
Issue 604649


Issue metadata

Status: Duplicate
Merged: issue 602975
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




inspector-protocol/layout-fonts/unicode-range-combining-chars-fallback.html failing on Webkit Linux MSAN

Project Member Reported by msramek@chromium.org, Apr 19 2016

Issue description

inspector-protocol/layout-fonts/unicode-range-combining-chars-fallback.html is failing on the Webkit Linux MSAN bot since https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20MSAN/builds/9574/
 
Snippet of the error output:
============================

00:31:41.058 25802 worker/0 inspector-protocol/layout-fonts/unicode-range-combining-chars-fallback.html started
00:31:44.514 25802 renderer crash, pid = None, error_line = #CRASHED - renderer
00:31:44.514 25802 killed pid 11280
00:31:46.040 25802 "flock /usr/bin/python /b/build/slave/WebKit_Linux_MSAN/build/src/tools/valgrind/asan/asan_symbolize.py Release/../../" took 1.53s
00:31:46.041 25802 worker/0 inspector-protocol/layout-fonts/unicode-range-combining-chars-fallback.html crashed, (stderr lines):
00:31:46.041 25802   Xlib:  extension "RANDR" missing on display ":9".
00:31:46.041 25802   Xlib:  extension "RANDR" missing on display ":9".
00:31:46.041 25802   ==4==WARNING: MemorySanitizer: use-of-uninitialized-value
00:31:46.041 25802       #0 0x5543b94 in ReadU16 third_party/woff2/src/./buffer.h:106:14
00:31:46.041 25802       #1 0x5543b94 in ReadS16 third_party/woff2/src/./buffer.h:112:0
00:31:46.041 25802       #2 0x5543b94 in ReconstructGlyf third_party/woff2/src/woff2_dec.cc:608:0
00:31:46.042 25802       #3 0x5543b94 in ReconstructFont third_party/woff2/src/woff2_dec.cc:990:0
00:31:46.042 25802       #4 0x5543b94 in ConvertWOFF2ToTTF third_party/woff2/src/woff2_dec.cc:1355:0
00:31:46.042 25802       #5 0x5531ece in ?? third_party/woff2/src/woff2_dec.cc:1331:10
00:31:46.042 25802       #6 0x550ccd0 in ProcessWOFF2 third_party/ots/src/ots.cc:482:8
00:31:46.042 25802       #7 0x550ccd0 in Process third_party/ots/src/ots.cc:896:0
00:31:46.042 25802       #8 0x4a0a211 in sanitize third_party/WebKit/Source/platform/fonts/opentype/OpenTypeSanitizer.cpp:96:15
00:31:46.042 25802       #9 0x49af7f1 in create third_party/WebKit/Source/platform/fonts/FontCustomPlatformData.cpp:91:44
00:31:46.042 25802       #10 0xac85ebf in ensureCustomFontData third_party/WebKit/Source/core/fetch/FontResource.cpp:121:26
00:31:46.042 25802       #11 0xa629f45 in fontLoaded third_party/WebKit/Source/core/css/RemoteFontFaceSource.cpp:87:5
00:31:46.042 25802       #12 0xac869ab in checkNotify third_party/WebKit/Source/core/fetch/FontResource.cpp:178:9
00:31:46.042 25802       #13 0xacd278d in finish third_party/WebKit/Source/core/fetch/Resource.cpp:348:5
00:31:46.042 25802       #14 0xad2629c in didFinishLoading third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:337:5
00:31:46.042 25802       #15 0xe2cf725 in OnCompletedRequest content/child/web_url_loader_impl.cc:757:7
00:31:46.042 25802       #16 0xe239b35 in OnRequestComplete content/child/resource_dispatcher.cc:376:3
00:31:46.042 25802       #17 0xe240c8b in DispatchToMethodImpl<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &), int, ResourceMsg_RequestCompleteData, 0, 1> base/tuple.h:166:3
00:31:46.042 25802       #18 0xe240c8b in DispatchToMethod<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &), int, ResourceMsg_RequestCompleteData> base/tuple.h:173:0
00:31:46.042 25802       #19 0xe240c8b in DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &), void, std::__1::tuple<int, ResourceMsg_RequestCompleteData> > ipc/ipc_message_templates.h:26:0
00:31:46.042 25802       #20 0xe240c8b in Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &)> ipc/ipc_message_templates.h:121:0
00:31:46.042 25802       #21 0xe2308dc in DispatchMessage content/child/resource_dispatcher.cc:507:5
00:31:46.042 25802       #22 0xe22e380 in OnMessageReceived content/child/resource_dispatcher.cc:124:3
00:31:46.042 25802       #23 0xe34f84b in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:159:12
00:31:46.042 25802       #24 0xe34f84b in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:321:0
00:31:46.042 25802       #25 0xe34f84b in Run base/bind_internal.h:372:0
00:31:46.042 25802       #26 0x11e7d017 in Run base/callback.h:397:12
00:31:46.043 25802       #27 0x11e7d017 in RunTask base/debug/task_annotator.cc:51:0
00:31:46.043 25802       #28 0xe326d2e in ProcessTaskFromWorkQueue components/scheduler/base/task_queue_manager.cc:289:3
00:31:46.043 25802       #29 0xe320f56 in DoWork components/scheduler/base/task_queue_manager.cc:201:13
00:31:46.043 25802       #30 0xe32ae24 in Run<const base::TimeTicks &, const bool &> base/bind_internal.h:181:12
00:31:46.043 25802       #31 0xe32ae24 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> base/bind_internal.h:334:0
00:31:46.043 25802       #32 0xe32ae24 in Run base/bind_internal.h:372:0
00:31:46.043 25802       #33 0x11e7d017 in Run base/callback.h:397:12
00:31:46.043 25802       #34 0x11e7d017 in RunTask base/debug/task_annotator.cc:51:0
00:31:46.043 25802       #35 0x11ee9bb7 in RunTask base/message_loop/message_loop.cc:479:3
00:31:46.043 25802       #36 0x11eeaf47 in DeferOrRunPendingTask base/message_loop/message_loop.cc:488:5
00:31:46.043 25802       #37 0x11eeba17 in DoWork base/message_loop/message_loop.cc:600:13
00:31:46.043 25802       #38 0x11ef74ea in Run base/message_loop/message_pump_default.cc:33:21
00:31:46.043 25802       #39 0x11f7598d in Run base/run_loop.cc:35:3
00:31:46.043 25802       #40 0x11ee71f2 in ?? base/message_loop/message_loop.cc:295:3
00:31:46.043 25802       #41 0xec114fa in RendererMain content/renderer/renderer_main.cc:219:7
00:31:46.043 25802       #42 0xfe1eaf6 in RunZygote content/app/content_main_runner.cc:306:14
00:31:46.043 25802       #43 0xfe2135f in RunNamedProcessTypeMain content/app/content_main_runner.cc:389:12
00:31:46.043 25802       #44 0xfe2444e in Run content/app/content_main_runner.cc:742:12
00:31:46.043 25802       #45 0xfe1d267 in ContentMain content/app/content_main.cc:20:15
00:31:46.043 25802       #46 0x4ab099 in main content/shell/app/shell_main.cc:48:10
00:31:46.043 25802       #47 0x7f92a1c9076c in __libc_start_main /build/eglibc-rrybNj/eglibc-2.15/csu/libc-start.c:226:0
00:31:46.043 25802       #48 0x443638 in _start ??:0
No test expectations to update, since this is specifically a MSan error.

The only CL in the range is https://codereview.chromium.org/1896833002, which in fact fixed another MSan error, and probably just uncovered this one.
Oops, the rest of the snippet:
==============================

00:31:46.043 25802     Uninitialized value was created by a heap allocation
00:31:46.043 25802       #0 0x4aab22 in operator new[](unsigned long) ??:0
00:31:46.044 25802       #1 0x55382b6 in ReconstructGlyf third_party/woff2/src/woff2_dec.cc:447:40
00:31:46.044 25802       #2 0x55382b6 in ReconstructFont third_party/woff2/src/woff2_dec.cc:990:0
00:31:46.044 25802       #3 0x55382b6 in ConvertWOFF2ToTTF third_party/woff2/src/woff2_dec.cc:1355:0
00:31:46.044 25802       #4 0x5531ece in ?? third_party/woff2/src/woff2_dec.cc:1331:10
00:31:46.044 25802       #5 0x550ccd0 in ProcessWOFF2 third_party/ots/src/ots.cc:482:8
00:31:46.044 25802       #6 0x550ccd0 in Process third_party/ots/src/ots.cc:896:0
00:31:46.044 25802       #7 0x4a0a211 in sanitize third_party/WebKit/Source/platform/fonts/opentype/OpenTypeSanitizer.cpp:96:15
00:31:46.044 25802       #8 0x49af7f1 in create third_party/WebKit/Source/platform/fonts/FontCustomPlatformData.cpp:91:44
00:31:46.044 25802       #9 0xac85ebf in ensureCustomFontData third_party/WebKit/Source/core/fetch/FontResource.cpp:121:26
00:31:46.044 25802       #10 0xa629f45 in fontLoaded third_party/WebKit/Source/core/css/RemoteFontFaceSource.cpp:87:5
00:31:46.044 25802       #11 0xac869ab in checkNotify third_party/WebKit/Source/core/fetch/FontResource.cpp:178:9
00:31:46.044 25802       #12 0xacd278d in finish third_party/WebKit/Source/core/fetch/Resource.cpp:348:5
00:31:46.044 25802       #13 0xad2629c in didFinishLoading third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:337:5
00:31:46.044 25802       #14 0xe2cf725 in OnCompletedRequest content/child/web_url_loader_impl.cc:757:7
00:31:46.044 25802       #15 0xe239b35 in OnRequestComplete content/child/resource_dispatcher.cc:376:3
00:31:46.044 25802       #16 0xe240c8b in DispatchToMethodImpl<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &), int, ResourceMsg_RequestCompleteData, 0, 1> base/tuple.h:166:3
00:31:46.044 25802       #17 0xe240c8b in DispatchToMethod<content::ResourceDispatcher *, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &), int, ResourceMsg_RequestCompleteData> base/tuple.h:173:0
00:31:46.044 25802       #18 0xe240c8b in DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &), void, std::__1::tuple<int, ResourceMsg_RequestCompleteData> > ipc/ipc_message_templates.h:26:0
00:31:46.044 25802       #19 0xe240c8b in Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (content::ResourceDispatcher::*)(int, const ResourceMsg_RequestCompleteData &)> ipc/ipc_message_templates.h:121:0
00:31:46.044 25802       #20 0xe2308dc in DispatchMessage content/child/resource_dispatcher.cc:507:5
00:31:46.044 25802       #21 0xe22e380 in OnMessageReceived content/child/resource_dispatcher.cc:124:3
00:31:46.044 25802       #22 0xe34f84b in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:159:12
00:31:46.044 25802       #23 0xe34f84b in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:321:0
00:31:46.044 25802       #24 0xe34f84b in Run base/bind_internal.h:372:0
00:31:46.044 25802       #25 0x11e7d017 in Run base/callback.h:397:12
00:31:46.045 25802       #26 0x11e7d017 in RunTask base/debug/task_annotator.cc:51:0
00:31:46.045 25802       #27 0xe326d2e in ProcessTaskFromWorkQueue components/scheduler/base/task_queue_manager.cc:289:3
00:31:46.045 25802       #28 0xe320f56 in DoWork components/scheduler/base/task_queue_manager.cc:201:13
00:31:46.045 25802
00:31:46.045 25802   SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/build/slave/WebKit_Linux_MSAN/build/src/out/Release/content_shell+0x5543b94)
00:31:46.045 25802   Exiting
00:31:46.045 25802 [1/1] inspector-protocol/layout-fonts/unicode-range-combining-chars-fallback.html failed unexpectedly (renderer crashed)
Cc: toyoshim@chromium.org ksakamoto@chromium.org
Components: -Blink>LayoutTests
The uninitialized value from heap allocation in woff2_dec.cc:447 was introduced recently by https://codereview.chromium.org/1873123002, cc'ing owners.
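As an added illustration (not woff2's or Chromium's code) of the defect class the trace above reports: a woff2-style bounded reader (class and method names modelled on buffer.h's ReadU16/ReadS16, but simplified and hypothetical here) consumes bytes from a heap array allocated with operator new[]; if the producer filled only part of that array, the reader's bounds check still passes on the unwritten tail, and the first such read is the use-of-uninitialized-value MSan attributes to the allocation site. The actual cause at woff2_dec.cc:447 is not on this page; `DecodeCoords`, `DecodeResult` and the `read_past_filled` check are constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <vector>

// Bounded big-endian reader in the style of woff2's buffer.h (simplified,
// hypothetical). The bounds check guards the allocation's end only.
class Buffer {
 public:
  Buffer(const uint8_t* d, size_t n) : data_(d), len_(n), off_(0) {}
  bool ReadU16(uint16_t* v) {
    if (off_ + 2 > len_) return false;  // passes on never-written bytes
    *v = static_cast<uint16_t>((data_[off_] << 8) | data_[off_ + 1]);
    off_ += 2;
    return true;
  }
  bool ReadS16(int16_t* v) {
    uint16_t u = 0;
    if (!ReadU16(&u)) return false;
    *v = static_cast<int16_t>(u);
    return true;
  }
  size_t offset() const { return off_; }
 private:
  const uint8_t* data_;
  size_t len_, off_;
};

// values_read: coordinates parsed; read_past_filled: reader consumed bytes
// the producer never wrote (the condition MSan flags at runtime).
struct DecodeResult { size_t values_read; bool read_past_filled; };

// Copies `input` into a heap scratch array of `capacity` bytes, then parses
// `n_points` signed 16-bit coordinates. zero_init=false leaves the tail as
// operator new[] returned it (the reported pattern); zero_init=true
// value-initialises it so every read is defined even if logically wrong.
DecodeResult DecodeCoords(const std::vector<uint8_t>& input, size_t capacity,
                          size_t n_points, bool zero_init, std::vector<int16_t>* out) {
  std::unique_ptr<uint8_t[]> scratch(zero_init ? new uint8_t[capacity]()
                                               : new uint8_t[capacity]);
  size_t filled = input.size() < capacity ? input.size() : capacity;
  memcpy(scratch.get(), input.data(), filled);
  Buffer buf(scratch.get(), capacity);
  DecodeResult r{0, false};
  for (size_t i = 0; i < n_points; ++i) {
    int16_t v = 0;
    if (!buf.ReadS16(&v)) break;  // ran off the end of the allocation
    out->push_back(v); ++r.values_read;
  }
  r.read_past_filled = buf.offset() > filled;  // deterministic stand-in for MSan
  return r;
}
```

The consumed-versus-filled comparison is the cheap check a decoder can assert on in non-sanitizer builds; MSan catches the same condition at the exact read without any instrumentation in the code.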
Owner: toyoshim@chromium.org
If I understand correctly, changes to woff2 must go to the GitHub repo first and then be updated in third_party/, so I'm not going to submit a quick fix.

Owners, please have a look.
Cc: bcwh...@chromium.org cmumford@chromium.org
+cc sheriffs.
Mergedinto: 602975
Status: Duplicate (was: Started)
Can I merge this to the same issue reported by ClusterFuzz?
I sent a patch to the upstream repository, and it is under review.

Also, here is a Chromium-side local patch:
https://codereview.chromium.org/1895043002/

In third_party/woff2, we allow minor local patches, but they should be listed in README.chromium.
Any updates? The bot is still red. (Sorry, I don't have permission to read the duped bug)
Now the fix is in CQ, https://codereview.chromium.org/1895043002/

I thought that when I merged a bug into another, members of the original bug would be added to the other one automatically, but Monorail doesn't seem to support that. Let me add you to it manually.
Thanks! Yes, it normally does that, but it seems that in this case it didn't because of the restriction. Seems intentional to me, otherwise you could peek into restricted bugs by creating a new one and then marking it as duplicate! :)
