Null-dereference READ in v8::Function::GetScriptOrigin
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6242625697611776
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::Function::GetScriptOrigin
  blink::AdTracker::Will
  blink::probe::CallFunction::CallFunction
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=545879:545880
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6242625697611776

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Sep 20
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/279708b3c8ed5b6d9b4ed452072458cb0f9047d0 ([LayoutTests] Replace multiple dump responses with one callback/struct.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Sep 20
This doesn't look related to layout tests specifically. I'm not really sure what the correct action is here. -> adamk for triage

Sep 20
This appears to be calling GetScriptOrigin on a null Local<Function> handle. Glancing at the repro (and the fact that it calls gc()), this looks like a bindings/Oilpan bug, where somehow the passed-in function is null.

Sep 21
Unable to find the actual suspect through code search, and also observing no CLs under the regression range, hence adding the appropriate label and requesting someone from the Dev team to look into this issue. Thanks!

Sep 21
I found the cause and now I'm writing a fix.

Sep 21
A fix patch is now under review. https://chromium-review.googlesource.com/c/chromium/src/+/1237839

Sep 22
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/60cb383104586711e93c84a8b6ac804050e85270

commit 60cb383104586711e93c84a8b6ac804050e85270
Author: Yuki Shiino <yukishiino@chromium.org>
Date:   Sat Sep 22 02:28:46 2018

    v8binding: Do not invoke FrameRequestCallback when iframe is detached.

    Crash issue 887661 is happening because an iframe is detached, but the
    iframe is still invoking FrameRequestCallback without performing
    wrapper-tracing. In the repro case, callback function's realm = the
    parent's one, and the incumbent realm = the parent's one, however, the
    callback is registered on the iframe that will be detached. Thus, any
    check against callback function's realm and the incumbent realm does
    not work well in this case.

    This patch fixes the crash issue by checking the execution context on
    the call sites.

    Bug: 887661
    Change-Id: I1fa784add95424c9ff2c2b27ed3d2edbb920068e
    Reviewed-on: https://chromium-review.googlesource.com/1237839
    Reviewed-by: Hitoshi Yoshida <peria@chromium.org>
    Reviewed-by: Kentaro Hara <haraken@chromium.org>
    Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#593417}

[modify] https://crrev.com/60cb383104586711e93c84a8b6ac804050e85270/third_party/blink/renderer/core/dom/frame_request_callback_collection.cc
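The guard the commit message describes (checking the execution context at the call site before a FrameRequestCallback is invoked), modelled as an added C++ example. This is not Blink's code: ExecutionContext, Frame and FrameRequestCallbackCollection below are simplified stand-ins (assumptions), and a cleared function pointer stands in for the null v8::Local<Function> that the crash state shows reaching v8::Function::GetScriptOrigin.

```cpp
#include <functional>
#include <vector>

// Stand-in for Blink's ExecutionContext (assumption, not Blink code).
// A detached iframe's document has its context destroyed.
struct ExecutionContext {
  bool destroyed = false;
  bool IsContextDestroyed() const { return destroyed; }
};

// Stand-in for a JS callback. A null pointer models a v8::Local<Function>
// that was cleared because nothing traced the wrapper after detachment.
using JsFunction = std::function<void(double)>;

struct FrameCallback {
  ExecutionContext* context;   // context of the frame it was registered on
  const JsFunction* function;  // nullptr == cleared handle
};

class FrameRequestCallbackCollection {
 public:
  void RegisterCallback(ExecutionContext* ctx, const JsFunction* fn) {
    callbacks_.push_back({ctx, fn});
  }

  // Models the loss of wrapper tracing on detachment: handles are cleared.
  void ClearFunctionHandles() {
    for (FrameCallback& cb : callbacks_) cb.function = nullptr;
  }

  // Models the pre-fix loop, which never consulted the execution context:
  // returns true if it would dereference a cleared (null) handle.
  bool WouldDereferenceNullWithoutGuard() const {
    for (const FrameCallback& cb : callbacks_)
      if (!cb.function) return true;
    return false;
  }

  // The fixed loop: check the execution context at the call site and skip
  // callbacks belonging to a detached frame. Returns the number invoked.
  int ExecuteCallbacks(double high_res_now_ms) {
    std::vector<FrameCallback> running;
    running.swap(callbacks_);  // rAF callbacks are one-shot
    int invoked = 0;
    for (const FrameCallback& cb : running) {
      if (cb.context->IsContextDestroyed()) continue;  // the fix
      if (!cb.function) continue;  // never dereference a null handle
      (*cb.function)(high_res_now_ms);
      ++invoked;
    }
    return invoked;
  }

 private:
  std::vector<FrameCallback> callbacks_;
};

// Stand-in for a frame owning a document and its callback collection.
struct Frame {
  ExecutionContext context;
  FrameRequestCallbackCollection callbacks;
  void Detach() {
    context.destroyed = true;
    callbacks.ClearFunctionHandles();
  }
};

struct ScenarioResult {
  bool iframe_would_crash_unguarded = false;
  int iframe_invoked = 0;
  int parent_invoked = 0;
  int parent_fn_calls = 0;
};

// Replays the timeline from the commit message: one function from the
// parent's realm is registered on both the parent and the iframe, the
// iframe is detached, then the frame fires for both collections.
ScenarioResult RunDetachedIframeScenario() {
  int parent_fn_calls = 0;
  JsFunction parent_fn = [&parent_fn_calls](double) { ++parent_fn_calls; };

  Frame parent, iframe;
  parent.callbacks.RegisterCallback(&parent.context, &parent_fn);
  iframe.callbacks.RegisterCallback(&iframe.context, &parent_fn);

  iframe.Detach();

  ScenarioResult r;
  r.iframe_would_crash_unguarded =
      iframe.callbacks.WouldDereferenceNullWithoutGuard();
  r.iframe_invoked = iframe.callbacks.ExecuteCallbacks(16.7);  // 0
  r.parent_invoked = parent.callbacks.ExecuteCallbacks(16.7);  // 1
  r.parent_fn_calls = parent_fn_calls;
  return r;
}
```

The point of the scenario is the one the commit message makes: comparing the callback's realm with the incumbent realm cannot distinguish the two registrations, since both are the parent's, so the only reliable discriminator at the call site is the state of the execution context the callback was registered on.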

Sep 22
ClusterFuzz has detected this issue as fixed in range 593416:593417.

Detailed report: https://clusterfuzz.com/testcase?key=6242625697611776
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::Function::GetScriptOrigin
  blink::AdTracker::Will
  blink::probe::CallFunction::CallFunction
Sanitizer: memory (MSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=545879:545880
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=593416:593417
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6242625697611776

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 22
ClusterFuzz testcase 6242625697611776 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ClusterFuzz, Sep 20
Labels: Test-Predator-Auto-Components