Issue 716358 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Data race in blink::AudioHandler::Uninitialize

Project Member Reported by ClusterFuzz, Apr 28 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5775065234014208

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 1
Crash Address: 0x7b30000174cc
Crash State:
  blink::AudioHandler::Uninitialize
  blink::DefaultAudioDestinationHandler::Uninitialize
  blink::BaseAudioContext::Uninitialize
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=467817:467819

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5775065234014208


Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>WebAudio
Labels: M-60 Test-Predator-Correct-CLs
Owner: hongchan@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: hongchan
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1492075fce7add79a11e13a3c40d55261f4ae89d
Time: Fri Apr 28 01:53:13 2017
Lines 162-170 of file AudioDestination.cpp which potentially caused crash are changed in this cl (frame #3, "blink::AudioDestination::RequestRenderOnWebThread").
Minimum distance from crash line to modified line: 0. (file: AudioDestination.cpp, crashed on: 162, modified: 162).

@hongchan -- Could you please look into the issue, kindly re-assign if this is related to your changes.
Thank You.
Status: Started (was: Assigned)
Project Member

Comment 3 by bugdroid1@chromium.org, May 2 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d94da1744907ed1bb90e37756806841609b0cc52

commit d94da1744907ed1bb90e37756806841609b0cc52
Author: hongchan <hongchan@chromium.org>
Date: Tue May 02 18:55:46 2017

Improve thread creation in platform/audio/AudioDestination

After the introduction of the new rendering thread for WebAudio in
AudioDestination, two racy situations were observed by ClusterFuzz.

These race conditions become critical especially when the AudioContext
is in the tear-down stage; when the main thread is dumping its member
variables, the rendering thread is still trying to access them.

This CL moves the thread creation logic into Start() and Stop() methods
in AudioDestination. By doing so, the thread is always in sync with
the associated audio device and the thread can be safely deleted when
the AudioContext goes away.

BUG=716358, 716945
TEST=(The local TSAN/ASAN passed the repro test cases.)

Review-Url: https://codereview.chromium.org/2853923002
Cr-Commit-Position: refs/heads/master@{#468726}

[modify] https://crrev.com/d94da1744907ed1bb90e37756806841609b0cc52/third_party/WebKit/Source/platform/audio/AudioDestination.cpp
[modify] https://crrev.com/d94da1744907ed1bb90e37756806841609b0cc52/third_party/WebKit/Source/platform/audio/AudioDestination.h
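
Added example (editor's illustration, not Chromium code and not part of this bug thread): a small C++ model of the lifecycle pattern the commit message above describes. The names Renderer, AudioDestinationLike, TeardownIsQuiescent and StartStopIsIdempotent are hypothetical stand-ins, not Blink classes; the point is that the render thread exists only between Start() and Stop(), and that the destructor joins it before any member it touches is destroyed.

```cpp
// Added illustration, not Chromium code. Class and function names are
// hypothetical stand-ins for AudioDestination and the state it renders into.
#include <atomic>
#include <chrono>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

// Stand-in for the state the rendering thread writes on every callback. In the
// real bug this is AudioHandler/BaseAudioContext state that the main thread was
// tearing down while the render thread still used it.
class Renderer {
 public:
  explicit Renderer(std::size_t frames) : buffer_(frames, 0.0f) {}

  void Render() {
    for (float& sample : buffer_) sample += 0.25f;  // written on the render thread
    frames_rendered_.fetch_add(buffer_.size(), std::memory_order_relaxed);
  }
  std::uint64_t FramesRendered() const {
    return frames_rendered_.load(std::memory_order_relaxed);
  }

 private:
  std::vector<float> buffer_;
  std::atomic<std::uint64_t> frames_rendered_{0};
};

// Before the fix (per the commit message) the render thread was created when
// the destination was constructed, so nothing tied its lifetime to the audio
// device: the main thread could destroy the Renderer while the loop below was
// still running, and TSAN reports the write in Render() as a data race.
// After the fix the thread exists only between Start() and Stop(), and the
// destructor calls Stop(), so by the time members are destroyed the thread
// has been joined and cannot touch them.
class AudioDestinationLike {
 public:
  explicit AudioDestinationLike(std::size_t frames) : renderer_(frames) {}
  ~AudioDestinationLike() { Stop(); }  // join before any member goes away

  void Start() {
    std::lock_guard<std::mutex> lock(lifecycle_mutex_);
    if (thread_.joinable()) return;  // already started: idempotent
    running_.store(true, std::memory_order_release);
    thread_ = std::thread([this] { RenderLoop(); });
  }

  void Stop() {
    std::lock_guard<std::mutex> lock(lifecycle_mutex_);
    if (!thread_.joinable()) return;  // never started or already stopped
    running_.store(false, std::memory_order_release);
    thread_.join();  // once this returns no further Render() can execute
  }

  bool IsRunning() const { return running_.load(std::memory_order_acquire); }
  std::uint64_t FramesRendered() const { return renderer_.FramesRendered(); }

 private:
  void RenderLoop() {
    while (running_.load(std::memory_order_acquire)) {
      renderer_.Render();
      std::this_thread::sleep_for(std::chrono::microseconds(200));
    }
  }

  // Declaration order matters: members are destroyed in reverse, so the
  // (already joined) thread_ goes first and renderer_ last.
  Renderer renderer_;
  std::atomic<bool> running_{false};
  std::mutex lifecycle_mutex_;
  std::thread thread_;
};

// One Start/Stop cycle, checking the invariant the fix relies on: once Stop()
// has returned the frame counter never moves again, and the object can be
// destroyed without the render thread observing it.
bool TeardownIsQuiescent() {
  constexpr std::size_t kFrames = 128;
  AudioDestinationLike dest(kFrames);
  dest.Start();
  while (dest.FramesRendered() == 0)  // wait for at least one render callback
    std::this_thread::sleep_for(std::chrono::milliseconds(1));
  dest.Stop();
  const std::uint64_t after_stop = dest.FramesRendered();
  std::this_thread::sleep_for(std::chrono::milliseconds(5));
  return !dest.IsRunning() && dest.FramesRendered() == after_stop &&
         after_stop % kFrames == 0;
}  // dest destroyed here: ~AudioDestinationLike() -> Stop() is a no-op

// Repeated Start()/Stop() calls must neither spawn a second thread nor join
// twice; Start() after Stop() creates a fresh thread, like a restarted device.
bool StartStopIsIdempotent() {
  AudioDestinationLike dest(64);
  dest.Stop();   // stop before start: nothing to join
  dest.Start();
  dest.Start();  // second Start() must not spawn another thread
  const bool running_after_start = dest.IsRunning();
  dest.Stop();
  dest.Stop();   // double Stop() must not join twice
  const bool stopped_after_stop = !dest.IsRunning();
  dest.Start();  // restart works
  const bool restarted = dest.IsRunning();
  return running_after_start && stopped_after_stop && restarted;
}  // destructor stops the restarted thread

int main() {
  std::printf("teardown quiescent: %s\n", TeardownIsQuiescent() ? "yes" : "no");
  std::printf("start/stop idempotent: %s\n", StartStopIsIdempotent() ? "yes" : "no");
  return 0;
}
```

Build with `g++ -std=c++17 -pthread -fsanitize=thread` to confirm TSAN stays silent; moving the `Stop()` call out of the destructor (or declaring `thread_` before `renderer_` and letting the loop outlive it) is the shape of the original race, and TSAN will flag the write in Render() as soon as the Renderer is torn down under a still-running loop.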

Status: Fixed (was: Started)
Project Member

Comment 5 by ClusterFuzz, May 3 2017

ClusterFuzz has detected this issue as fixed in range 468701:468753.

Detailed report: https://clusterfuzz.com/testcase?key=5775065234014208

Fuzzer: phoglund_webrtc_peerconnection
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race WRITE 1
Crash Address: 0x7b3000000fcc
Crash State:
  blink::AudioHandler::Uninitialize
  blink::DefaultAudioDestinationHandler::Uninitialize
  blink::BaseAudioContext::Uninitialize
  
Sanitizer: thread (TSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=467817:467819
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=468701:468753

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5775065234014208


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Per #5, ClusterFuzz verified the fix.
Status: Verified (was: Fixed)
