Predator and CL did not provide any possible suspects.
Using Code Search for the file, "guest_view_manager.cc" assigning to the concern owner who might be related.

@thestig -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

I'm not the owner for guest_view_manager.cc.

 Issue 751836  has been merged into this issue.

 Issue 751794  has been merged into this issue.

 Issue 751778  has been merged into this issue.

I just looked into this, this is not an issue. The IPC sent contains a string, and the CHECK that the browser process is hitting already enforces the validity of the message.

This issue is probably due to https://chromium.googlesource.com/chromium/src/+/4ec751610d0f687db6fff1046ae7b799466a9354.

tsepez@, is there anything we need to do on the clusterfuzz side to mark this as not being a problem? The fuzzer can keep creating new crashes by changing the string being passed.

Given that the view_type string comes from a renderer, should we really be crashing the browser if it's invalid? Wouldn't it be better to just drop the message as is done here
https://cs.chromium.org/chromium/src/components/guest_view/browser/guest_view_manager.cc?rcl=b85c8ec80f2137eed964d998d725db4ea8b72391&l=370
or kill the renderer instead as is done here
https://cs.chromium.org/chromium/src/components/guest_view/browser/guest_view_manager.cc?rcl=b85c8ec80f2137eed964d998d725db4ea8b72391&l=425 ?

I don't think we want to just drop the message -- at this point the renderer is guaranteed to be compromised.

Killing the renderer is reasonable. If we go that route, we should use ReceivedBadMessage() in https://cs.chromium.org/chromium/src/content/browser/bad_message.h?l=213.

I'll mark the bug as available and decrease priority.

Adding kenrb to get your take on this. Does killing the renderer sound good?

components/guest_view/browser/ doesn't have bad_message.h yet. I'll need to add that.

 Issue 752804  has been merged into this issue.

Can you please remove the bad type name from check failure message. That blocks us from reenabling the fuzzer.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/36cc7b8f04a674c4ecfaa587477d73bd78531abb

commit 36cc7b8f04a674c4ecfaa587477d73bd78531abb
Author: Kevin McNee <mcnee@chromium.org>
Date: Mon Aug 14 16:27:21 2017

Kill a renderer if it creates a GuestView of a nonsense type.

A renderer sends a GuestViewHostMsg_ViewCreated message to the browser
upon creation of a GuestView and specifies the GuestView type as a
string. A misbehaving renderer can send a nonsense GuestView type
causing the browser to crash when it CHECKs that the type is valid.

We now kill the renderer for sending the bad message instead of
crashing the browser.

Bug:  751376 
Change-Id: I7527bb4f47119e689a10f8ad40aa90f2d0778575
Reviewed-on: https://chromium-review.googlesource.com/612159
Reviewed-by: Lucas Gadani <lfg@chromium.org>
Commit-Queue: Kevin McNee <mcnee@chromium.org>
Cr-Commit-Position: refs/heads/master@{#494068}
[modify] https://crrev.com/36cc7b8f04a674c4ecfaa587477d73bd78531abb/components/guest_view/browser/bad_message.h
[modify] https://crrev.com/36cc7b8f04a674c4ecfaa587477d73bd78531abb/components/guest_view/browser/guest_view_manager.cc
[modify] https://crrev.com/36cc7b8f04a674c4ecfaa587477d73bd78531abb/tools/metrics/histograms/enums.xml

ClusterFuzz testcase 4595343512829952 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.