Null-dereference READ in _pthread_key_global_init
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5412733934895104
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  _pthread_key_global_init
  media::ChunkDemuxerStream::SetEnabled
  media::ChunkDemuxer::OnEnabledAudioTracksChanged
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=503469:503500
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5412733934895104
Additional requirements: Requires HTTP
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 12 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/8aa773b497e8ad75468e8fa0c0cd2ac6687a255a (MSE: Vary ChunkDemuxer{Stream} of ByDts/ByPts based on media::kMseBufferByPts). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Oct 13 2017
Interesting - it looks like removing the source buffer while an async append is processing may result in bad things, at least if SourceBufferState::OnNewConfigs() occurs. Further investigation required...
Oct 13 2017
Oct 16 2017
=> servolk@ -- It looks like the SourceBuffer->RemovedFromMediaSource()'s call to RemoveMediaTracks() causes a later change to track enabled state to reference a stream that's already been removed. Can you take a look (if not soon, please assign back to me). Thanks!
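The lifetime pattern this comment points at, as an added illustrative model that is not Chromium's ChunkDemuxer code (class, method and track names are hypothetical): removing a track erases its lookup entry together with the stream, and a later enabled-tracks change that still names the removed id is counted and skipped instead of being dereferenced.

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct DemuxerStream {
  bool enabled = true;
  void SetEnabled(bool e) { enabled = e; }
};

class Demuxer {
 public:
  void AddAudioTrack(const std::string& id) { tracks_[id] = std::make_unique<DemuxerStream>(); }
  // Models RemoveMediaTracks(): erase the lookup entry with the stream itself.
  void RemoveAudioTracks(const std::vector<std::string>& ids) {
    for (const auto& id : ids) tracks_.erase(id);
  }
  // Enables the listed tracks, disables all others; ids with no live stream are
  // counted and skipped rather than dereferenced (the crash path in the report).
  int OnEnabledAudioTracksChanged(const std::vector<std::string>& ids) {
    std::set<std::string> want(ids.begin(), ids.end());
    int stale = 0;
    for (const auto& id : want)
      if (tracks_.find(id) == tracks_.end()) ++stale;
    for (auto& entry : tracks_)
      entry.second->SetEnabled(want.count(entry.first) > 0);
    return stale;
  }
  bool IsEnabled(const std::string& id) const {
    auto it = tracks_.find(id);
    return it != tracks_.end() && it->second->enabled;
  }
 private:
  std::map<std::string, std::unique_ptr<DemuxerStream>> tracks_;
};

// Constructed scenario mirroring the report: a track is removed, then an enable
// change still names it. Returns {stale ids seen, whether audio-1 ends enabled}.
std::pair<int, bool> RemovedTrackScenario() {
  Demuxer d;
  d.AddAudioTrack("audio-1");
  d.AddAudioTrack("audio-2");
  d.RemoveAudioTracks({"audio-2"});
  int stale = d.OnEnabledAudioTracksChanged({"audio-2"});
  d.OnEnabledAudioTracksChanged({"audio-1"});
  return {stale, d.IsEnabled("audio-1")};
}
```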
Nov 7 2017
Nov 7 2017
Nov 8 2017
servolk@, friendly ping
Nov 8 2017
cc+=chcunningham@ (see also broader https://bugs.chromium.org/p/chromium/issues/detail?id=782934)
Nov 8 2017
Sorry for the delay!
So looking at the crash report I'm a little confused: is it a crash due to a null-deref or is it actually a deadlock?
I've noticed this message in the crash report page:
2017-11-08 00:41:46.474 Content Shell[33493:94106327] CFPasteboardRef CFPasteboardCreate(CFAllocatorRef, CFStringRef) : Lock timeout
So perhaps the crash/null-deref was triggered intentionally after lock timeout?
Is there a way to repro this? I've downloaded the clusterfuzz-testcase-minimized-5412733934895104.zip, and tried to run it as a blink layout test. The test failed, but there was no crash. Do I need to use some special command-line params to repro the crash?
Here is what I got after launching the test case:
Using port 'linux-trusty'
Test configuration: <trusty, x86_64, debug>
View the test results at file:///usr/local/google/home/servolk/chromium/src/out/Debug/layout-test-results/results.html
Using random order with seed: 1510182439
Baseline search path: linux -> win -> generic
Using Debug build
Pixel tests enabled
Regular timeout: 18000, slow test timeout: 90000
Command line: /usr/local/google/home/servolk/chromium/src/out/Debug/content_shell --run-layout-test --ignore-certificate-errors-spki-list=Nxvaj3+bY3oVrTc+Jp7m3E3sB1n3lXtnMDCyBsqEXiY= --user-data-dir --enable-crash-reporter --crash-dumps-dir=/usr/local/google/home/servolk/chromium/src/out/Debug/crash-dumps -
Found 1 test; running 1, skipping 0.
Running 1 content_shell.
[1/1] imported/w3c/web-platform-tests/media-source/fuzz-http-4.html failed unexpectedly (-expected.txt was missing, -expected.png was missing)
0 tests ran as expected, 1 didn't:
[104349:104391:1108/150728.033697:ERROR:browser_gpu_channel_host_factory.cc(108)] Failed to launch GPU process.
Created new window in existing browser session.
Nov 10 2017
The NextAction date has arrived: 2017-11-10
Nov 13 2017
Issue 784079 has been merged into this issue.
Nov 15 2017
Dec 14 2017
@#10 to repro it looks like you'll need an ASAN instrumented content shell.
Dec 20 2017
From call stack it looks like this is indeed the same crash as crbug.com/784079 . But I haven't been able to repro it so far after 29 attempts on my Linux workstation using the clusterfuzz repro tool. I did 3 + 3 runs with default settings, then 3 more runs with --disable-xvfb and 10 + 10 runs with -i 10 and default settings, but haven't seen a single crash (attaching the test log of the last 10 runs). I'm also a bit confused at the call stacks we see for these crashes. As far as I can tell from looking at the code the ChunkDemuxer::OnEnabledAudioTracksChanged must be invoked directly from PipelineImpl::RendererWrapper::OnEnabledAudioTracksChanged and not via PostTask. So I'm a bit lost atm how this could happen.
Dec 20 2017
ClusterFuzz has detected this issue as fixed in range 525192:525236.
Detailed report: https://clusterfuzz.com/testcase?key=5412733934895104
Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000040
Crash State:
  _pthread_key_global_init
  media::ChunkDemuxerStream::SetEnabled
  media::ChunkDemuxer::OnEnabledAudioTracksChanged
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=503469:503500
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=525192:525236
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5412733934895104
Additional requirements: Requires HTTP
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 20 2017
ClusterFuzz testcase 5412733934895104 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 12 2018
Comment 1 by ClusterFuzz, Oct 12 2017
Labels: Test-Predator-AutoComponents