Unable to find the exact suspect hence assigning to piman@ from https://code.google.com/p/chromium/codesearch#chromium/src/ppapi/proxy/OWNERS&sq=package:chromium&type=cs for further investigation.

raymes@, do you think you could take a look? I suspect what's going on is that the ObjectProxy that we create, which should be owned by the created PP_Var, isn't properly destructed in error cases.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ef46412b5f33167050076c125f81d670ec7bdab6

commit ef46412b5f33167050076c125f81d670ec7bdab6
Author: raymes <raymes@chromium.org>
Date: Thu Mar 17 00:32:53 2016

Ensure that the ppp_class_data is freed when a PluginObject isn't created

PluginObject creation can fail if there isn't a valid V8 context. In this
case we need to take care to free the ppp_class_data.

BUG= 594926 

Review URL: https://codereview.chromium.org/1805303002

Cr-Commit-Position: refs/heads/master@{#381605}

[modify] https://crrev.com/ef46412b5f33167050076c125f81d670ec7bdab6/content/renderer/pepper/plugin_object.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0868033af81c965c393c4ca6d9ac1fc81001f593

commit 0868033af81c965c393c4ca6d9ac1fc81001f593
Author: raymes <raymes@chromium.org>
Date: Thu Mar 31 00:03:44 2016

Ensure we don't leak ObjectProxy objects

Previously, if an instance was destroyed before a plugin object
had a chance to be destroyed, it would be leaked. Now we always attempt
to deallocate the object if the instance is destroyed prior to the object.

BUG= 594926 

Review URL: https://codereview.chromium.org/1839933002

Cr-Commit-Position: refs/heads/master@{#384148}

[modify] https://crrev.com/0868033af81c965c393c4ca6d9ac1fc81001f593/content/renderer/pepper/plugin_object.cc

This should be fixed now, hopefully clusterfuzz agrees :)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6e1fff1a66e259fe3e19d0e75e5d432faf51af8d

commit 6e1fff1a66e259fe3e19d0e75e5d432faf51af8d
Author: thakis <thakis@chromium.org>
Date: Thu Mar 31 01:52:09 2016

Revert of Ensure we don't leak ObjectProxy objects (patchset #2 id:20001 of https://codereview.chromium.org/1839933002/ )

Reason for revert:
Somewhat speculative; PPAPITest.Instance_LeakedObjectDestructors started falling on several bots with `Assertion failed: (false), function ~BadDestructorObject, file ../../ppapi/tests/test_instance_deprecated.cc, line 234.`.

Examples:
https://build.chromium.org/p/chromium.mac/builders/Mac10.9%20Tests%20%28dbg%29/builds/21858
https://build.chromium.org/p/chromium.win/builders/Win8%20GN%20%28dbg%29/builds/23233
https://build.chromium.org/p/chromium.win/builders/Win%20x64%20GN%20%28dbg%29/builds/19901
https://build.chromium.org/p/chromium.linux/builders/Linux%20Tests%20%28dbg%29%281%29%2832%29/builds/27197

Original issue's description:
> Ensure we don't leak ObjectProxy objects
>
> Previously, if an instance was destroyed before a plugin object
> had a chance to be destroyed, it would be leaked. Now we always attempt
> to deallocate the object if the instance is destroyed prior to the object.
>
> BUG= 594926 
>
> Committed: https://crrev.com/0868033af81c965c393c4ca6d9ac1fc81001f593
> Cr-Commit-Position: refs/heads/master@{#384148}

TBR=piman@chromium.org,raymes@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 594926 

Review URL: https://codereview.chromium.org/1834223009

Cr-Commit-Position: refs/heads/master@{#384184}

[modify] https://crrev.com/6e1fff1a66e259fe3e19d0e75e5d432faf51af8d/content/renderer/pepper/plugin_object.cc

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6560019164430336

Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  ppapi::proxy::PPP_Class_Proxy::CreateProxiedObject
  ppapi::proxy::PPB_Var_Deprecated_Proxy::OnMsgCreateObjectDeprecated
  bool IPC::MessageT<PpapiHostMsg_PPBVar_CreateObjectDeprecated_Meta, std::__1::tu
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95hq56vdnHw353FQlgppquSV5RokgDZNvSqIOV-4souOQsDyE1YUuKvdlKhIecpHK04fqke1RwbBTJeb_-VYIobQpzUJdrVjYw3NRclqKu5kjveUGF50eYeF4fj9iwAtAvAs_gfLjq3XW5lQPpJb3G-eCqmiQ
<object id="obj1">
	<embed src="images/acc2.swf"</embed></object><script> 
function convertArrayToStrings(array){array.forEach(function(){;}); return array};
var test1=document.getElementById("obj1")
var test3=test1.appendChild(document.createElement("ul"))
test1.innerText=convertArrayToStrings([])
gc()
</script>


