
Issue 714028

Issue metadata

Status: Fixed
Owner:
Closed: May 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug


Crash in /usr/lib/libc++.1.dylib:x86_64

Project Member Reported by ClusterFuzz, Apr 21 2017

Issue description

Cc: msrchandra@chromium.org
Labels: M-60 Test-Predator-Correct-CLs
Owner: jiameng@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: jiameng
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d518643748bffd4d67c504a5181489ab75b89a1d
Time: Wed Feb 08 01:48:22 2017
Line 335 of file blink_test_runner.cc, which potentially caused the crash, is changed in this CL (frame #1, "content::BlinkTestRunner::GetAbsoluteWebStringFromUTF8Path").
Minimum distance from crash line to modified line: 0 (file: blink_test_runner.cc, crashed on: 335, modified: 335).

@jiameng -- Could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank You.
Hello,

Someone raised a very similar issue (https://bugs.chromium.org/p/chromium/issues/detail?id=713185#c4), but it was subsequently closed. Are these two related?

Thanks.
As the other issue (https://bugs.chromium.org/p/chromium/issues/detail?id=713185#c4) was fixed/closed, would you please let me know if this issue is also fixed? Please let me know if the problem persists.

Thanks.
jiameng@, I think the problem still exists. I did a 'REDO TASK', however the CF test case is saying it's not yet fixed.

Can you please look into it?

Thank you!
The error message appears to say the mac-specific CFPasteboardRef didn't exist. Since it only occurred on a mac, I'll need a mac machine to reproduce the error. Meanwhile, is there any chance that this CFPasteboardRef was not properly initialized (or deleted) somewhere else?
Thanks.
Project Member

Comment 6 by bugdroid1@chromium.org, May 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d916411aa57de16c95e693cf9dd33d7e3bf65ee

commit 4d916411aa57de16c95e693cf9dd33d7e3bf65ee
Author: jiameng <jiameng@chromium.org>
Date: Thu May 11 10:56:14 2017

Initialize test configuration to a default value.

BlinkTestRunner::OnSetTestConfiguration should be
called to init test_config_ before any method using
test_config_ is run. However, this is not always
enforced by the test runner/controller as discovered
by clusterfuzz (see bug below). Hence this cl
initializes test_config_ to a default value to ensure
it is never a null ptr.

BUG= 714028 

Review-Url: https://codereview.chromium.org/2869333002
Cr-Commit-Position: refs/heads/master@{#470913}

[modify] https://crrev.com/4d916411aa57de16c95e693cf9dd33d7e3bf65ee/content/shell/common/layout_test.mojom
[modify] https://crrev.com/4d916411aa57de16c95e693cf9dd33d7e3bf65ee/content/shell/renderer/layout_test/blink_test_runner.cc

Status: Fixed (was: Assigned)
The crash occurred because the test controller did not call a method to properly initialize an object before using it. I've submitted a cl to default initialize the object in case the init method isn't called. My local test run shows the clusterfuzz issue is resolved. Hence I'm closing the ticket now.
Thanks.
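The null-pointer read and the default-initialization fix described in the comment above, as an added C++ example that is not Chromium's code: TestConfiguration, AppendPath and the method names are constructed stand-ins for the mojom struct, base::FilePath::Append and the BlinkTestRunner methods.

```cpp
#include <memory>
#include <string>
#include <utility>

// Constructed stand-in for the layout_test.mojom configuration; the field is hypothetical.
struct TestConfiguration {
  std::string current_working_directory = "/";  // default used when no config was ever sent
};

// Minimal stand-in for base::FilePath::Append: joins base and component with one '/'.
std::string AppendPath(const std::string& base, const std::string& component) {
  if (base.empty() || base.back() == '/') return base + component;
  return base + "/" + component;
}

// Before the fix: test_config_ is null until OnSetTestConfiguration() runs, so a
// method that dereferences it first reads through a null pointer (the ASan report above).
class BlinkTestRunnerBefore {
 public:
  void OnSetTestConfiguration(TestConfiguration c) { test_config_ = std::make_unique<TestConfiguration>(std::move(c)); }
  bool IsConfigured() const { return test_config_ != nullptr; }
  std::string GetAbsolutePathFromUTF8Path(const std::string& utf8_path) const {
    // Unconditional dereference: crashes if no configuration was set.
    return AppendPath(test_config_->current_working_directory, utf8_path);
  }
 private:
  std::unique_ptr<TestConfiguration> test_config_;
};

// After the fix: the pointer always holds a default configuration, so the same
// dereference is safe even when the controller never sends one.
class BlinkTestRunnerAfter {
 public:
  BlinkTestRunnerAfter() : test_config_(std::make_unique<TestConfiguration>()) {}
  void OnSetTestConfiguration(TestConfiguration c) { *test_config_ = std::move(c); }
  std::string GetAbsolutePathFromUTF8Path(const std::string& utf8_path) const {
    return AppendPath(test_config_->current_working_directory, utf8_path);
  }
 private:
  std::unique_ptr<TestConfiguration> test_config_;
};

// Builds a path after a configuration has been delivered; callable from main().
std::string AfterPathWithConfig(const std::string& cwd, const std::string& p) {
  BlinkTestRunnerAfter runner;
  TestConfiguration config{cwd};
  runner.OnSetTestConfiguration(std::move(config));
  return runner.GetAbsolutePathFromUTF8Path(p);
}
```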
Project Member

Comment 8 by ClusterFuzz, May 12 2017

ClusterFuzz has detected this issue as fixed in range 470896:470927.

Detailed report: https://clusterfuzz.com/testcase?key=5160260462706688

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  /usr/lib/libc++.1.dylib:x86_64
  /usr/lib/libc++.1.dylib:x86_64
  base::FilePath::Append
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=448729:448967
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=470896:470927

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5160260462706688


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
