Fix viz hit testing clusterfuzz issue

Because the hit test query fuzzer generates hit test flags and async hit
test reasons independently, it sometimes triggers a DCHECK that verifies
correct reasons have been set when there is an asynchronous hit testing
being performed.

This CL fixes it by generating non-kNotAsycnHitTest reasons only when
the fuzz flags contain kHitTestAsk.

Bug: 905463
Change-Id: Ibf73d7138951af93b7fe2029242d6e062ff1a11d
Reviewed-on: https://chromium-review.googlesource.com/c/1338139Reviewed-by: Ria Jiang <riajiang@chromium.org>
Commit-Queue: Xianda Sun <sunxd@chromium.org>
Cr-Commit-Position: refs/heads/master@{#608447}

components/viz/host/hit_test/hit_test_query_fuzzer.cc

@@ -26,7 +26,11 @@ void AddHitTestRegion(base::FuzzedDataProvider* fuzz,
     return;
   viz::FrameSinkId frame_sink_id(GetNextUInt32(fuzz), GetNextUInt32(fuzz));
   uint32_t flags = GetNextUInt32(fuzz);
-  uint32_t reasons = GetNextUInt32(fuzz);
+  // The reasons' value is kNotAsyncHitTest if the flag's value is kHitTestAsk.
+  uint32_t reasons =
+      (flags | viz::HitTestRegionFlags::kHitTestAsk)
+          ? fuzz->ConsumeUint32InRange(1, std::numeric_limits<uint32_t>::max())
+          : viz::AsyncHitTestReasons::kNotAsyncHitTest;
   gfx::Rect rect(fuzz->ConsumeUint8(), fuzz->ConsumeUint8(),
                  fuzz->ConsumeUint16(), fuzz->ConsumeUint16());
   int32_t child_count =