Crash in v8::Context::Enter
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5975727870050304

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::Context::Enter
  extensions::AppBindings::OnAppInstallStateResponse
  bool IPC::MessageT<ExtensionMsg_GetAppInstallStateResponse_Meta, std::__1::tuple

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172434:172624

Minimized Testcase (19.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Rr5fKZGJUqn3XjnYt5LHia6_W9nJ83XRvAP8UKlM9ZFdy484acUSqNxrcvh8quZ9pz9N369koHGPVZiZIE5QWtFlBBmO7x5MYIT2Gn4vVz7ueuUZ9fJISsCCg4ayXhz_H94EFRNOMDhQ0fueTuUbWFmYQfOnH0k-xvE4iXg2fhCMcEQc

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 9 2016
I'm OOO, reassigning.
May 9 2016
I don't see anything that would guard against the native handler being invalidated.
May 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c1872b891a46dda7bd25463374cbd305d343ecfc

commit c1872b891a46dda7bd25463374cbd305d343ecfc
Author: rdevlin.cronin <rdevlin.cronin@chromium.org>
Date: Mon May 09 18:22:45 2016

[Extensions] Check is_valid() in app bindings

The AppBindings object can potentially receive an IPC message after it's been invalidated. Check before entering the v8 context.

BUG=610224
Review-Url: https://codereview.chromium.org/1960173002
Cr-Commit-Position: refs/heads/master@{#392367}

[modify] https://crrev.com/c1872b891a46dda7bd25463374cbd305d343ecfc/chrome/renderer/extensions/app_bindings.cc
May 10 2016
ClusterFuzz has detected this issue as fixed in range 392310:392347.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5975727870050304

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::Context::Enter
  extensions::AppBindings::OnAppInstallStateResponse
  bool IPC::MessageT<ExtensionMsg_GetAppInstallStateResponse_Meta, std::__1::tuple

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172434:172624
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=392310:392347

Minimized Testcase (19.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Rr5fKZGJUqn3XjnYt5LHia6_W9nJ83XRvAP8UKlM9ZFdy484acUSqNxrcvh8quZ9pz9N369koHGPVZiZIE5QWtFlBBmO7x5MYIT2Gn4vVz7ueuUZ9fJISsCCg4ayXhz_H94EFRNOMDhQ0fueTuUbWFmYQfOnH0k-xvE4iXg2fhCMcEQc

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 10 2016
May 10 2016
Your change meets the bar and is auto-approved for M51 (branch: 2704).
May 10 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2264cb9287ce50bfea812e80325debcb1474e4d2

commit 2264cb9287ce50bfea812e80325debcb1474e4d2
Author: Devlin Cronin <rdevlin.cronin@chromium.org>
Date: Tue May 10 23:43:57 2016

[Extensions] Check is_valid() in app bindings

The AppBindings object can potentially receive an IPC message after it's been invalidated. Check before entering the v8 context.

BUG=610224
Review-Url: https://codereview.chromium.org/1960173002
Cr-Commit-Position: refs/heads/master@{#392367}
(cherry picked from commit c1872b891a46dda7bd25463374cbd305d343ecfc)

Review URL: https://codereview.chromium.org/1970593002 .

Cr-Commit-Position: refs/branch-heads/2704@{#487}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/2264cb9287ce50bfea812e80325debcb1474e4d2/chrome/renderer/extensions/app_bindings.cc
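The lifetime hazard the two commit messages describe (an IPC reply reaching an AppBindings object after it has been invalidated) and the shape of the fix (checking is_valid() before entering the context), as an added C++ example. This is not Chromium code and not the patch from app_bindings.cc: ScriptContext, AppBindings, FakeIpcChannel, RunScenario and the method names below are hypothetical stand-ins for v8::Context, extensions::AppBindings and the renderer's asynchronous IPC dispatch, written only to show the ordering that produces the crash.

```cpp
#include <cstdio>
#include <functional>
#include <queue>
#include <string>
#include <utility>

// Added example, not Chromium code. Simplified model of crbug 610224: a native
// handler sends an IPC request, the script context it belongs to is torn down
// while the reply is in flight, and the reply is delivered to a handler whose
// context pointer is already null.

// Hypothetical stand-in for v8::Context.
struct ScriptContext {
  int times_entered = 0;
};

// Hypothetical stand-in for extensions::AppBindings. It holds a raw pointer to
// its context, cleared by Invalidate() when the owning frame goes away.
class AppBindings {
 public:
  explicit AppBindings(ScriptContext* context) : context_(context) {}

  bool is_valid() const { return context_ != nullptr; }
  void Invalidate() { context_ = nullptr; }

  // Pre-fix shape: enters the context unconditionally. Once Invalidate() has
  // run this dereferences a null pointer, which corresponds to the
  // "UNKNOWN READ at 0x000000000000 in v8::Context::Enter" in the report.
  // Never called on an invalidated handler in this example.
  void OnAppInstallStateResponseUnguarded(const std::string& state) {
    EnterContextAndRun(*context_, state);
  }

  // Post-fix shape: check is_valid() before touching the context and drop the
  // reply otherwise. Returns true if the reply reached script, false if dropped.
  bool OnAppInstallStateResponse(const std::string& state) {
    if (!is_valid())
      return false;
    EnterContextAndRun(*context_, state);
    return true;
  }

 private:
  // Stands in for v8::Context::Scope plus the JavaScript callback.
  static void EnterContextAndRun(ScriptContext& ctx, const std::string&) {
    ++ctx.times_entered;
  }

  ScriptContext* context_;
};

// Hypothetical stand-in for IPC dispatch: replies are queued and delivered on a
// later turn of the message loop, never synchronously with the request.
class FakeIpcChannel {
 public:
  void Send(std::function<void()> on_reply) { pending_.push(std::move(on_reply)); }
  void DispatchAll() {
    while (!pending_.empty()) {
      std::function<void()> reply = std::move(pending_.front());
      pending_.pop();
      reply();
    }
  }

 private:
  std::queue<std::function<void()>> pending_;
};

struct Result {
  int delivered = 0;
  int dropped = 0;
  int context_entries = 0;
};

// Runs the sequence: request sent, optional frame teardown, reply dispatched.
// teardown_before_reply == true is the ClusterFuzz ordering.
Result RunScenario(bool teardown_before_reply) {
  ScriptContext context;
  AppBindings bindings(&context);
  FakeIpcChannel ipc;
  Result result;

  // Modelled chrome.app.getInstallState() request; the reply is queued.
  ipc.Send([&] {
    if (bindings.OnAppInstallStateResponse("installed"))
      ++result.delivered;
    else
      ++result.dropped;
  });

  // Frame navigates or is destroyed while the request is still outstanding.
  if (teardown_before_reply)
    bindings.Invalidate();

  // Reply arrives on the next message-loop turn.
  ipc.DispatchAll();
  result.context_entries = context.times_entered;
  return result;
}

int main() {
  Result late = RunScenario(/*teardown_before_reply=*/true);
  std::printf("late reply: delivered=%d dropped=%d context_entries=%d\n",
              late.delivered, late.dropped, late.context_entries);
  return 0;
}
```

RunScenario(true) is the fuzzer's case: the guarded handler drops the late reply instead of entering a null context, while RunScenario(false) shows the normal path still delivering. One caveat a reviewer would keep in mind with this style of fix: an is_valid() check at the top of the handler only holds if nothing the handler does between the check and the context entry can itself invalidate the handler.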
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rnimmagadda@chromium.org, May 9 2016
Components: Blink>JavaScript Tools>Test>FindIt>CorrectResult
Labels: findit-for-crash Te-Logged M-51
Owner: marja@chromium.org
Status: Assigned (was: Available)