ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5756848992681984.

Thanks for the report! Marking this high severity and passing along to PictureInPicture experts.

Can you reproduce this, and let me know if PiP is enabled by default, and whether all of the select OS's enable PiP by default?

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=5672042044850176.

Testcase 5756848992681984 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5756848992681984.

Testcase 5672042044850176 failed to reproduce the crash. Please inspect the program output at https://clusterfuzz.com/testcase?key=5672042044850176.

I think I've found the root issue. element->GetWebMediaPlayer() is NULL at

 element->GetWebMediaPlayer()->RegisterPictureInPictureWindowResizeCallback(
      WTF::BindRepeating(&PictureInPictureWindow::OnResize,
                         WrapPersistent(picture_in_picture_window_.Get())));

See https://chromium-review.googlesource.com/c/chromium/src/+/1068066/6/third_party/blink/renderer/modules/picture_in_picture/picture_in_picture_controller_impl.cc

We could either fix it now by simply calling RegisterPictureInPictureWindowResizeCallback if GetWebMediaPlayer() is valid. Or we can wait for https://chromium-review.googlesource.com/c/chromium/src/+/1379049 to land.

What do you think Mounir?

Here's the WIP CL at https://chromium-review.googlesource.com/c/chromium/src/+/1397640 if you want to have a look.

fbeaufort, ClusterFuzz can't repro the issue. Can you repro this on trunk and other channels? If the issue is actually live, it may be better to land a fix so it can easily be merged to branches. My change will be way too large to be merged.

I can repro on trunk and stable.

1. Go to https://googlechrome.github.io/samples/picture-in-picture/
2. Open DevTools and run `video.onenterpictureinpicture = _ => { video.load(); }`
3. Click "Toggle Picture-in-Picture" button
4. Enjoy tab crashing!

If you can review CL at https://chromium-review.googlesource.com/c/chromium/src/+/1397640, I'll push and ask for merge.

Is this a NULL pointer dereference? Or a use after free? If it is just a NULL pointer dereference, we can remove the security restrictions and you don't have to do any merging to previous branches.

AFAICT, this is a NULL pointer dereference. The fix is a null-check.

Got it, thanks!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b3247680c5f16170a20ce0c01392285fcbb1a4cb

commit b3247680c5f16170a20ce0c01392285fcbb1a4cb
Author: François Beaufort <beaufort.francois@gmail.com>
Date: Wed Jan 09 20:09:16 2019

Fix Picture-in-Picture crash

Bug:  917890 
Change-Id: Iee449a69d5208e1640492659e179506bbdcc2193
Reviewed-on: https://chromium-review.googlesource.com/c/1397640
Reviewed-by: Mounir Lamouri <mlamouri@chromium.org>
Commit-Queue: François Beaufort <beaufort.francois@gmail.com>
Cr-Commit-Position: refs/heads/master@{#621283}
[modify] https://crrev.com/b3247680c5f16170a20ce0c01392285fcbb1a4cb/third_party/blink/renderer/modules/picture_in_picture/picture_in_picture_controller_impl.cc
[add] https://crrev.com/b3247680c5f16170a20ce0c01392285fcbb1a4cb/third_party/blink/web_tests/media/picture-in-picture/clear-after-pip.html

Fixed and verified in Chrome Canary 73.0.3667.0 for macOS