This is failing for L, M, and N

Asking for a CL bisect. aluo@, could you take a look or help assign this?

Will check to see if I can repro this locally first.

culprit cl: https://chromium-review.googlesource.com/852094

Still failing as of:
https://luci-milo.appspot.com/buildbot/chromium.android/Android%20WebView%20L%20%28dbg%29/14373

Revert was abandoned with reason "fix landed":
https://chromium-review.googlesource.com/c/chromium/src/+/990314

What was this fix? When was it landed?

The patch was on the verge to be reverted in this issue:
https://bugs.chromium.org/p/chromium/issues/detail?id=828062
which is different from this one.

I will revert the patch and try to quickly find a solution for this one.

One question, is there a way to run only this test?
I found I can use: "./android_webview/tools/run_cts.py --platform L" to run all the tests.

I can reproduce the issue. I confirm this test doesn't work with NavigationMojoResponse but works with it.
I made a revert here:
https://chromium-review.googlesource.com/c/chromium/src/+/992094

Here is a stacktrace:

```
__asan::AsanOnDeadlySignal(int, void*, void*) 80
InvokeUserSignalHandler 300
art::FaultManager::HandleFault(int, siginfo*, void*) 364
pthread_mutex_init 112
base::internal::LockImpl::Lock() 80
base::SequenceCheckerImpl::CalledOnValidSequence() const 24
base::SupportsUserData::GetUserData(void const*) const 48
content::ResourceRequestInfoImpl::ForRequest(net::URLRequest*) 16
content::ThrottlingURLLoader::OnReceiveResponse(network::ResourceResponseHead const&, mojo::InterfacePtr<network::mojom::DownloadedTempFile>) 484
mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) 752
mojo::FilterChain::Accept(mojo::Message*) 164
mojo::InterfaceEndpointClient::HandleIncomingMessage(mojo::Message*) 116
mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) 652
mojo::internal::MultiplexRouter::Accept(mojo::Message*) 304
mojo::FilterChain::Accept(mojo::Message*) 164
mojo::Connector::ReadSingleMessage(unsigned int*) 340
mojo::Connector::ReadAllAvailableMessages() 136
mojo::Connector::OnHandleReadyInternal(unsigned int) 140
mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) 220
base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) 144
base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) 124
base::MessageLoop::RunTask(base::PendingTask*) 276
base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) 128
base::MessageLoop::DoWork() 236
base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) 100
base::MessageLoop::Run(bool) 140
base::RunLoop::Run() 248
base::Thread::Run(base::RunLoop*) 180
content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*) 20
content::BrowserProcessSubThread::Run(base::RunLoop*) 192
base::Thread::ThreadMain() 632
```

FYI: To run only one test, I modified android/webview/tools/run_cts.py. 
I added line 90: test_runner_args += ['f','android.webkit.cts.WebViewTest#testSetDownloadListener'];

Probably you know this already, but in case not:

the stack is missing some frames, I suspect from looking at it that it's in 
https://cs.chromium.org/chromium/src/content/browser/loader/navigation_url_loader_network_service.cc?rcl=407b343701e164cc7d115403826ceee5231093dc&l=840

I wonder if the crash is because of a race condition causing url_request to be null
net::URLRequest* url_request = rdh->GetURLRequest(global_request_id_);

Yes, for some reason, the |url_request| is null. That's the issue.

At some point the request is removed in between OnReceiveResponse() is sent and when it is received.

```
content::ResourceDispatcherHostImpl::RemovePendingRequest(int, int)
content::ResourceDispatcherHostImpl::DidFinishLoading(content::ResourceLoader*)
content::ResourceLoader::CallDidFinishLoading()
content::ResourceLoader::Resume(bool)
content::ResourceLoader::StartRequest()
content::ResourceLoader::ResponseCompleted()
content::ResourceLoader::OnReadCompleted(net::URLRequest*, int)
base::BarrierClosure(int, base::OnceCallback<void ()>)
base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*)
base::internal::IncomingTaskQueue::RunTask(base::PendingTask*)
base::MessageLoop::RunTask(base::PendingTask*)
base::MessageLoop::DeferOrRunPendingTask(base::PendingTask)
base::MessageLoop::DoWork()
base::MessagePumpLibevent::Run(base::MessagePump::Delegate*)
base::MessageLoop::Run(bool)
base::RunLoop::Run()
base::Thread::Run(base::RunLoop*)
content::BrowserProcessSubThread::IOThreadRun(base::RunLoop*)
content::BrowserProcessSubThread::Run(base::RunLoop*)
base::Thread::ThreadMain()
base::PlatformThread::GetCurrentThreadPriority()
```


