CHECK failure: state.connection_initialized in NetworkStateNotifier.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4561089533837312
Fuzzer: libFuzzer_renderer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  state.connection_initialized in NetworkStateNotifier.h
  blink::NetworkStateNotifier::ConnectionType
  blink::NetworkStateNotifier::IsCellularConnectionType
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=504891:504928
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561089533837312

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 5 2017
Unable to provide a possible suspect using Predator, CL and Code Search. Could someone please look into the issue? Thank you.
Oct 16 2017
According to the stack trace, this is not an HTML issue but in Blink networking code.
Oct 17 2017
I am attempting to bisect this.
Oct 18 2017
The bisect range found by Clusterfuzz was wrong. I think this is due to the configuration changing in the middle of the range. I am doing a much larger bisect.
Oct 18 2017
Bisect result makes no sense:

f34f89d41a332a0bb31b34f0e51d9e494b37f912 is the first bad commit
commit f34f89d41a332a0bb31b34f0e51d9e494b37f912
Author: Philip Rogers <pdr@chromium.org>
Date:   Sat Jul 29 00:42:55 2017 +0000

    Remove PropertyTreeState::GetInnermostNode

    This code was replaced by a new approach in [1] and is no longer used. The README.md has been updated to refer to the new description found in ConversionContext::Convert.

    [1] https://chromium.googlesource.com/chromium/src/+/f62169afa7f911143f50059c52ac0d9442284e96

    Bug: 740678
    Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
    Change-Id: If26626568df7cb4cf342a55366b8b86d07a794f2
    Reviewed-on: https://chromium-review.googlesource.com/592155
    Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
    Commit-Queue: Philip Rogers <pdr@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#490559}
Oct 18 2017
I think all we can say with confidence is the bug is new in M62.
Oct 18 2017
I'm trying to narrow down the set of options that make this fail. It appears that it needs is_debug = true. dcheck_always_on is not sufficient to trigger the failure. I haven't managed to reproduce it outside of the renderer_fuzzer binary. It may be a bug in the way that binary is starting up, rather than something that applies to chrome as a whole.
Oct 19 2017
I think there's a race condition. Apparently the calculated size of a <video> element depends on whether we're using cellular data or not. We end up in blink::NetworkStateNotifier::ConnectionType(). This happens after a 0ms delay (i.e. the event loop gets to spin after the element is added).
In all reasonable configurations the OnMaxBandwidthChanged message arrives from the browser before that 0ms delay fires. However, when you turn on debugging, address sanitizer and leak detection the browser runs really slowly and the message is reliably late.
I believe the race can only happen inside the renderer_fuzzer binary because normally page data has to come from the network, in which case the OnMaxBandwidthChanged message is guaranteed to arrive first. Here's the stack trace of the failure:
#0  0x00007ffff71c7898 in base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:231
#1  0x00007ffff71c7861 in base::debug::BreakDebugger () at ../../base/debug/debugger_posix.cc:258
#2  0x00007ffff7379e31 in logging::LogMessage::~LogMessage (this=0x7fff97069450) at ../../base/logging.cc:846
#3  0x00007fffc4cfde53 in blink::NetworkStateNotifier::ConnectionType (this=0x611000006a80) at ../../third_party/WebKit/Source/platform/network/NetworkStateNotifier.h:132
#4  0x00007fffc6736d2b in blink::NetworkStateNotifier::IsCellularConnectionType (this=0x611000006a80) at ../../third_party/WebKit/Source/platform/network/NetworkStateNotifier.h:138
#5  0x00007fffc671aa16 in blink::HTMLMediaElement::PreloadType (this=0x7e879e5c3770) at ../../third_party/WebKit/Source/core/html/media/HTMLMediaElement.cpp:2231
#6  0x00007fffc670ba57 in blink::HTMLMediaElement::EffectivePreloadType (this=0x7e879e5c3770) at ../../third_party/WebKit/Source/core/html/media/HTMLMediaElement.cpp:2265
#7  0x00007fffb8e0301a in blink::MediaControlInputElement::ShouldRecordDisplayStates (media_element=...) at ../../third_party/WebKit/Source/modules/media_controls/elements/MediaControlInputElement.cpp:30
#8  0x00007fffb8d8fd6a in blink::MediaControlsImpl::ComputeWhichControlsFit (this=0x7e879e5c3f98) at ../../third_party/WebKit/Source/modules/media_controls/MediaControlsImpl.cpp:1276
#9  0x00007fffb8d865e8 in blink::MediaControlsImpl::ElementSizeChangedTimerFired (this=0x7e879e5c3f98) at ../../third_party/WebKit/Source/modules/media_controls/MediaControlsImpl.cpp:1146
#10 0x00007fffb8dada7a in blink::TaskRunnerTimer<blink::MediaControlsImpl>::Fired (this=0x7e879e5c4258) at ../../third_party/WebKit/Source/platform/Timer.h:151
Impact of the bug appears extremely small. Even if the race can happen during normal browser execution, the sole consequence is that it will incorrectly conclude that it is not on cellular data.
It would be good to fix the initialisation order so that the logical constraints are not violated, even inside renderer_fuzzer.
+aizatsky for insight on renderer_fuzzer initialisation.
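To make the ordering dependency described in the comment above concrete, here is an added C++ model (not Blink code; the class and function names are hypothetical stand-ins) that spins a two-task event loop in both orders: with the browser's OnMaxBandwidthChanged message first the cellular query succeeds, with the 0 ms timer first the initialization check trips and the query answers "not cellular", as the comment predicts.

```cpp
#include <deque>
#include <functional>

enum class ConnectionType { kUnknown, kWifi, kCellular3G };

struct NetworkState {
  bool connection_initialized = false;
  ConnectionType type = ConnectionType::kUnknown;
};

// Hypothetical stand-in for the notifier; not Blink's class.
class NotifierModel {
 public:
  // Stands in for the IPC handler that initialises the state.
  void OnMaxBandwidthChanged(ConnectionType t) {
    state_.type = t;
    state_.connection_initialized = true;
  }
  // Mirrors CHECK(state.connection_initialized): records the violation
  // instead of aborting so both orderings can be exercised in one run.
  bool IsCellularConnectionType(bool* check_failed) const {
    if (!state_.connection_initialized) {
      *check_failed = true;
      return false;  // the "not on cellular" answer the comment describes
    }
    return state_.type == ConnectionType::kCellular3G;
  }
 private:
  NetworkState state_;
};

struct RaceResult { bool check_failed; bool cellular; };

// Spins a tiny single-threaded event loop holding the IPC task and the
// 0 ms timer task in the given order (constructed scenario).
RaceResult RunRace(bool message_before_timer) {
  NotifierModel notifier;
  RaceResult r{false, false};
  std::deque<std::function<void()>> loop;
  auto message = [&] { notifier.OnMaxBandwidthChanged(ConnectionType::kCellular3G); };
  auto timer = [&] { r.cellular = notifier.IsCellularConnectionType(&r.check_failed); };
  if (message_before_timer) { loop.push_back(message); loop.push_back(timer); }
  else { loop.push_back(timer); loop.push_back(message); }
  while (!loop.empty()) { loop.front()(); loop.pop_front(); }
  return r;
}
```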
Oct 24 2017
For more information, please see https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md. The link referenced in the description is no longer valid.
Nov 7 2017
Automatically adding ccs based on suspected regression changelists:
https://chromium.googlesource.com/chromium/src/+/7dc115f5f84ce2ea43c8c7b0f26e3b896dc19582 (bindings: Generate Chromium-style code for union types. by tkent@chromium.org)
https://chromium.googlesource.com/chromium/src/+/6541835c4e9db26be7685581b1f263cf9a3f17c0 ([LayoutNG] Add LayoutNGListItem for 'display: list-item' by kojii@chromium.org)
If this is incorrect, please apply the Test-Predator-Wrong-CLs label.
Nov 8 2017
Please ignore the Test-Predator-Auto-CC comment spam above; there was a bug in our script that caused it to create the same comment multiple times and also didn't add ccs properly.
Dec 8 2017
ClusterFuzz has detected this issue as fixed in range 522620:522667.

Detailed report: https://clusterfuzz.com/testcase?key=4561089533837312
Fuzzer: libFuzzer_renderer_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  state.connection_initialized in NetworkStateNotifier.h
  blink::NetworkStateNotifier::ConnectionType
  blink::NetworkStateNotifier::IsCellularConnectionType
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=504891:504928
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=522620:522667
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4561089533837312

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 8 2017
ClusterFuzz testcase 4561089533837312 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 12 2018
Issue 795279 has been merged into this issue.
Jan 12 2018
Issue 769775 has been merged into this issue.
Apr 13 2018
Issue 832154 has been merged into this issue.