
Issue 718385


Issue metadata

Status: Verified
Owner:
Closed: May 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 717559




Crash in gfx::ImageSkiaOperations::CreateResizedImage

Project Member Reported by ClusterFuzz, May 4 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5448427340300288

Fuzzer: cdiehl_peach
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000030
Crash State:
  gfx::ImageSkiaOperations::CreateResizedImage
  ash::tray::RoundedImageView::SetImage
  ash::tray::CreateUserAvatarView
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=468411:468487

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5448427340300288


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Labels: M-60 Test-Predator-Wrong
Owner: jamescook@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not provide any possible suspects.
Using Code Search for the file "rounded_image_view.cc", assigning to the related owner.

@James Cook -- Could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank You.
Cc: jamescook@chromium.org
Owner: xiy...@chromium.org
xiyuan, do you have time to look at this? Maybe session controller doesn't have an active user yet?

I also wonder if this could be another of the "clusterfuzz injects events too early" problems ( issue 717559 ). If so, a band-aid fix would be fine. I'm going to start looking into that issue in parallel.


Blockedon: 717559
The crash is because of a mixed sync/async timing issue. SystemTrayDelegate::GetLoginStatus for ash is a sync call to get chrome side session state. But UserCardView gets its data from SessionController via mojo and is not updated yet. Cleaning up the SystemTrayDelegate::GetLoginStatus reference would fix the crash.

However, we might end up with wrong UI because of the async update. That is, if a user is fast enough to bring up the system tray after login, we might show a NOT_LOGGED_IN version of the system tray bubble.
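The race described in the comment above, as an added illustration that is not Chromium code: SyncDelegate, SessionController, TaskQueue and TrayOutcome are simplified stand-ins I constructed for the real classes. The buggy tray takes its login decision from the sync oracle but its user data from the asynchronously updated controller; the fixed tray uses the controller's own login_status as the single source of truth, so an early tray open yields a stale but safe bubble instead of a null read.

```cpp
// Added illustration, not Chromium code: models the sync/async timing race
// from the comment above with simplified stand-ins for the real classes.
#include <functional>
#include <queue>
#include <string>
#include <vector>

enum class LoginStatus { NOT_LOGGED_IN, USER };
enum class TrayOutcome { USER_UI, NOT_LOGGED_IN_UI, NULL_AVATAR_READ };

// Stand-in for the chrome-side sync oracle (SystemTrayDelegate::GetLoginStatus).
struct SyncDelegate { LoginStatus status = LoginStatus::NOT_LOGGED_IN; };
// Stand-in for ash's SessionController: it only learns about the user when
// the (asynchronous, mojo-style) update task is delivered from the queue.
struct SessionController {
  LoginStatus login_status = LoginStatus::NOT_LOGGED_IN;
  std::vector<std::string> user_avatars;  // empty until the update lands
};
using TaskQueue = std::queue<std::function<void()>>;
// Login: the sync oracle flips immediately, ash's state only via a posted task.
void LoginUser(SyncDelegate& sync, SessionController& sc, TaskQueue& q) {
  sync.status = LoginStatus::USER;
  q.push([&sc] {
    sc.login_status = LoginStatus::USER;
    sc.user_avatars.push_back("constructed-avatar-bytes");
  });
}
void RunPendingTasks(TaskQueue& q) { while (!q.empty()) { q.front()(); q.pop(); } }
// Buggy tray: login decision from the sync oracle, user data from the async
// controller. When they disagree, CreateUserAvatarView would read a null image.
TrayOutcome BuildTrayBuggy(const SyncDelegate& sync, const SessionController& sc) {
  if (sync.status == LoginStatus::NOT_LOGGED_IN) return TrayOutcome::NOT_LOGGED_IN_UI;
  if (sc.user_avatars.empty()) return TrayOutcome::NULL_AVATAR_READ;
  return TrayOutcome::USER_UI;
}
// Fixed tray: one source of truth (SessionController::login_status), updated by
// the same task as the user list. An early tray open is now stale but safe.
TrayOutcome BuildTrayFixed(const SessionController& sc) {
  if (sc.login_status == LoginStatus::NOT_LOGGED_IN) return TrayOutcome::NOT_LOGGED_IN_UI;
  if (sc.user_avatars.empty()) return TrayOutcome::NULL_AVATAR_READ;
  return TrayOutcome::USER_UI;
}
// open_tray_early: the gesture arrives before the posted update has run.
TrayOutcome Simulate(bool fixed, bool open_tray_early) {
  SyncDelegate sync; SessionController sc; TaskQueue q;
  LoginUser(sync, sc, q);
  if (!open_tray_early) RunPendingTasks(q);
  return fixed ? BuildTrayFixed(sc) : BuildTrayBuggy(sync, sc);
}
```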
I think it's OK if the wrong UI could show up. With mustash the world is fundamentally asynchronous. As long as we can still run automated tests quickly, and clusterfuzz is happy, I'm OK with everything being async and potentially a little stale. WDYT?

Yep, agreed.
Project Member

Comment 7 by bugdroid1@chromium.org, May 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6779a04e21ebe7424ed2edae270f3303894104dc

commit 6779a04e21ebe7424ed2edae270f3303894104dc
Author: xiyuan <xiyuan@chromium.org>
Date: Fri May 05 21:27:55 2017

cros: Merge SystemTrayDelegate::GetUserLoginStatus

Merge SystemTrayDelegate::GetUserLoginStatus into
SessionController::login_status to avoid inconsistent
states in ash code.

BUG=718385

Review-Url: https://codereview.chromium.org/2864663002
Cr-Commit-Position: refs/heads/master@{#469771}

[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/mus/system_tray_delegate_mus.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/mus/system_tray_delegate_mus.h
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/root_window_controller_unittest.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/session/session_controller.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/session/session_controller.h
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/shelf/wm_shelf.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/overview/overview_button_tray.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/palette/palette_tray.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/session/logout_confirmation_controller.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/status_area_widget.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/tray/system_tray.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/tray/system_tray_bubble.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/tray/system_tray_delegate.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/tray/system_tray_delegate.h
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/system/tray_accessibility.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/test/status_area_widget_test_helper.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/test/test_system_tray_delegate.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/test/test_system_tray_delegate.h
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/wm/maximize_mode/maximize_mode_event_handler.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/ash/wm/overview/window_selector_controller.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/chrome/browser/ui/ash/system_tray_delegate_chromeos.cc
[modify] https://crrev.com/6779a04e21ebe7424ed2edae270f3303894104dc/chrome/browser/ui/ash/system_tray_delegate_chromeos.h

Project Member

Comment 8 by ClusterFuzz, May 6 2017

ClusterFuzz has detected this issue as fixed in range 469742:469772.

Detailed report: https://clusterfuzz.com/testcase?key=5448427340300288

Fuzzer: cdiehl_peach
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000030
Crash State:
  gfx::ImageSkiaOperations::CreateResizedImage
  ash::tray::RoundedImageView::SetImage
  ash::tray::CreateUserAvatarView
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=468411:468487
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=469742:469772

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5448427340300288


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, May 6 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5448427340300288 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
