Null-dereference READ in FromDocumentLoader
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6214539532828672

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  FromDocumentLoader
  content::RenderFrameImpl::WillSubmitForm
  blink::LocalFrameClientImpl::DispatchWillSubmitForm

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=570001:570002

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6214539532828672

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jun 26 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c0327d09b6e4444caca64f3bd16ec0bd20034049 (Call Document::CheckCompleted() after CancelParsing..). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jun 27 2018
I cleaned the test case:
~~~html
<script>
function submit() {
  // Fires while the form submission is starting a new navigation.
  document.onreadystatechange = function() {
    window.stop();  // removes the provisional DocumentLoader mid-navigation
  };
  form.submit();
  video.pause();
}
</script>
<body>
<form id="form"> </form>
<!-- a details element parsed with `open` fires ontoggle, which starts the submission -->
<details ontoggle="submit()" open>
<video id="video">
</details>
</body>
~~~
I am working on a fix.
Jun 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b07a01f3a6e4a5d0c72cb393be010536daec4a4a

commit b07a01f3a6e4a5d0c72cb393be010536daec4a4a
Author: Arthur Sonzogni <arthursonzogni@chromium.org>
Date: Wed Jun 27 15:08:08 2018

FrameLoader: Fix crash window.stop() in onreadystatechange.

The bug was introduced in: https://chromium-review.googlesource.com/c/chromium/src/+/1107808

Soon after creating a new provisional DocumentLoader, the parser of the current DocumentLoader is canceled. It can cause document.onreadystatechange to fire. If window.stop() is called, it can remove the new provisional DocumentLoader.

This CL fixes the bug and adds a regression test.

Bug: 856759
Change-Id: Ifb39a75d04b250f0c97ebf07c5a9abf1f4631ff7
Reviewed-on: https://chromium-review.googlesource.com/1117038
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570774}

[add] https://crrev.com/b07a01f3a6e4a5d0c72cb393be010536daec4a4a/third_party/WebKit/LayoutTests/http/tests/navigation/form-submit-window-stop-in-onreadystatechange-expected.txt
[add] https://crrev.com/b07a01f3a6e4a5d0c72cb393be010536daec4a4a/third_party/WebKit/LayoutTests/http/tests/navigation/form-submit-window-stop-in-onreadystatechange.html
[modify] https://crrev.com/b07a01f3a6e4a5d0c72cb393be010536daec4a4a/third_party/blink/renderer/core/loader/frame_loader.cc
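The ordering hazard the commit message describes, as an added example that is not Chromium's code: a toy FrameLoader creates a provisional loader, cancelling the parser runs page script, and the script's window.stop() removes that loader before the navigation code reads through it. All class and function names (FrameLoader, DocumentLoader, CancelParsing, Stop, FromDocumentLoader) and the sample URL are hypothetical stand-ins; the buggy and hardened orderings sit side by side.

```cpp
// Added example, not Chromium code: a toy model of the re-entrancy hazard in the
// commit message. All class and function names are hypothetical stand-ins.
#include <functional>
#include <memory>
#include <stdexcept>
#include <string>

struct DocumentLoader { std::string url; };

// Reads through the loader it is handed; a null loader is the fuzzer's
// Null-dereference READ, modelled here as an exception instead of UB.
std::string FromDocumentLoader(const DocumentLoader* loader) {
  if (!loader) throw std::logic_error("Null-dereference READ");
  return loader->url;
}

struct FrameLoader {
  std::unique_ptr<DocumentLoader> provisional;              // pending navigation
  std::function<void(FrameLoader&)> on_ready_state_change;  // page script hook

  void Stop() { provisional.reset(); }  // window.stop(): drop the provisional loader
  // Cancelling the current document's parser fires onreadystatechange, which is
  // arbitrary page script and may call Stop().
  void CancelParsing() { if (on_ready_state_change) on_ready_state_change(*this); }

  // Buggy ordering: run script, then use the loader without re-checking it.
  std::string StartNavigationBuggy(const std::string& url) {
    provisional = std::make_unique<DocumentLoader>(DocumentLoader{url});
    CancelParsing();
    return FromDocumentLoader(provisional.get());  // null when Stop() ran
  }
  // Hardened ordering: after any call that can run script, re-check the state it
  // may have invalidated and abandon the navigation cleanly.
  std::string StartNavigationFixed(const std::string& url) {
    provisional = std::make_unique<DocumentLoader>(DocumentLoader{url});
    CancelParsing();
    if (!provisional) return "cancelled";  // script stopped the navigation
    return FromDocumentLoader(provisional.get());
  }
};

// The test case's pattern: window.stop() runs from onreadystatechange while a
// form submission starts. Returns the navigated URL, "cancelled" or crash text.
std::string Navigate(bool fixed, bool script_calls_stop) {
  FrameLoader f;
  if (script_calls_stop) f.on_ready_state_change = [](FrameLoader& l) { l.Stop(); };
  const std::string url = "https://example.test/submit";  // constructed sample
  try {
    return fixed ? f.StartNavigationFixed(url) : f.StartNavigationBuggy(url);
  } catch (const std::logic_error& e) { return e.what(); }
}
```

The general lesson is the one the fix applies: any pointer held across a call that can run page script must be re-validated afterwards, because the script may have torn down the object.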
Jun 27 2018
Jun 28 2018
ClusterFuzz has detected this issue as fixed in range 570773:570774.

Detailed report: https://clusterfuzz.com/testcase?key=6214539532828672

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  FromDocumentLoader
  content::RenderFrameImpl::WillSubmitForm
  blink::LocalFrameClientImpl::DispatchWillSubmitForm

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=570001:570002
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=570773:570774

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6214539532828672

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 28 2018
ClusterFuzz testcase 6214539532828672 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jun 26 2018
Labels: Test-Predator-Auto-Components