449661
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=483696:483832

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6502483032801280


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6502483032801280 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.