Additional requirements: Requires Gestures

Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6560019164430336

Fuzzer: attekett_dom_fuzzer
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  ppapi::proxy::PPP_Class_Proxy::CreateProxiedObject
  ppapi::proxy::PPB_Var_Deprecated_Proxy::OnMsgCreateObjectDeprecated
  bool IPC::MessageT<PpapiHostMsg_PPBVar_CreateObjectDeprecated_Meta, std::__1::tu
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (34.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97hnkegjM4BPlF7qZig048tIZNQRZvQNmh15JFTV_3tInI2GuykzmV8VU1iop1Dj7sK1sb5YAfO_9q04WnzqntoqSMQOi0CX5sgtzfUwtliN2ft47oPQjV67KUZnI-WY1hw6clye5uNyru5PBiR-0KcJ6tsyl1mMKwtZkN5B7rYzRQd0KU?testcase_id=6560019164430336

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5429691171471360

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  ppapi::proxy::PPP_Class_Proxy::CreateProxiedObject
  ppapi::proxy::PPB_Var_Deprecated_Proxy::OnMsgCreateObjectDeprecated
  bool IPC::MessageT<PpapiHostMsg_PPBVar_CreateObjectDeprecated_Meta, std::__1::tu
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96xOYxJo99HWnwhwOZbaBTAft1vyK_6hQn9c4JR8Cx3xHX9h_CYFsQXXaz_qFp-oguerUGCggqteDjYpVBoWJV2uoYqfYAqKxj_vPhvV5RxsqS0Xy21Cw6hwWjqQ2CKwJdjWAAENrZE6YyjDwKdqu2ei7eHsw?testcase_id=5429691171471360
<object data="ReferenceFuzzer.swf?seed=1662614376" id=tCF2><script>
function forceGC() { try{gc(); } catch(e) {; } }
setTimeout("tCFcrash()");
function tCF_custom_1() {
 tCF2.parentNode.removeChild(tCF2);  forceGC(); 
}
function tCFcrash() {
tCF_custom_1()
}</script>


Additional requirements: Requires Gestures

Additional requirements: Requires HTTP

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5429691171471360

Fuzzer: inferno_twister
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  ppapi::proxy::PPP_Class_Proxy::CreateProxiedObject
  ppapi::proxy::PPB_Var_Deprecated_Proxy::OnMsgCreateObjectDeprecated
  bool IPC::MessageT<PpapiHostMsg_PPBVar_CreateObjectDeprecated_Meta, std::__1::tu
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=383194:384397

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96xOYxJo99HWnwhwOZbaBTAft1vyK_6hQn9c4JR8Cx3xHX9h_CYFsQXXaz_qFp-oguerUGCggqteDjYpVBoWJV2uoYqfYAqKxj_vPhvV5RxsqS0Xy21Cw6hwWjqQ2CKwJdjWAAENrZE6YyjDwKdqu2ei7eHsw?testcase_id=5429691171471360
<object data="ReferenceFuzzer.swf?seed=1662614376" id=tCF2><script>
function forceGC() { try{gc(); } catch(e) {; } }
setTimeout("tCFcrash()");
function tCF_custom_1() {
 tCF2.parentNode.removeChild(tCF2);  forceGC(); 
}
function tCFcrash() {
tCF_custom_1()
}</script>


Additional requirements: Requires Gestures

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5874626165211136

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Direct-leak
Crash Address: 
Crash State:
  ppapi::proxy::PPP_Class_Proxy::CreateProxiedObject
  ppapi::proxy::PPB_Var_Deprecated_Proxy::OnMsgCreateObjectDeprecated
  bool IPC::MessageT<PpapiHostMsg_PPBVar_CreateObjectDeprecated_Meta, std::__1::tu
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=383194:384397

Minimized Testcase (0.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94-Muy5HMVTidYPzRJkFaKFFsm6rY3_seGS77K2hto1ARAKUzZXfVUemDAkjL8-RPLzFYErDl1pwWIvqrl2es97DcNFJMEfJH8FqVTHUn7l5qw0WrZnDjcEmH-Dl36Mt5wij9dD8xZ7_mM53JpTxHaGwohW9g?testcase_id=5874626165211136

Additional requirements: Requires HTTP

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Gentle Ping.

@raymes: Could you please provide some update on this issue.

Thank you.

I spent a bunch of time on this, but it turned out to be hard to fix this without hacks or major changes. I wasn't sure it was worth spending more time - the leak only affects flash synchronous scripting. piman@ what do you think?

That leak has been there virtually forever... It would be nice to fix, but I don't think it's a P1.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot