
Issue 863698

Issue metadata

Status: Fixed
Owner:
Closed: Aug 14
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Null-dereference READ in blink::DedicatedWorker::CreateBeginFrameProviderParams

Reported by ClusterFuzz (Project Member), Jul 14

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4629746697371648

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::DedicatedWorker::CreateBeginFrameProviderParams
  blink::DedicatedWorker::CreateGlobalScopeCreationParams
  blink::DedicatedWorker::OnFinished
Sanitizer: undefined (UBSAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4629746697371648

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Cc: kkaluri@chromium.org
Components: Blink
Labels: M-68 Test-Predator-Wrong
Owner: fs...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "dedicated_worker.cc", I suspect the CL below might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/290fa6c74fa7e70c9d3aabdf57cb8dedf8e09b88

fserb@: Could you please look into this issue?

Thanks!
Components: -Blink Blink>Workers
Status: Started (was: Assigned)

Comment 4 by bugdroid1@chromium.org (Project Member), Jul 17

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9ba7eb692e7660a5fd9b821922a71a762304572d

commit 9ba7eb692e7660a5fd9b821922a71a762304572d
Author: Fernando Serboncini <fserb@chromium.org>
Date: Tue Jul 17 20:49:35 2018

Check tree view is ready when creating DedicatedWorker

This is needed to get frame sink ids for DedicatedWorkers' RAF.

Bug: 863698
Change-Id: I0bd86ac9271d3f00ee5cb00522896ff152ef7bb6
Reviewed-on: https://chromium-review.googlesource.com/1140278
Reviewed-by: Justin Novosad <junov@chromium.org>
Commit-Queue: Fernando Serboncini <fserb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#575762}
[modify] https://crrev.com/9ba7eb692e7660a5fd9b821922a71a762304572d/third_party/blink/renderer/core/workers/dedicated_worker.cc

Status: Fixed (was: Started)

Comment 6 by ClusterFuzz (Project Member), Jul 18

ClusterFuzz has detected this issue as fixed in range 575761:575762.

Detailed report: https://clusterfuzz.com/testcase?key=4629746697371648

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::DedicatedWorker::CreateBeginFrameProviderParams
  blink::DedicatedWorker::CreateGlobalScopeCreationParams
  blink::DedicatedWorker::OnFinished
Sanitizer: undefined (UBSAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=575761:575762

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4629746697371648

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by ClusterFuzz (Project Member), Jul 18

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4629746697371648 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Issue 864966 has been merged into this issue.
Cc: pnangunoori@chromium.org
Labels: FoundIn-68 Target-68
Just to update the latest behavior of this issue in the latest channels:

Updating details of Magic Signature blink::DedicatedWorker::CreateBeginFrameProviderParams here, as Issue 864966 is duped into this issue in C#8.

Still seeing 43 crashes from 6 clients so far on latest beta (68.0.3440.70) on Android OS. This crash is ranked #28 in 'Renderer' beta crashes.

Version         Share    Crashes - Channel
68.0.3440.85    0.51%    2 - Stable
68.0.3440.70    79.08%   310 - Beta & previous stable

So far crashes are not observed on latest Dev and Canary.

Link to the list of builds:
-------------------------
https://crash.corp.google.com/browse?q=product_name%3D%27Chrome_Android%27+AND+expanded_custom_data.ChromeCrashProto.channel%3D%27beta%27+AND+expanded_custom_data.ChromeCrashProto.ptype%3D%27renderer%27+AND+expanded_custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ADedicatedWorker%3A%3ACreateBeginFrameProviderParams%27

Thanks!
Issue 873040 has been merged into this issue.
fserb@: Can we merge the fix into M68? It looks like the number of crashes that have a different magic signature but maybe the same root cause is getting bigger:

https://crash.corp.google.com/browse?q=STARTS_WITH(product.name%2C%20%27Chrome%27)%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27blink%3A%3ADedicatedWorker%3A%3ACreateGlobalScopeCreationParams%27
Labels: Merge-Request-68
Status: Started (was: Verified)
Are we still doing those? If so, it's a simple change and we could merge.
Cc: abdulsyed@chromium.org
Status: Fixed (was: Started)
It seems we are getting around 100 crashes/day, which in the big scheme of the universe doesn't mean much.
We don't have a new M68 release planned. I'll close this for now, and reopen if we come up with a new release.