Heap-use-after-free in content::PermissionServiceImpl::CancelPendingOperations
May 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6405346175746048
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e000080880
Crash State:
  content::PermissionServiceImpl::CancelPendingOperations
  content::PermissionServiceImpl::OnConnectionError
  mojo::internal::Router::OnConnectionError
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=391931:391971
Minimized Testcase (22.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv951JSTdCj10hQXTE9PAgocWOBhOc5_fXxQrFOCvX4taISLP6sXObf0rRZOHIDyuaiYgQfLKMfyLfNeJU2QuI_Z0sNrmdKrlKnu9LaabbKlaIthQmEjtIt39R4YN0TD8U3EimFYsqM_ylWUEDN3bCu1rKD9AKzTctZwvAQt_6Mc85ajtBEI
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 11 2016
sammc@, could you please take a look? Your CL is suspected as a culprit:
Author: sammc
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/f458adf68e9e3a394a3903ca8d52a3b508d87a61
Time: Fri May 06 00:30:27 2016
Line 110 of file permission_service_impl.cc, which potentially caused the crash, was changed in this CL (frame #1, "content::PermissionServiceImpl::OnConnectionError"). Minimum distance from crash line to modified line: 0 (file: permission_service_impl.cc, crashed on: 110, modified: 110).
May 11 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6675651645407232
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  content::PermissionServiceImpl::CancelPendingOperations
  content::PermissionServiceImpl::OnConnectionError
  mojo::internal::Connector::HandleError
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=391941:391970
Minimized Testcase (22.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95qeNecWN799GmXJhviNapLQhA3WCgA38MdKC2_BQo5sMJlGds-LcKAbVPwFCWhykYk4CQjbDB8y6ABb_B_kBol3ADz-UmohetSFvFiv0xd1cWhwYDx-gv_ELnASDZuqFfH8C3fD03ogGGzFAXfMljXtxOg2KKBvQGrfd6ik7O_5Dp-evc
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 11 2016
The second crash looks similar to the first one.
May 11 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 12 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d8514447d66180f24e25713aea4445f80a9f4d6e

commit d8514447d66180f24e25713aea4445f80a9f4d6e
Author: sammc <sammc@chromium.org>
Date: Thu May 12 07:54:05 2016

    Run queued tasks before shutting down after running a layout test.

    Currently, when a layout test run finishes, the BlinkTestController falls out of scope, which triggers shutdown of the RenderProcessHostImpl used by the test. However, RenderProcessHostImpl posts a task to delete itself, which is currently never run; this results in a RenderProcessHostImpl outliving the UI MessageLoop and its BrowserContext, inviting use-after-frees. This CL fixes this issue by running queued tasks before shutting down the main runner.

    BUG=610989
    Review-Url: https://codereview.chromium.org/1975593003
    Cr-Commit-Position: refs/heads/master@{#393204}

[modify] https://crrev.com/d8514447d66180f24e25713aea4445f80a9f4d6e/content/shell/browser/layout_test/layout_test_browser_main.cc
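Added example (not Chromium code) modelling the lifetime problem the commit message describes: a host object defers its own deletion to a posted task, and if the loop is torn down without draining the queue, the host's destructor runs after the context it touches is already gone. TaskQueue, Context, Host and RunShutdown are assumed stand-ins for the Chromium classes named above; a weak_ptr replaces the raw pointer so the stale access is reported as a value instead of being undefined behaviour.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <string>
#include <utility>

// Stand-in for the UI MessageLoop: posted tasks run only when Drain() is called.
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push(std::move(task)); }
  void Drain() {  // a task may delete the object that posted it, so copy it out first
    while (!tasks_.empty()) { auto t = std::move(tasks_.front()); tasks_.pop(); t(); }
  }
 private:
  std::queue<std::function<void()>> tasks_;
};

// Stand-in for BrowserContext. Held through weak_ptr so the host can detect that the
// context is gone; the real code holds a raw pointer and reads freed memory instead.
struct Context { int cancelled = 0; };

// Stand-in for RenderProcessHostImpl / PermissionServiceImpl: the destructor cancels
// pending operations against the context (cf. CancelPendingOperations in the trace).
class Host {
 public:
  Host(std::weak_ptr<Context> ctx, std::string* log) : ctx_(std::move(ctx)), log_(log) {}
  ~Host() {
    if (auto ctx = ctx_.lock()) { ctx->cancelled++; *log_ += "ok;"; }
    else *log_ += "UAF;";  // context already freed: this is the read ASan reported
  }
  // Mirrors "posts a task to delete itself": deletion is queued, not immediate.
  void Shutdown(TaskQueue& loop) { loop.Post([this] { delete this; }); }
 private:
  std::weak_ptr<Context> ctx_;
  std::string* log_;
};

// One simulated layout-test shutdown. drain_before_teardown=true is the commit's
// fix: run queued tasks before shutting down the main runner.
std::string RunShutdown(bool drain_before_teardown) {
  std::string log;
  TaskQueue loop;
  auto context = std::make_shared<Context>();
  Host* host = new Host(context, &log);
  host->Shutdown(loop);                     // deletion queued, nothing runs yet
  if (drain_before_teardown) loop.Drain();  // fixed: host dies while context lives
  context.reset();                          // BrowserContext torn down
  loop.Drain();                             // buggy: host dies after the context
  return log;                               // "ok;" when fixed, "UAF;" when not
}
```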
May 12 2016
ClusterFuzz has detected this issue as fixed in range 393199:393222.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6405346175746048
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e000080880
Crash State:
  content::PermissionServiceImpl::CancelPendingOperations
  content::PermissionServiceImpl::OnConnectionError
  mojo::internal::Router::OnConnectionError
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=391931:391971
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=393199:393222
Minimized Testcase (22.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv951JSTdCj10hQXTE9PAgocWOBhOc5_fXxQrFOCvX4taISLP6sXObf0rRZOHIDyuaiYgQfLKMfyLfNeJU2QuI_Z0sNrmdKrlKnu9LaabbKlaIthQmEjtIt39R4YN0TD8U3EimFYsqM_ylWUEDN3bCu1rKD9AKzTctZwvAQt_6Mc85ajtBEI
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 13 2016
ClusterFuzz has detected this issue as fixed in range 393199:393215.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6675651645407232
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  content::PermissionServiceImpl::CancelPendingOperations
  content::PermissionServiceImpl::OnConnectionError
  mojo::internal::Connector::HandleError
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=391941:391970
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=393199:393215
Minimized Testcase (22.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95qeNecWN799GmXJhviNapLQhA3WCgA38MdKC2_BQo5sMJlGds-LcKAbVPwFCWhykYk4CQjbDB8y6ABb_B_kBol3ADz-UmohetSFvFiv0xd1cWhwYDx-gv_ELnASDZuqFfH8C3fD03ogGGzFAXfMljXtxOg2KKBvQGrfd6ik7O_5Dp-evc
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 11 2016
Labels: Pri-1
Owner: sa...@chromium.org