Strangely, and I am probably wrong, it looks like it doesn't come from the PostTask in ResourceLoader::ReadMore(). This is weird because I don't it is the only place where it is called from a PostTask().

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b1de19fafd15eca9ab03ce0a190050d2eae9782e

commit b1de19fafd15eca9ab03ce0a190050d2eae9782e
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Tue Apr 03 19:55:10 2018

Fix race condition in the navigation_url_loader.

The race condition happens when UrlLoader::OnReceiveResponse() is
received, but the request is canceled in the meantime. In this case, there
are no more request and we must abort the loading.

It fixes the Android test:
android.webkit.cts.WebViewTest#testSetDownloadListener
in the Android compatibility test suite (CTS).

Bug:  828156 
Change-Id: I6bd6c2e89ab055f05ddab51b5cddebf4ff93bb47
Reviewed-on: https://chromium-review.googlesource.com/993057
Commit-Queue: John Abd-El-Malek <jam@chromium.org>
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/heads/master@{#547798}
[modify] https://crrev.com/b1de19fafd15eca9ab03ce0a190050d2eae9782e/content/browser/loader/navigation_url_loader_network_service.cc

TPM: can we merge this before today's canary cut? This is a trivial null-check fix, thanks.

Requesting merge to M66, since the fix will unblock NavigationMojoResponse, which is targeting shipping in M66.

This bug requires manual review: We are only 13 days from stable.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Has this landed in Canary yet? We have M66 Beta cut today at 3pm. How critical is this change? 

Checking with jam@, this is a safe change. Approving merge to M66. Branch:3359 - we will verify this in canary and m66 tomorrow. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/787d0f7de629d38ec58e61744e63d5dc1778d30c

commit 787d0f7de629d38ec58e61744e63d5dc1778d30c
Author: arthursonzogni <arthursonzogni@chromium.org>
Date: Tue Apr 03 20:53:04 2018

Fix race condition in the navigation_url_loader. (M66 merge)

The race condition happens when UrlLoader::OnReceiveResponse() is
received, but the request is canceled in the meantime. In this case, there
are no more request and we must abort the loading.

It fixes the Android test:
android.webkit.cts.WebViewTest#testSetDownloadListener
in the Android compatibility test suite (CTS).

Bug:  828156 
Change-Id: I6bd6c2e89ab055f05ddab51b5cddebf4ff93bb47
Reviewed-on: https://chromium-review.googlesource.com/993615
Reviewed-by: John Abd-El-Malek <jam@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#563}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[modify] https://crrev.com/787d0f7de629d38ec58e61744e63d5dc1778d30c/content/browser/loader/navigation_url_loader_network_service.cc

Please add manual verifications if any so we can verify the fix

Test is passing now:

I  442.293s Main  FINISHED TRY #1/3
I  442.293s Main  All tests completed.
C  442.293s Main  ********************************************************************************
C  442.293s Main  Summary
C  442.293s Main  ********************************************************************************
C  442.294s Main  [==========] 186 tests ran.
C  442.294s Main  [  PASSED  ] 186 tests.
C  442.294s Main  ********************************************************************************

Logs:
https://logs.chromium.org/v/?s=chromium%2Fbb%2Fchromium.android%2FAndroid_WebView_L__dbg_%2F14391%2F%2B%2Frecipes%2Fsteps%2FRun_CTS%2F0%2Fstdout

Will run test on official builds when available.

Issue 828661 has been merged into this issue.

Issue 829291 has been merged into this issue.

Issue 831122 has been merged into this issue.