Null-dereference READ in content::GetFrameNameForLayoutTests
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5441303814078464
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000080
Crash State:
  content::GetFrameNameForLayoutTests
  test_runner::PrintFrameDescription
  test_runner::WebFrameTestClient::DidReceiveTitle
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=514498:517698
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5441303814078464
Additional requirements: Requires Gestures

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Nov 20 2017
Predator and CL could not provide any possible suspects. Using the code search for the file, "test_runner_support.cc", assigning to concern owner. Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/6b4a012891b2b9ab32b2c12fe196d8c79cae0001 lukasza@ -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes. Thank You...
Nov 27 2017
Testcase 5441303814078464 is a top crash on ClusterFuzz for linux platform. Please prioritize fixing this crash. Marking this crash as a Beta release blocker. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 27 2017
In the repro case found by clusterfuzz, the WebFrameClient::DidReceiveTitle callback happens while RenderViewImpl::Initialize is creating the frame (1). This happens before RenderViewImpl::Initialize is done and can notify the test_runner layer about the new view and frame via LayoutTestContentRendererClient::RenderViewCreated (2). I think the only recourse is to add ad-hoc null checks in WebTestFrameClient::DidReceiveTitle.
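As an added illustration (not Chromium's code, and not the change from the CL), the following is a constructed C++ model of the ordering problem described in this comment: a frame client whose title callback can run before the test layer has bound its per-view state, shown first in the pre-fix shape that dereferences the null pointer and then with the early-return guard. All type and function names (TestRunnerView, FrameTestClient, InitializeView), the step ordering inside InitializeView, and the printed-line format are assumptions made for this example.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Constructed model (not Chromium's code) of the per-view state owned by the
// test_runner layer. The content layer hands it to frame clients only from
// RenderViewCreated(), i.e. after RenderViewImpl::Initialize() has finished.
struct TestRunnerView {
  std::vector<std::string> printed_lines;  // what the layout test would print
};

// Constructed stand-in for test_runner::WebFrameTestClient.
class FrameTestClient {
 public:
  // Models the RenderViewCreated() notification reaching the test layer.
  void BindView(TestRunnerView* view) { view_ = view; }

  // Pre-fix shape: dereferences view_ unconditionally. Invoked before
  // BindView() this is exactly a null-dereference READ of the kind ASAN
  // reported; it is kept for comparison and is never called early here.
  void DidReceiveTitleUnguarded(const std::string& frame,
                                const std::string& title) {
    view_->printed_lines.push_back(frame + " - didReceiveTitle: " + title);
  }

  // Guarded shape, in the spirit of the fix ("skip parts ... if called too
  // early"): if the callback arrives before the view is bound, record the
  // event and return false instead of touching view_.
  bool DidReceiveTitle(const std::string& frame, const std::string& title) {
    if (view_ == nullptr) {
      ++skipped_early_;
      return false;
    }
    DidReceiveTitleUnguarded(frame, title);
    return true;
  }

  int skipped_early() const { return skipped_early_; }

 private:
  TestRunnerView* view_ = nullptr;  // null until BindView()
  int skipped_early_ = 0;
};

struct InitResult {
  int early_callbacks;  // title callbacks that arrived before BindView()
  int lines_printed;    // lines the test layer actually recorded
};

// Constructed model of the ordering the thread labels (1) and (2): creating
// the main frame synchronously loads the initial empty document, whose parser
// finishes at once and dispatches DidReceiveTitle (1); only then does
// RenderViewCreated() let the test layer bind its state (2).
InitResult InitializeView(FrameTestClient& client, TestRunnerView& view) {
  // (1) CreateMainFrame -> FrameLoader::Init -> MaybeLoadEmpty ->
  //     Document::FinishedParsing -> DispatchDidReceiveTitle
  client.DidReceiveTitle("main frame", "");  // empty document, empty title
  const int early = client.skipped_early();

  // (2) RenderViewCreated: test state becomes reachable from the client.
  client.BindView(&view);

  // A later title change, as a normal page load would produce (constructed).
  client.DidReceiveTitle("main frame", "hello");

  return InitResult{early, static_cast<int>(view.printed_lines.size())};
}

int main() {
  FrameTestClient client;
  TestRunnerView view;
  InitResult r = InitializeView(client, view);
  std::printf("early callbacks skipped: %d, lines printed: %d\n",
              r.early_callbacks, r.lines_printed);
  for (const std::string& line : view.printed_lines)
    std::printf("%s\n", line.c_str());
  return 0;
}
```

The guard is deliberately narrow: it drops only the callback that cannot be serviced yet, and the count of skipped early callbacks makes the ordering visible in a test, which is the kind of evidence a fuzzer-found null dereference in a test harness otherwise lacks.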
Nov 27 2017
Oh, I meant to note down some callstacks in the previous comment:

(1)
#2 test_runner::WebFrameTestClient::DidReceiveTitle()
#3 test_runner::WebFrameTestProxy<>::DidReceiveTitle()
#4 blink::LocalFrameClientImpl::DispatchDidReceiveTitle()
#5 blink::Document::DispatchDidReceiveTitle()
#6 blink::Document::FinishedParsing()
#7 blink::HTMLConstructionSite::FinishedParsing()
#8 blink::HTMLTreeBuilder::Finished()
#9 blink::HTMLDocumentParser::end()
#10 blink::HTMLDocumentParser::AttemptToRunDeferredScriptsAndEnd()
#11 blink::HTMLDocumentParser::PrepareToStopParsing()
#12 blink::HTMLDocumentParser::AttemptToEnd()
#13 blink::HTMLDocumentParser::Finish()
#14 blink::DocumentLoader::FinishedLoading()
#15 blink::DocumentLoader::MaybeLoadEmpty()
#16 blink::DocumentLoader::StartLoading()
#17 blink::FrameLoader::Init()
#18 blink::LocalFrame::Init()
#19 blink::WebLocalFrameImpl::InitializeCoreFrame()
#20 blink::WebLocalFrameImpl::CreateMainFrame()
#21 blink::WebLocalFrame::CreateMainFrame()
#22 content::RenderFrameImpl::CreateMainFrame()
#23 content::RenderViewImpl::Initialize()
#24 content::RenderViewImpl::Create()
#25 content::RenderViewImpl::CreateView()
...
#28 blink::ChromeClientImpl::CreateWindow()
#29 blink::CreateNewWindow()
#30 blink::CreateWindowHelper()
#31 blink::CreateWindow()
#32 blink::LocalDOMWindow::open()
...

(2)
#2 content::contentLayoutTestContentRendererClient::RenderViewCreated()
#3 content::RenderViewImpl::Initialize()
#4 content::RenderViewImpl::Create()
#5 content::RenderViewImpl::CreateView()
...
#8 blink::ChromeClientImpl::CreateWindow()
#9 blink::CreateNewWindow()
#10 blink::CreateWindowHelper()
#11 blink::CreateWindow()
#12 blink::LocalDOMWindow::open()
Nov 27 2017
This is a test-only issue - removing the RBB label. I have a WIP CL @ https://crrev.com/c/791535
Nov 29 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/39a10dcbd2aec4c052557005d23c44d8b079ef72

commit 39a10dcbd2aec4c052557005d23c44d8b079ef72
Author: Lukasz Anforowicz <lukasza@chromium.org>
Date: Wed Nov 29 00:20:23 2017

Skip parts of WebFrameTestClient::DidReceiveTitle if called too early.

Bug: 786692
Change-Id: I5e5d2aaef1b6e9abfc20a752df67a8eedb8a5c07
Reviewed-on: https://chromium-review.googlesource.com/791535
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/master@{#519923}

[modify] https://crrev.com/39a10dcbd2aec4c052557005d23c44d8b079ef72/content/shell/test_runner/web_frame_test_client.cc
Nov 29 2017
ClusterFuzz has detected this issue as fixed in range 519922:519923.

Detailed report: https://clusterfuzz.com/testcase?key=5441303814078464
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000080
Crash State:
  content::GetFrameNameForLayoutTests
  test_runner::PrintFrameDescription
  test_runner::WebFrameTestClient::DidReceiveTitle
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=514498:517698
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=519922:519923
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5441303814078464
Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 29 2017
ClusterFuzz testcase 5441303814078464 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Nov 18 2017