CHECK failure: !Allocator::IsObjectResurrectionForbidden() in vector.h
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6309296688857088
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !Allocator::IsObjectResurrectionForbidden() in vector.h
  void WTF::Vector<blink::Member<blink::Event>, 0u, blink::HeapAllocator>::AppendS
  blink::MediaStream::ScheduleDispatchEvent
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=589183:589185
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6309296688857088

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 29
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 29
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/62898a131761fbeeac3f2b2f7c2c0512f7ca14a9 (Enable Unprefixed Fullscreen API by default.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Oct 29
I don't believe my change was the cause here. There is no fullscreen entering in the test case. Add Blink>Internals>WTF; perhaps this is a duplicate of an already known issue?
Oct 30
Unable to find the actual suspect through code search, and also observing no CLs in the regression range, hence adding the appropriate label and requesting someone from the Dev team to look into this issue. Thanks!
Oct 30
This is definitely media related.
- Oilpan GC runs prefinalizer, which calls MediaStreamComponent::Dispose()
- content::MediaStreamSource::FinalizeStopSource() is called
- blink::MediaStreamSource::SetReadyState(blink::MediaStreamSource::ReadyState) is called
- Then blink::MediaStream::ScheduleDispatchEvent(blink::Event*) is called
- The function expands a HeapVector<Member<Event>>, which is disallowed during Oilpan GC
Oct 30
I'll take a look. Is it really a P1?
Oct 31
Nov 8
Nov 9
ClusterFuzz has detected this issue as fixed in range 606567:606568.

Detailed report: https://clusterfuzz.com/testcase?key=6309296688857088
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !Allocator::IsObjectResurrectionForbidden() in vector.h
  void WTF::Vector<blink::Member<blink::Event>, 0u, blink::HeapAllocator>::AppendS
  blink::MediaStream::ScheduleDispatchEvent
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=589183:589185
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=606567:606568
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6309296688857088

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 9
This is not fixed, but I'm working on a fix.
Nov 9
ClusterFuzz testcase 6309296688857088 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 9
Nov 9
Nov 16
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a0f627ca3ea6ffc4894ff9eb603825e1c07d2d64

commit a0f627ca3ea6ffc4894ff9eb603825e1c07d2d64
Author: Guido Urdaneta <guidou@chromium.org>
Date: Fri Nov 16 12:51:38 2018

Prevent garbage collection of MediaStream objects with pending events.

This fixes a clusterfuzz crash that is hard to reproduce in test environments.

Bug: 899575
Change-Id: Ic901c580769ab539850d97360e28727078033e56
Reviewed-on: https://chromium-review.googlesource.com/c/1338084
Commit-Queue: Guido Urdaneta <guidou@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#608745}

[modify] https://crrev.com/a0f627ca3ea6ffc4894ff9eb603825e1c07d2d64/third_party/blink/renderer/modules/mediastream/media_stream.cc
[modify] https://crrev.com/a0f627ca3ea6ffc4894ff9eb603825e1c07d2d64/third_party/blink/renderer/modules/mediastream/media_stream.h
[modify] https://crrev.com/a0f627ca3ea6ffc4894ff9eb603825e1c07d2d64/third_party/blink/renderer/modules/mediastream/media_stream.idl
Nov 16
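The failure chain in the Oct 30 comment (prefinalizer → Dispose() → ... → ScheduleDispatchEvent() → HeapVector growth while resurrection is forbidden) and the keep-alive idea in the commit title above, as an added toy model. This is not Oilpan, Blink, or the actual fix: the GC, the "pending activity" root, the component-to-stream callback, and the CHECK (modelled as a thrown std::logic_error) are all assumptions made here to show the mechanism in runnable form.

```cpp
// Toy tracing GC with prefinalizers: why a prefinalizer must not grow a heap
// collection (the CHECK in the report, modelled as a thrown exception), and how
// keeping an object with pending events alive avoids it. Not Oilpan or Blink code.
#include <memory>
#include <stdexcept>
#include <utility>
#include <vector>

struct GcObject {
  bool marked = false;
  virtual ~GcObject() {}
  virtual void Trace(std::vector<GcObject*>&) {}
  virtual void Prefinalize() {}
  virtual bool HasPendingActivity() const { return false; }
};

struct Heap {
  static bool resurrection_forbidden;        // true while prefinalizers run
  bool keep_pending_activity_alive = false;  // the modelled fix, off by default
  std::vector<std::unique_ptr<GcObject>> objects;
  std::vector<GcObject*> roots;
  template <typename T, typename... Args>
  T* New(Args&&... args) {
    objects.push_back(std::make_unique<T>(std::forward<Args>(args)...));
    return static_cast<T*>(objects.back().get());
  }
  void Collect();
};
bool Heap::resurrection_forbidden = false;
// Growable collection of traced pointers. Growing it while prefinalizers run
// would store a fresh reference to an object that is about to be swept.
template <typename T>
struct HeapVector {
  std::vector<T*> items;
  void push_back(T* v) {
    if (Heap::resurrection_forbidden) throw std::logic_error("append during prefinalization");
    items.push_back(v);
  }
  void Trace(std::vector<GcObject*>& w) const { for (T* i : items) w.push_back(i); }
};

struct Event : GcObject {};
struct MediaStream;
struct MediaStreamComponent : GcObject {
  MediaStream* owner;
  Event* ended_event;  // notification delivered when the component stops
  MediaStreamComponent(MediaStream* o, Event* e) : owner(o), ended_event(e) {}
  void Trace(std::vector<GcObject*>& w) override;
  void Prefinalize() override;  // stands in for Dispose() -> ... -> ScheduleDispatchEvent()
};

struct MediaStream : GcObject {
  HeapVector<Event> scheduled_events;  // waiting for the dispatch timer
  HeapVector<MediaStreamComponent> components;
  void ScheduleDispatchEvent(Event* e) { scheduled_events.push_back(e); }
  bool HasPendingActivity() const override { return !scheduled_events.items.empty(); }
  void Trace(std::vector<GcObject*>& w) override { scheduled_events.Trace(w); components.Trace(w); }
};
void MediaStreamComponent::Trace(std::vector<GcObject*>& w) { w.push_back(owner); w.push_back(ended_event); }
void MediaStreamComponent::Prefinalize() { owner->ScheduleDispatchEvent(ended_event); }

void Heap::Collect() {
  std::vector<GcObject*> worklist(roots);
  if (keep_pending_activity_alive)  // objects with queued events act as extra roots
    for (auto& obj : objects)
      if (obj->HasPendingActivity()) worklist.push_back(obj.get());
  while (!worklist.empty()) {
    GcObject* obj = worklist.back(); worklist.pop_back();
    if (obj->marked) continue;
    obj->marked = true; obj->Trace(worklist);
  }
  resurrection_forbidden = true;  // dead objects are prefinalized before sweeping
  try {
    for (auto& obj : objects) if (!obj->marked) obj->Prefinalize();
  } catch (...) { resurrection_forbidden = false; throw; }
  resurrection_forbidden = false;
  std::vector<std::unique_ptr<GcObject>> survivors;
  for (auto& obj : objects)
    if (obj->marked) { obj->marked = false; survivors.push_back(std::move(obj)); }
  objects.swap(survivors);
}

// A stream with a queued event becomes unreachable before its dispatch timer
// fires. Returns true when the modelled CHECK fires during collection.
bool CheckFires(bool keep_streams_with_pending_events_alive) {
  Heap heap;
  heap.keep_pending_activity_alive = keep_streams_with_pending_events_alive;
  MediaStream* stream = heap.New<MediaStream>();
  Event* ended = heap.New<Event>();
  stream->components.push_back(heap.New<MediaStreamComponent>(stream, ended));
  stream->ScheduleDispatchEvent(heap.New<Event>());
  heap.roots.clear();  // script dropped its last reference to the stream
  try { heap.Collect(); } catch (const std::logic_error&) { return true; }
  return false;
}
```

CheckFires(false) reproduces the reported shape: the stream and its component are both dead, the component's prefinalizer calls back into the stream, and the append trips the guard. CheckFires(true) treats a stream with queued events as a root, so the component stays reachable and no prefinalizer runs on it. The review question this model leaves you with is the general one: anything called from a prefinalizer must not store into Member or HeapVector fields of other heap objects, because those objects may be in the same unswept state.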