Null-dereference READ in blink::ProgressTracker::Reset
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5180704498122752
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  blink::ProgressTracker::Reset
  blink::ProgressTracker::ProgressStarted
  blink::FrameLoader::StartLoad
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=570001:570002
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5180704498122752

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jun 26 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c0327d09b6e4444caca64f3bd16ec0bd20034049 (Call Document::CheckCompleted() after CancelParsing..). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 26 2018
I minimized/cleaned the test case:
~~~
<script>
  function remove_iframe() {
    iframe.parentNode.removeChild(iframe);
  }
  function navigate_iframe() {
    iframe.src = "y";
  }
</script>
<body onload="remove_iframe()">
  <iframe id="iframe" src="x"></iframe>
  <style onload="navigate_iframe()"></style>
</body>
~~~
I am working on a fix. The issue is that the iframe is removed while the provisional DocumentLoader is being replaced by the new one.
Jun 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/4c7cbb60757a7ad3943d9464dab00b6d021c248c

commit 4c7cbb60757a7ad3943d9464dab00b6d021c248c
Author: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Wed Jun 27 14:12:25 2018

Fix frame being detached while replacing DocumentLoader.

When the FrameLoader starts a new load, it replaces the current provisional DocumentLoader with a new one. Removing the first one can leave the frame without any loading DocumentLoader and trigger the 'load' event, which can detach the frame.

The bug was caused by: https://chromium-review.googlesource.com/c/chromium/src/+/1107808 where the line checking whether the frame was detached or not was removed. It is now clear why this line was useful, so this CL adds it back.

Bug: 856396
Change-Id: I1bdeb47e546dbb1805659bc986d590e9900c51d1
Reviewed-on: https://chromium-review.googlesource.com/1114975
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570754}

[modify] https://crrev.com/4c7cbb60757a7ad3943d9464dab00b6d021c248c/content/browser/browser_side_navigation_browsertest.cc
[modify] https://crrev.com/4c7cbb60757a7ad3943d9464dab00b6d021c248c/third_party/blink/renderer/core/loader/frame_loader.cc
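The commit message above describes a lifetime hazard rather than a memory-safety bug in the usual sense: dropping the old provisional loader can fire 'load', a handler can detach the frame, and code that keeps using the frame afterwards dereferences null. The following is an added, self-contained C++ model of that pattern written for this page; it is not Blink's code and does not reproduce frame_loader.cc. The types `Frame`, `DocumentLoader`, `ProgressTracker`, the functions `StartLoadUnchecked` / `StartLoadChecked` and the `LoadResult` enum are all assumptions made for the example. The unchecked variant reports where the old code would have dereferenced null instead of crashing; the checked variant re-checks attachment after the step that can run script, which is the shape of the fix.

```cpp
// Added example, not Blink code: a small model of the hazard described in the
// commit message. All names here are constructed for this example.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Stand-in for blink::ProgressTracker: owned by the frame, gone once detached.
struct ProgressTracker {
  int starts = 0;
  void Reset() { starts = 0; }
  void ProgressStarted() { Reset(); ++starts; }
};

// Stand-in for a DocumentLoader: only the URL matters for the model.
struct DocumentLoader {
  std::string url;
};

struct Frame {
  bool attached = true;
  std::unique_ptr<ProgressTracker> progress = std::make_unique<ProgressTracker>();
  std::unique_ptr<DocumentLoader> provisional_loader;
  // Handlers run for the 'load' event; any of them may detach the frame.
  std::vector<std::function<void(Frame&)>> load_handlers;

  void Detach() {
    attached = false;
    provisional_loader.reset();
    progress.reset();  // the tracker does not outlive the frame
  }

  // Dropping the old provisional loader can leave the frame with nothing
  // loading, which fires 'load' before the new loader is installed.
  void ReplaceProvisionalLoader(std::unique_ptr<DocumentLoader> next) {
    provisional_loader.reset();
    auto handlers = load_handlers;  // copy: a handler may mutate the frame
    for (auto& handler : handlers) handler(*this);
    if (attached) provisional_loader = std::move(next);
  }
};

enum class LoadResult { kStarted, kAbortedFrameDetached, kWouldDereferenceNull };

// Shape of the code before the fix: nothing re-checks the frame between
// replacing the loader and touching the progress tracker. The model reports
// the null dereference instead of performing it.
LoadResult StartLoadUnchecked(Frame& frame, const std::string& url) {
  frame.ReplaceProvisionalLoader(std::make_unique<DocumentLoader>(DocumentLoader{url}));
  if (!frame.progress) return LoadResult::kWouldDereferenceNull;  // crash site
  frame.progress->ProgressStarted();
  return LoadResult::kStarted;
}

// Shape of the fix: re-check attachment after the step that can run script.
LoadResult StartLoadChecked(Frame& frame, const std::string& url) {
  frame.ReplaceProvisionalLoader(std::make_unique<DocumentLoader>(DocumentLoader{url}));
  if (!frame.attached) return LoadResult::kAbortedFrameDetached;
  frame.progress->ProgressStarted();
  return LoadResult::kStarted;
}

// Mirrors the minimized test case: a 'load' handler that removes the frame.
Frame MakeFrameWithDetachingLoadHandler() {
  Frame frame;
  frame.load_handlers.push_back([](Frame& f) { f.Detach(); });
  return frame;
}

LoadResult RunDetachingScenario(bool with_fix) {
  Frame frame = MakeFrameWithDetachingLoadHandler();
  return with_fix ? StartLoadChecked(frame, "y") : StartLoadUnchecked(frame, "y");
}

// A frame with no detaching handler: the load starts and the tracker counts it.
int StartsAfterNormalLoad() {
  Frame frame;
  if (StartLoadChecked(frame, "y") != LoadResult::kStarted) return -1;
  return frame.progress->starts;
}

int main() {
  std::printf("unchecked, detaching handler: %d\n", static_cast<int>(RunDetachingScenario(false)));
  std::printf("checked, detaching handler:   %d\n", static_cast<int>(RunDetachingScenario(true)));
  std::printf("normal load, starts counted:  %d\n", StartsAfterNormalLoad());
  return 0;
}
```

The point the model makes is the general one behind the fix: any operation that can run script or fire events is a re-entrancy point, and every object the caller continues to use after it must be re-validated, not assumed alive.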
Jun 28 2018
ClusterFuzz testcase 5658657585627136 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 28 2018
ClusterFuzz has detected this issue as fixed in range 570753:570754.

Detailed report: https://clusterfuzz.com/testcase?key=5180704498122752
Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000028
Crash State:
  blink::ProgressTracker::Reset
  blink::ProgressTracker::ProgressStarted
  blink::FrameLoader::StartLoad
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=570001:570002
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=570753:570754
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5180704498122752

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.