Predator and CL could not provide any possible suspects.
Using Code Search for the file, "impl.cc" assigning to the concern owner who might be related.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/18235e2e87fdbddd735342cdfbcba7df1940b144

@chrishtr -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

I don't think it was my patch. Suspecting this one:
https://chromium.googlesource.com/chromium/src/+/7add13b6fbbc1420658f5f5e67841c80d35d4c34

My CL is just refactoring.

Using Code Search for the file, "ipc_message_templates.h" assigning to the concern owner who might be related or worked on similar file.

@tzik -- Could you please look into the issue, kindly re-assign if this is not related to your changes.


Thank You.

Unrelated to ipc_message_templates.h. It's just due to a missing null check on an uncoupled message from a compromised renderer.
A null check for |text_surrounding_selection_callback_| there looks enough.

Test Predator has given the following results:

Network traffic annotation added to render_frame_message_filter. by rhalavati@chromium.org
Changed files render_frame_message_filter.cc, with the same CrashedDirectory(content/browser/frame_host) as render_frame_host_impl.cc (in frame#1, frame#6)
Changed files render_frame_message_filter.cc, with the same CrashedComponent(Internals>Sandbox>SiteIsolation) as render_frame_host_impl.cc (in frame#1, frame#6)

@rhalavati -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Thank You.

Hi,

I couldn't relate the bug to my CL. The new variable defined in the CL is inherently of type int, and is computes as constexpr. Therefore the effect on the code would be just replacing one integer value with another integer.

It seems that this message (FrameHostMsg_TextSurroundingSelectionResponse) is created only in "render_frame_impl.cc" and used in "render_frame_host_impl.cc" and both seem quite good. From the error message I understand that the string argument of the message is not correctly deserialized, and I think the error had to be caught in mojo deserializer.

@tsepez, could you please kindly take a look as an ipc owner?

What's likely happening here is the fuzzer is sending you an unexpected response to a message the Host never actually sent, as could a compromised renderer.  These kinds of "continuations" are tricky; here its just a null dereference, but sometimes these call into unitinialized state on and wreak havoc.   

All that has to happen is the browser should defend against out-of-order messages by checking that the callback is not null before firing.

Probably not a regression since CF is sometimes confused.
  

|text_surrounding_selection_callback_|  is what I'm referring to in C9.

Thanks tsepez.

@avi,

It seems that argument check and error handling should be added to OnTextSurroundingSelectionResponse in content/browser/frame_host/render_frame_host_impl.cc.
I am not familiar with the code, could you please assign it to someone appropriate?

Thanks.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f536a38d6a7f80117482955486f89b9d4ee4601d

commit f536a38d6a7f80117482955486f89b9d4ee4601d
Author: Avi Drissman <avi@chromium.org>
Date: Tue Sep 26 21:08:14 2017

Don't crash in the case of an unexpected IPC response.

BUG= 746967 

Cq-Include-Trybots: master.tryserver.chromium.linux:linux_site_isolation
Change-Id: Id9106a040641386eea32988ce44cd2324e36798b
Reviewed-on: https://chromium-review.googlesource.com/684657
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Avi Drissman <avi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504482}
[modify] https://crrev.com/f536a38d6a7f80117482955486f89b9d4ee4601d/content/browser/frame_host/render_frame_host_impl.cc

ClusterFuzz has detected this issue as fixed in range 504470:504505.

Detailed report: https://clusterfuzz.com/testcase?key=4527552034242560

Fuzzer: ipc_fuzzer_gen
Job Type: linux_asan_chrome_ipc
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  content::RenderFrameHostImpl::OnTextSurroundingSelectionResponse
  bool IPC::MessageT<FrameHostMsg_TextSurroundingSelectionResponse_Meta, std::__1:
  content::RenderFrameHostImpl::OnMessageReceived
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=488146:488166
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_ipc&range=504470:504505

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4527552034242560

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4527552034242560 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.