Author: Nate Chapin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/6e8ee4652a28c58f0f9f6e8bc9f336eca6207056
Time: Wed Sep 06 16:39:07 2017
The CL last changed line 53 of file TaskRunnerHelper.cpp, which is stack frame 1.

@japhet  -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Thank You.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5232191c7f28c18cfb16bd05026aad7204ddf42a

commit 5232191c7f28c18cfb16bd05026aad7204ddf42a
Author: Nate Chapin <japhet@chromium.org>
Date: Thu Sep 14 20:40:49 2017

Take a LocalDOMWindow instead of a LocalFrame in Performance::Create

it's logically associated with a window rather than a frame, and this
enables graceful handling of a detached window. Performance uses
TaskRunnerHelper to look up a task runner in its constructor, and
TaskRunnerHelper is not resilient to doing that lookup for a null
LocalFrame.

BUG= 763685 
Test=fast/performance/detached-event-timestamp.html

Change-Id: I8e850fe55e7554c3992ba1ec449c6cf7e2b1057b
Reviewed-on: https://chromium-review.googlesource.com/666001
Commit-Queue: Nate Chapin <japhet@chromium.org>
Reviewed-by: Shubhie Panicker <panicker@chromium.org>
Cr-Commit-Position: refs/heads/master@{#502035}
[add] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/LayoutTests/fast/performance/detached-event-timestamp-expected.txt
[add] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/LayoutTests/fast/performance/detached-event-timestamp.html
[modify] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/Source/core/clipboard/DataTransferTest.cpp
[modify] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/Source/core/page/DragControllerTest.cpp
[modify] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/Source/core/timing/DOMWindowPerformance.cpp
[modify] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/Source/core/timing/Performance.cpp
[modify] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/Source/core/timing/Performance.h
[modify] https://crrev.com/5232191c7f28c18cfb16bd05026aad7204ddf42a/third_party/WebKit/Source/core/timing/PerformanceTest.cpp

ClusterFuzz has detected this issue as fixed in range 501992:502036.

Detailed report: https://clusterfuzz.com/testcase?key=5767999687753728

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000050
Crash State:
  blink::FileWriter::GetExecutionContext
  blink::TaskRunnerHelper::Get
  blink::Performance::Performance
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=499978:500007
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=501992:502036

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5767999687753728

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5767999687753728 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.