Issue metadata
Use-of-uninitialized-value in blink::CSSParserToken::operator==
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5251704041242624
Fuzzer: attekett_dom_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::CSSParserToken::operator==
  blink::CSSVariableData::operator==
  blink::StyleVariableData::operator==
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv949W_liFzSRmWd_ngcYT-uXP0AylUABnMVxP2BYxWevqPAbspfa5fiwQiX5vOEN3qjQwtBhwfBganKg8LnMojAwYggo6xNiH7YeeuRNrQlPTaXhSeSJ5gIdwgRRx4X8Gi_vaFss7cZ_yQP_4E2QAN3S_Z8vmzjmwdE6_xZ5bJ5_ORQFVo0
Filer: aarya
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 1 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=5383366632800256
Mar 1 2016
Mar 1 2016
leviw@, could you take a look at this issue? Please feel free to reassign. Thanks!
Mar 2 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5383366632800256
Uploader: jialiul@chromium.org
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::CSSParserToken::operator==
  blink::CSSVariableData::operator==
  blink::StyleVariableData::operator==
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=365815:365828
Minimized Testcase (0.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZmQHmQRSkKcwiochwwJ2hJYbveG4cSdZDla4cgiO0ipOqDMe-fDpXaCA--dvqOQEolvIvIjJLGdn8e-gsgZ5YgvfsCWffIKYzVME10KhKoKIqZGcqo8KNYlP5Atznff5jQDDPJQ4PPN50Cdr91V7D6jFPFw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 2 2016
To Tim to route.
Mar 2 2016
Our bots picked up on this too (see bug 591092).
Mar 2 2016
I think this was introduced by https://codereview.chromium.org/1537523003 although I'm not sure why it only actually showed up now. Doesn't seem like this has a real security impact, at worst we're doing a style recalc based on whether two uninitialized values are equal.
Mar 2 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5251704041242624
Fuzzer: attekett_dom_fuzzer
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::CSSParserToken::operator==
  blink::CSSVariableData::operator==
  blink::StyleVariableData::operator==
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=365815:365828
Minimized Testcase (0.28 Kb): https://cluster-fuzz.appspot.com/download/AMIfv968ESuNIXJwTtdRdOmxxGpkbq1G8py47-1Ug0szZ38xZF7p0Dqk7OjY3UBOZ48tnTK6C4_X70cErLQ65L_VGHlKIldsvqTAK3m-wXx8Vihz1aE8wBEJCSKBONi9pMQ0vSSLCXRaxqskMIQnnAthbe9UA79czA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 3 2016
Mar 10 2016
Mar 23 2016
timloh@: Uh oh! This issue is still open and hasn't been updated in the last 21 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking? If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner. If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!). These nags can be disabled by adding a 'WIP' label and an optional codereview link. - Your friendly ClusterFuzz
Apr 14 2016
timloh@: Uh oh! This issue is still open and hasn't been updated in the last 42 days. Since this is a serious security vulnerability, we want to make sure progress is happening. Can you update the bug with current status, and what, if anything, is blocking? If you are not the right Owner for this bug, please find someone else to own it as soon as possible and remove yourself as Owner. If the issue is already fixed or you are unable to reproduce it, please close the bug. (And thanks for fixing the bug!). These nags can be disabled by adding a 'WIP' label and an optional codereview link. - Your friendly ClusterFuzz
Apr 14 2016
Apr 21 2016
timloh: Uh oh! This issue is still open and hasn't been updated in the last 50 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 29 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/b59bf7c191bc204ceb046c2743246ff45a8798f6

commit b59bf7c191bc204ceb046c2743246ff45a8798f6
Author: timloh <timloh@chromium.org>
Date: Fri Apr 29 05:02:17 2016

Fix CSSParserToken::operator== for NumberTokens

This patch fixes equality for CSSParserToken to not compare the dimension values when comparing NumberTokens. These are only valid for DimensionTokens. We also now compare whether tokens were specified with a sign (+/-/nothing) for dimensions and percentages. Since the operator== function is fairly large, it is also moved from the header file to the .cpp file.

BUG=590801
Review-Url: https://codereview.chromium.org/1905163003
Cr-Commit-Position: refs/heads/master@{#390593}

[modify] https://crrev.com/b59bf7c191bc204ceb046c2743246ff45a8798f6/third_party/WebKit/LayoutTests/fast/css/variables/multiple-writes-to-inline-style.html
[modify] https://crrev.com/b59bf7c191bc204ceb046c2743246ff45a8798f6/third_party/WebKit/Source/core/css/parser/CSSParserToken.cpp
[modify] https://crrev.com/b59bf7c191bc204ceb046c2743246ff45a8798f6/third_party/WebKit/Source/core/css/parser/CSSParserToken.h
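The defect class the commit message describes, as an added example written for this page and not Blink's own code: a tagged token type whose equality operator read a unit field that only Dimension tokens ever define, beside a comparison restricted to the fields each token kind owns and including the sign for percentages and dimensions. Every name here (Token, TokenType, NumericSign, unitType, the make* helpers) is a hypothetical stand-in for the real CSSParserToken members, and the "leftover" values that model indeterminate stack memory are constructed.

```cpp
// Added example, not Blink code. Models the operator== defect fixed in
// b59bf7c191bc and the shape of the corrected comparison. All names are
// hypothetical stand-ins for CSSParserToken's real members.
#include <cstdio>

enum class TokenType { Number, Percentage, Dimension };
// Whether the source text carried an explicit '+' or '-' before the digits.
enum class NumericSign { NoSign, PlusSign, MinusSign };

struct Token {
    TokenType type;
    double value;
    NumericSign sign;
    // Meaningful only for Dimension tokens. A tokenizer building a Number or
    // Percentage token never writes it, so in the real bug it held whatever the
    // stack slot contained. The helpers below take a caller-supplied "leftover"
    // value instead, so the demonstration is deterministic: actually reading
    // indeterminate memory is undefined behaviour, and MSan (not a unit test)
    // is the tool that catches that.
    unsigned unitType;
};

Token makeNumber(double value, NumericSign sign, unsigned leftoverUnit) {
    return Token{TokenType::Number, value, sign, leftoverUnit};
}
Token makePercentage(double value, NumericSign sign, unsigned leftoverUnit) {
    return Token{TokenType::Percentage, value, sign, leftoverUnit};
}
Token makeDimension(double value, NumericSign sign, unsigned unitType) {
    return Token{TokenType::Dimension, value, sign, unitType};
}

// The defect: one comparison for every numeric kind, so the unit field is read
// for Number tokens that never defined it. Two identical declarations can then
// compare equal or unequal depending on stack garbage, and the style system
// decides whether to recalc based on that answer.
bool equalBuggy(const Token& a, const Token& b) {
    if (a.type != b.type)
        return false;
    return a.value == b.value && a.unitType == b.unitType;
}

// The fix: compare only the fields a token kind actually defines, and include
// the sign for percentages and dimensions as the commit message describes.
bool equalFixed(const Token& a, const Token& b) {
    if (a.type != b.type)
        return false;
    switch (a.type) {
    case TokenType::Number:
        return a.value == b.value;
    case TokenType::Percentage:
        return a.value == b.value && a.sign == b.sign;
    case TokenType::Dimension:
        return a.value == b.value && a.sign == b.sign && a.unitType == b.unitType;
    }
    return false;
}

// Scenario: the same custom-property value "5" tokenized twice, landing on
// stack slots that held different leftover bytes (constructed values 7 and 9).
bool numberTokensCompareEqualDespiteLeftover(bool useFixed) {
    Token first = makeNumber(5.0, NumericSign::NoSign, 7);
    Token second = makeNumber(5.0, NumericSign::NoSign, 9);
    return useFixed ? equalFixed(first, second) : equalBuggy(first, second);
}

// Scenario from the second half of the fix: "+5px" and "5px" are distinct tokens.
bool signedDimensionsCompareEqual(bool useFixed) {
    const unsigned kPx = 1;  // constructed unit code
    Token plus = makeDimension(5.0, NumericSign::PlusSign, kPx);
    Token bare = makeDimension(5.0, NumericSign::NoSign, kPx);
    return useFixed ? equalFixed(plus, bare) : equalBuggy(plus, bare);
}

int main() {
    std::printf("buggy: number tokens equal=%d, signed dimensions equal=%d\n",
                numberTokensCompareEqualDespiteLeftover(false),
                signedDimensionsCompareEqual(false));
    std::printf("fixed: number tokens equal=%d, signed dimensions equal=%d\n",
                numberTokensCompareEqualDespiteLeftover(true),
                signedDimensionsCompareEqual(true));
    return 0;
}
```

On real tokens MSan reports the read inside equalBuggy, which is exactly the "Use-of-uninitialized-value in blink::CSSParserToken::operator==" state in this bug; the deterministic model only makes visible the consequence the thread names, an equality answer (and so a style recalc decision) that depends on bytes the parser never wrote. Keying the comparison on the token kind is what removes that dependency.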
Apr 30 2016
ClusterFuzz has detected this issue as fixed in range 390527:390610.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5383366632800256
Uploader: jialiul@chromium.org
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::CSSParserToken::operator==
  blink::CSSVariableData::operator==
  blink::StyleVariableData::operator==
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=365815:365828
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=390527:390610
Minimized Testcase (0.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZmQHmQRSkKcwiochwwJ2hJYbveG4cSdZDla4cgiO0ipOqDMe-fDpXaCA--dvqOQEolvIvIjJLGdn8e-gsgZ5YgvfsCWffIKYzVME10KhKoKIqZGcqo8KNYlP5Atznff5jQDDPJQ4PPN50Cdr91V7D6jFPFw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 2 2016
May 2 2016
Adding Merge-Triage label for tracking purposes. Once your fix has had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label. When your merge is approved by the release manager, please start merging with the higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com. - Your friendly ClusterFuzz
May 5 2016
As per my comment #10, I don't think we need a merge.
Jul 19 2016
Jul 20 2016
I'm afraid our reward panel declined to reward this issue, as they deemed it non-exploitable.
Aug 8 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by euge...@google.com, Feb 29 2016

There appears to be a problem with MSan reports on clusterfuzz. For now, here is the full report with origin stack traces:

==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f1cd4327972 in ?? third_party/WebKit/Source/core/css/parser/CSSParserToken.h:106:64
    #1 0x7f1cd43257b4 in operator() buildtools/third_party/libc++/trunk/include/algorithm:665:71
    #2 0x7f1cd43257b4 in equal<const blink::CSSParserToken *, const blink::CSSParserToken *, std::__1::__equal_to<blink::CSSParserToken, blink::CSSParserToken> > buildtools/third_party/libc++/trunk/include/algorithm:1193:0
    #3 0x7f1cd43257b4 in equal<const blink::CSSParserToken *, const blink::CSSParserToken *> buildtools/third_party/libc++/trunk/include/algorithm:1205:0
    #4 0x7f1cd43257b4 in compare third_party/WebKit/Source/wtf/Vector.h:257:0
    #5 0x7f1cd43257b4 in compare third_party/WebKit/Source/wtf/Vector.h:312:0
    #6 0x7f1cd43257b4 in operator==<blink::CSSParserToken, 0, 0, WTF::PartitionAllocator> third_party/WebKit/Source/wtf/Vector.h:1342:0
    #7 0x7f1cd43257b4 in operator== third_party/WebKit/Source/core/css/CSSVariableData.cpp:42:0
    #8 0x7f1cd5cf8f25 in dataEquivalent<blink::CSSVariableData> third_party/WebKit/Source/core/style/DataEquivalency.h:20:15
    #9 0x7f1cd5cf8f25 in dataEquivalent<blink::CSSVariableData> third_party/WebKit/Source/core/style/DataEquivalency.h:26:0
    #10 0x7f1cd5cf8f25 in operator== third_party/WebKit/Source/core/style/StyleVariableData.cpp:19:0
    #11 0x7f1cd5ce4e61 in dataEquivalent<blink::StyleVariableData> third_party/WebKit/Source/core/style/DataEquivalency.h:20:15
    #12 0x7f1cd5ce4e61 in dataEquivalent<blink::StyleVariableData> third_party/WebKit/Source/core/style/DataEquivalency.h:26:0
    #13 0x7f1cd5ce4e61 in operator== third_party/WebKit/Source/core/style/StyleRareInheritedData.cpp:233:0
    #14 0x7f1cd5c9376e in operator!= third_party/WebKit/Source/core/style/StyleRareInheritedData.h:68:24
    #15 0x7f1cd5c9376e in operator!= third_party/WebKit/Source/core/style/DataRef.h:65:0
    #16 0x7f1cd5c9376e in inheritedNotEqual third_party/WebKit/Source/core/style/ComputedStyle.cpp:428:0
    #17 0x7f1cd5c92b7b in stylePropagationDiff third_party/WebKit/Source/core/style/ComputedStyle.cpp:193:9
    #18 0x7f1cd3480827 in recalcOwnStyle third_party/WebKit/Source/core/dom/Element.cpp:1748:37
    #19 0x7f1cd347f569 in recalcStyle third_party/WebKit/Source/core/dom/Element.cpp:1699:22
    #20 0x7f1cd32e64b6 in recalcChildStyle third_party/WebKit/Source/core/dom/ContainerNode.cpp:1333:17
    #21 0x7f1cd347fb79 in recalcStyle third_party/WebKit/Source/core/dom/Element.cpp:1715:13
    #22 0x7f1cd32e64b6 in recalcChildStyle third_party/WebKit/Source/core/dom/ContainerNode.cpp:1333:17
    #23 0x7f1cd347fb79 in recalcStyle third_party/WebKit/Source/core/dom/Element.cpp:1715:13
    #24 0x7f1cd3377e3a in updateStyle third_party/WebKit/Source/core/dom/Document.cpp:1852:13
    #25 0x7f1cd3366fdd in updateLayoutTree third_party/WebKit/Source/core/dom/Document.cpp:1786:5
    #26 0x7f1cd4c50051 in updateStyleAndLayoutIfNeededRecursive third_party/WebKit/Source/core/frame/FrameView.cpp:2639:5
    #27 0x7f1cd4c4e280 in updateLifecyclePhasesInternal third_party/WebKit/Source/core/frame/FrameView.cpp:2475:5
    #28 0x7f1cd528a2dc in updateAllLifecyclePhases third_party/WebKit/Source/core/page/PageAnimator.cpp:85:5
    #29 0x7f1cd23cb765 in updateAllLifecyclePhases third_party/WebKit/Source/web/WebViewImpl.cpp:1965:5
    #30 0x7f1cdc56efe1 in UpdateLayerTreeHost content/renderer/gpu/render_widget_compositor.cc:932:3
    #31 0x7f1ccc1554af in BeginMainFrame cc/trees/proxy_main.cc:201:3
    #32 0x7f1ccc180aa0 in Run<scoped_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > base/bind_internal.h:181:12
    #33 0x7f1ccc180aa0 in MakeItSo<base::WeakPtr<cc::ProxyMain>, scoped_ptr<cc::BeginMainFrameAndCommitState, std::__1::default_delete<cc::BeginMainFrameAndCommitState> > > base/bind_internal.h:314:0
    #34 0x7f1ccc180aa0 in Run base/bind_internal.h:351:0
    #35 0x7f1cdd29cfe4 in Run base/callback.h:394:12
    #36 0x7f1cdd29cfe4 in RunTask base/debug/task_annotator.cc:51:0
    #37 0x7f1cdc381325 in ProcessTaskFromWorkQueue components/scheduler/base/task_queue_manager.cc:288:3
    #38 0x7f1cdc37b59f in DoWork components/scheduler/base/task_queue_manager.cc:200:13
    #39 0x7f1cdc3853c5 in Run<const base::TimeTicks &, const bool &> base/bind_internal.h:181:12
    #40 0x7f1cdc3853c5 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> base/bind_internal.h:314:0
    #41 0x7f1cdc3853c5 in Run base/bind_internal.h:351:0
    #42 0x7f1cdd29cfe4 in Run base/callback.h:394:12
    #43 0x7f1cdd29cfe4 in RunTask base/debug/task_annotator.cc:51:0
    #44 0x7f1cdd31554f in RunTask base/message_loop/message_loop.cc:476:3
    #45 0x7f1cdd3166e7 in DeferOrRunPendingTask base/message_loop/message_loop.cc:485:5
    #46 0x7f1cdd3171d5 in DoWork base/message_loop/message_loop.cc:597:13
    #47 0x7f1cdd323a13 in Run base/message_loop/message_pump_default.cc:33:21
    #48 0x7f1cdd3a9df4 in Run base/run_loop.cc:35:3
    #49 0x7f1cdd312ca4 in ?? base/message_loop/message_loop.cc:293:3
    #50 0x7f1cdc83ba95 in RendererMain content/renderer/renderer_main.cc:219:7
    #51 0x7f1cdd1c1017 in RunZygote content/app/content_main_runner.cc:316:14
    #52 0x7f1cdd1c3e94 in RunNamedProcessTypeMain content/app/content_main_runner.cc:403:12
    #53 0x7f1cdd1c70ca in Run content/app/content_main_runner.cc:764:12
    #54 0x7f1cdd1bf7c7 in ContentMain content/app/content_main.cc:19:15
    #55 0x7f1cc6a839c7 in ChromeMain chrome/app/chrome_main.cc:84:12
    #56 0x7f1cc6a83808 in ?? chrome/app/chrome_exe_main_aura.cc:17:10
    #57 0x7f1cbc519ec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287:0
    #58 0x7f1cc6a1ca74 in _start ??:?

  Uninitialized value was stored to memory at
    #0 0x7f1cc6a3a187 in __msan_memcpy ??:?
    #1 0x7f1cd4327edb in move third_party/WebKit/Source/wtf/Vector.h:172:13
    #2 0x7f1cd4327edb in move third_party/WebKit/Source/wtf/Vector.h:287:0
    #3 0x7f1cd4327edb in reserveCapacity third_party/WebKit/Source/wtf/Vector.h:1095:0
    #4 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:1011:5
    #5 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:1018:0
    #6 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:830:0
    #7 0x7f1cd4328392 in appendSlowCase<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1196:0
    #8 0x7f1cd4326378 in append<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1186:5
    #9 0x7f1cd4326378 in updateTokens<unsigned char> third_party/WebKit/Source/core/css/CSSVariableData.cpp:34:0
    #10 0x7f1cd4325dd8 in consumeAndUpdateTokens third_party/WebKit/Source/core/css/CSSVariableData.cpp:62:9
    #11 0x7f1cd46287a3 in create third_party/WebKit/Source/core/css/CSSVariableData.h:24:29
    #12 0x7f1cd46287a3 in parseDeclarationValue third_party/WebKit/Source/core/css/parser/CSSVariableParser.cpp:130:0
    #13 0x7f1cd453dcfe in consumeVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:797:66
    #14 0x7f1cd453d1c4 in parseVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:59:5
    #15 0x7f1cd452b198 in parseValueForCustomProperty third_party/WebKit/Source/core/css/parser/CSSParser.cpp:89:12
    #16 0x7f1cd44c9ec7 in setProperty third_party/WebKit/Source/core/css/StylePropertySet.cpp:324:12
    #17 0x7f1cd4443fc4 in setPropertyInternal third_party/WebKit/Source/core/css/PropertySetCSSStyleDeclaration.cpp:289:19
    #18 0x7f1cd2b7ba0d in setPropertyMethod ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:222:5
    #19 0x7f1cd2b7ba0d in setPropertyMethodCallback ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:231:0
    #20 0x7f1ccff2fd09 in Call v8/src/arguments.cc:33:3
    #21 0x7f1cd0044b2e in HandleApiCallHelper<false> v8/src/builtins.cc:3942:34
    #22 0x7f1cd00a5290 in Builtin_Impl_HandleApiCall v8/src/builtins.cc:3966:3
    #23 0x7f1cd00a5290 in Builtin_HandleApiCall v8/src/builtins.cc:3963:0
    #24 0x7f1cd1d27695 in DoRuntimeCall v8/src/arm64/simulator-arm64.cc:610:27
    #25 0x7f1cd1d245d5 in ExecuteInstruction v8/src/arm64/simulator-arm64.h:315:5
    #26 0x7f1cd1d245d5 in Run v8/src/arm64/simulator-arm64.cc:446:0
    #27 0x7f1cd1d245d5 in CheckPCSComplianceAndRun v8/src/arm64/simulator-arm64.cc:252:0
    #28 0x7f1cd1d245d5 in CallVoid v8/src/arm64/simulator-arm64.cc:162:0
    #29 0x7f1cd1d24fc4 in CallInt64 v8/src/arm64/simulator-arm64.cc:169:3
    #30 0x7f1cd1d24fc4 in CallJS v8/src/arm64/simulator-arm64.cc:194:0
    #31 0x7f1cd0cf65a4 in Invoke v8/src/execution.cc:97:13
    #32 0x7f1cd0cf53eb in Call v8/src/execution.cc:163:10

  Uninitialized value was stored to memory at
    #0 0x7f1cc6a3a187 in __msan_memcpy ??:?
    #1 0x7f1cd4327edb in move third_party/WebKit/Source/wtf/Vector.h:172:13
    #2 0x7f1cd4327edb in move third_party/WebKit/Source/wtf/Vector.h:287:0
    #3 0x7f1cd4327edb in reserveCapacity third_party/WebKit/Source/wtf/Vector.h:1095:0
    #4 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:1011:5
    #5 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:1018:0
    #6 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:830:0
    #7 0x7f1cd4328392 in appendSlowCase<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1196:0
    #8 0x7f1cd4326378 in append<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1186:5
    #9 0x7f1cd4326378 in updateTokens<unsigned char> third_party/WebKit/Source/core/css/CSSVariableData.cpp:34:0
    #10 0x7f1cd4325dd8 in consumeAndUpdateTokens third_party/WebKit/Source/core/css/CSSVariableData.cpp:62:9
    #11 0x7f1cd46287a3 in create third_party/WebKit/Source/core/css/CSSVariableData.h:24:29
    #12 0x7f1cd46287a3 in parseDeclarationValue third_party/WebKit/Source/core/css/parser/CSSVariableParser.cpp:130:0
    #13 0x7f1cd453dcfe in consumeVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:797:66
    #14 0x7f1cd453d1c4 in parseVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:59:5
    #15 0x7f1cd452b198 in parseValueForCustomProperty third_party/WebKit/Source/core/css/parser/CSSParser.cpp:89:12
    #16 0x7f1cd44c9ec7 in setProperty third_party/WebKit/Source/core/css/StylePropertySet.cpp:324:12
    #17 0x7f1cd4443fc4 in setPropertyInternal third_party/WebKit/Source/core/css/PropertySetCSSStyleDeclaration.cpp:289:19
    #18 0x7f1cd2b7ba0d in setPropertyMethod ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:222:5
    #19 0x7f1cd2b7ba0d in setPropertyMethodCallback ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:231:0
    #20 0x7f1ccff2fd09 in Call v8/src/arguments.cc:33:3
    #21 0x7f1cd0044b2e in HandleApiCallHelper<false> v8/src/builtins.cc:3942:34
    #22 0x7f1cd00a5290 in Builtin_Impl_HandleApiCall v8/src/builtins.cc:3966:3
    #23 0x7f1cd00a5290 in Builtin_HandleApiCall v8/src/builtins.cc:3963:0
    #24 0x7f1cd1d27695 in DoRuntimeCall v8/src/arm64/simulator-arm64.cc:610:27
    #25 0x7f1cd1d245d5 in ExecuteInstruction v8/src/arm64/simulator-arm64.h:315:5
    #26 0x7f1cd1d245d5 in Run v8/src/arm64/simulator-arm64.cc:446:0
    #27 0x7f1cd1d245d5 in CheckPCSComplianceAndRun v8/src/arm64/simulator-arm64.cc:252:0
    #28 0x7f1cd1d245d5 in CallVoid v8/src/arm64/simulator-arm64.cc:162:0
    #29 0x7f1cd1d24fc4 in CallInt64 v8/src/arm64/simulator-arm64.cc:169:3
    #30 0x7f1cd1d24fc4 in CallJS v8/src/arm64/simulator-arm64.cc:194:0
    #31 0x7f1cd0cf65a4 in Invoke v8/src/execution.cc:97:13
    #32 0x7f1cd0cf53eb in Call v8/src/execution.cc:163:10

  Uninitialized value was stored to memory at
    #0 0x7f1cc6a3a187 in __msan_memcpy ??:?
    #1 0x7f1cd4327edb in move third_party/WebKit/Source/wtf/Vector.h:172:13
    #2 0x7f1cd4327edb in move third_party/WebKit/Source/wtf/Vector.h:287:0
    #3 0x7f1cd4327edb in reserveCapacity third_party/WebKit/Source/wtf/Vector.h:1095:0
    #4 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:1011:5
    #5 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:1018:0
    #6 0x7f1cd4328392 in expandCapacity third_party/WebKit/Source/wtf/Vector.h:830:0
    #7 0x7f1cd4328392 in appendSlowCase<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1196:0
    #8 0x7f1cd4326378 in append<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1186:5
    #9 0x7f1cd4326378 in updateTokens<unsigned char> third_party/WebKit/Source/core/css/CSSVariableData.cpp:34:0
    #10 0x7f1cd4325dd8 in consumeAndUpdateTokens third_party/WebKit/Source/core/css/CSSVariableData.cpp:62:9
    #11 0x7f1cd46287a3 in create third_party/WebKit/Source/core/css/CSSVariableData.h:24:29
    #12 0x7f1cd46287a3 in parseDeclarationValue third_party/WebKit/Source/core/css/parser/CSSVariableParser.cpp:130:0
    #13 0x7f1cd453dcfe in consumeVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:797:66
    #14 0x7f1cd453d1c4 in parseVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:59:5
    #15 0x7f1cd452b198 in parseValueForCustomProperty third_party/WebKit/Source/core/css/parser/CSSParser.cpp:89:12
    #16 0x7f1cd44c9ec7 in setProperty third_party/WebKit/Source/core/css/StylePropertySet.cpp:324:12
    #17 0x7f1cd4443fc4 in setPropertyInternal third_party/WebKit/Source/core/css/PropertySetCSSStyleDeclaration.cpp:289:19
    #18 0x7f1cd2b7ba0d in setPropertyMethod ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:222:5
    #19 0x7f1cd2b7ba0d in setPropertyMethodCallback ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:231:0
    #20 0x7f1ccff2fd09 in Call v8/src/arguments.cc:33:3
    #21 0x7f1cd0044b2e in HandleApiCallHelper<false> v8/src/builtins.cc:3942:34
    #22 0x7f1cd00a5290 in Builtin_Impl_HandleApiCall v8/src/builtins.cc:3966:3
    #23 0x7f1cd00a5290 in Builtin_HandleApiCall v8/src/builtins.cc:3963:0
    #24 0x7f1cd1d27695 in DoRuntimeCall v8/src/arm64/simulator-arm64.cc:610:27
    #25 0x7f1cd1d245d5 in ExecuteInstruction v8/src/arm64/simulator-arm64.h:315:5
    #26 0x7f1cd1d245d5 in Run v8/src/arm64/simulator-arm64.cc:446:0
    #27 0x7f1cd1d245d5 in CheckPCSComplianceAndRun v8/src/arm64/simulator-arm64.cc:252:0
    #28 0x7f1cd1d245d5 in CallVoid v8/src/arm64/simulator-arm64.cc:162:0
    #29 0x7f1cd1d24fc4 in CallInt64 v8/src/arm64/simulator-arm64.cc:169:3
    #30 0x7f1cd1d24fc4 in CallJS v8/src/arm64/simulator-arm64.cc:194:0
    #31 0x7f1cd0cf65a4 in Invoke v8/src/execution.cc:97:13
    #32 0x7f1cd0cf53eb in Call v8/src/execution.cc:163:10

  Uninitialized value was stored to memory at
    #0 0x7f1cc6a3a187 in __msan_memcpy ??:?
    #1 0x7f1cd43283b2 in appendSlowCase<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1200:26
    #2 0x7f1cd4326378 in append<const blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1186:5
    #3 0x7f1cd4326378 in updateTokens<unsigned char> third_party/WebKit/Source/core/css/CSSVariableData.cpp:34:0
    #4 0x7f1cd4325dd8 in consumeAndUpdateTokens third_party/WebKit/Source/core/css/CSSVariableData.cpp:62:9
    #5 0x7f1cd46287a3 in create third_party/WebKit/Source/core/css/CSSVariableData.h:24:29
    #6 0x7f1cd46287a3 in parseDeclarationValue third_party/WebKit/Source/core/css/parser/CSSVariableParser.cpp:130:0
    #7 0x7f1cd453dcfe in consumeVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:797:66
    #8 0x7f1cd453d1c4 in parseVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:59:5
    #9 0x7f1cd452b198 in parseValueForCustomProperty third_party/WebKit/Source/core/css/parser/CSSParser.cpp:89:12
    #10 0x7f1cd44c9ec7 in setProperty third_party/WebKit/Source/core/css/StylePropertySet.cpp:324:12
    #11 0x7f1cd4443fc4 in setPropertyInternal third_party/WebKit/Source/core/css/PropertySetCSSStyleDeclaration.cpp:289:19
    #12 0x7f1cd2b7ba0d in setPropertyMethod ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:222:5
    #13 0x7f1cd2b7ba0d in setPropertyMethodCallback ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:231:0
    #14 0x7f1ccff2fd09 in Call v8/src/arguments.cc:33:3
    #15 0x7f1cd0044b2e in HandleApiCallHelper<false> v8/src/builtins.cc:3942:34
    #16 0x7f1cd00a5290 in Builtin_Impl_HandleApiCall v8/src/builtins.cc:3966:3
    #17 0x7f1cd00a5290 in Builtin_HandleApiCall v8/src/builtins.cc:3963:0
    #18 0x7f1cd1d27695 in DoRuntimeCall v8/src/arm64/simulator-arm64.cc:610:27
    #19 0x7f1cd1d245d5 in ExecuteInstruction v8/src/arm64/simulator-arm64.h:315:5
    #20 0x7f1cd1d245d5 in Run v8/src/arm64/simulator-arm64.cc:446:0
    #21 0x7f1cd1d245d5 in CheckPCSComplianceAndRun v8/src/arm64/simulator-arm64.cc:252:0
    #22 0x7f1cd1d245d5 in CallVoid v8/src/arm64/simulator-arm64.cc:162:0
    #23 0x7f1cd1d24fc4 in CallInt64 v8/src/arm64/simulator-arm64.cc:169:3
    #24 0x7f1cd1d24fc4 in CallJS v8/src/arm64/simulator-arm64.cc:194:0
    #25 0x7f1cd0cf65a4 in Invoke v8/src/execution.cc:97:13
    #26 0x7f1cd0cf53eb in Call v8/src/execution.cc:163:10
    #27 0x7f1ccfea647e in Call v8/src/api.cc:4397:7

  Uninitialized value was stored to memory at
    #0 0x7f1cc6a3a187 in __msan_memcpy ??:?
    #1 0x7f1cd46195cc in append<blink::CSSParserToken &> third_party/WebKit/Source/wtf/Vector.h:1181:30
    #2 0x7f1cd46195cc in Scope third_party/WebKit/Source/core/css/parser/CSSTokenizer.cpp:45:0
    #3 0x7f1cd453d120 in parseVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:58:25
    #4 0x7f1cd452b198 in parseValueForCustomProperty third_party/WebKit/Source/core/css/parser/CSSParser.cpp:89:12
    #5 0x7f1cd44c9ec7 in setProperty third_party/WebKit/Source/core/css/StylePropertySet.cpp:324:12
    #6 0x7f1cd4443fc4 in setPropertyInternal third_party/WebKit/Source/core/css/PropertySetCSSStyleDeclaration.cpp:289:19
    #7 0x7f1cd2b7ba0d in setPropertyMethod ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:222:5
    #8 0x7f1cd2b7ba0d in setPropertyMethodCallback ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:231:0
    #9 0x7f1ccff2fd09 in Call v8/src/arguments.cc:33:3
    #10 0x7f1cd0044b2e in HandleApiCallHelper<false> v8/src/builtins.cc:3942:34
    #11 0x7f1cd00a5290 in Builtin_Impl_HandleApiCall v8/src/builtins.cc:3966:3
    #12 0x7f1cd00a5290 in Builtin_HandleApiCall v8/src/builtins.cc:3963:0
    #13 0x7f1cd1d27695 in DoRuntimeCall v8/src/arm64/simulator-arm64.cc:610:27
    #14 0x7f1cd1d245d5 in ExecuteInstruction v8/src/arm64/simulator-arm64.h:315:5
    #15 0x7f1cd1d245d5 in Run v8/src/arm64/simulator-arm64.cc:446:0
    #16 0x7f1cd1d245d5 in CheckPCSComplianceAndRun v8/src/arm64/simulator-arm64.cc:252:0
    #17 0x7f1cd1d245d5 in CallVoid v8/src/arm64/simulator-arm64.cc:162:0
    #18 0x7f1cd1d24fc4 in CallInt64 v8/src/arm64/simulator-arm64.cc:169:3
    #19 0x7f1cd1d24fc4 in CallJS v8/src/arm64/simulator-arm64.cc:194:0
    #20 0x7f1cd0cf65a4 in Invoke v8/src/execution.cc:97:13
    #21 0x7f1cd0cf53eb in Call v8/src/execution.cc:163:10
    #22 0x7f1ccfea647e in Call v8/src/api.cc:4397:7
    #23 0x7f1cd25c0dc3 in callFunction third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:465:40
    #24 0x7f1cd2487f08 in execute third_party/WebKit/Source/bindings/core/v8/ScheduledAction.cpp:119:9
    #25 0x7f1cd4bc10df in fired third_party/WebKit/Source/core/frame/DOMTimer.cpp:120:9
    #26 0x7f1ccf0027a5 in runInternal third_party/WebKit/Source/platform/Timer.cpp:134:5

  Uninitialized value was stored to memory at
    #0 0x7f1cd4561d48 in ?? third_party/WebKit/Source/core/css/parser/CSSParserToken.cpp:43:7
    #1 0x7f1cd4620d41 in consumeNumber third_party/WebKit/Source/core/css/parser/CSSTokenizer.cpp:467:12
    #2 0x7f1cd461afc7 in consumeNumericToken third_party/WebKit/Source/core/css/parser/CSSTokenizer.cpp:473:28
    #3 0x7f1cd46170f7 in asciiDigit third_party/WebKit/Source/core/css/parser/CSSTokenizer.cpp:336:12
    #4 0x7f1cd4619508 in nextToken third_party/WebKit/Source/core/css/parser/CSSTokenizer.cpp:386:16
    #5 0x7f1cd4619508 in Scope third_party/WebKit/Source/core/css/parser/CSSTokenizer.cpp:40:0
    #6 0x7f1cd453d120 in parseVariableValue third_party/WebKit/Source/core/css/parser/CSSParserImpl.cpp:58:25
    #7 0x7f1cd452b198 in parseValueForCustomProperty third_party/WebKit/Source/core/css/parser/CSSParser.cpp:89:12
    #8 0x7f1cd44c9ec7 in setProperty third_party/WebKit/Source/core/css/StylePropertySet.cpp:324:12
    #9 0x7f1cd4443fc4 in setPropertyInternal third_party/WebKit/Source/core/css/PropertySetCSSStyleDeclaration.cpp:289:19
    #10 0x7f1cd2b7ba0d in setPropertyMethod ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:222:5
    #11 0x7f1cd2b7ba0d in setPropertyMethodCallback ./out/msan/gen/blink/bindings/core/v8/V8CSSStyleDeclaration.cpp:231:0
    #12 0x7f1ccff2fd09 in Call v8/src/arguments.cc:33:3
    #13 0x7f1cd0044b2e in HandleApiCallHelper<false> v8/src/builtins.cc:3942:34
    #14 0x7f1cd00a5290 in Builtin_Impl_HandleApiCall v8/src/builtins.cc:3966:3
    #15 0x7f1cd00a5290 in Builtin_HandleApiCall v8/src/builtins.cc:3963:0
    #16 0x7f1cd1d27695 in DoRuntimeCall v8/src/arm64/simulator-arm64.cc:610:27
    #17 0x7f1cd1d245d5 in ExecuteInstruction v8/src/arm64/simulator-arm64.h:315:5
    #18 0x7f1cd1d245d5 in Run v8/src/arm64/simulator-arm64.cc:446:0
    #19 0x7f1cd1d245d5 in CheckPCSComplianceAndRun v8/src/arm64/simulator-arm64.cc:252:0
    #20 0x7f1cd1d245d5 in CallVoid v8/src/arm64/simulator-arm64.cc:162:0
    #21 0x7f1cd1d24fc4 in CallInt64 v8/src/arm64/simulator-arm64.cc:169:3
    #22 0x7f1cd1d24fc4 in CallJS v8/src/arm64/simulator-arm64.cc:194:0
    #23 0x7f1cd0cf65a4 in Invoke v8/src/execution.cc:97:13
    #24 0x7f1cd0cf53eb in Call v8/src/execution.cc:163:10
    #25 0x7f1ccfea647e in Call v8/src/api.cc:4397:7
    #26 0x7f1cd25c0dc3 in callFunction third_party/WebKit/Source/bindings/core/v8/V8ScriptRunner.cpp:465:40

  Uninitialized value was created by an allocation of 'token' in the stack frame of function '_ZN5blink12CSSTokenizer5ScopeC2ERKN3WTF6StringE'
    #0 0x7f1cd4618df0 in Scope third_party/WebKit/Source/core/css/parser/CSSTokenizer.cpp:21:0