eae@, could you please help to triage this?

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

None of the changes in the regression range look relevant. Requesting another bisect run.

Did a manual bisect which points to 61e34ff7dd4ac48b8c4275eb3f541ebfb8a50266 as the culprit.

commit 61e34ff7dd4ac48b8c4275eb3f541ebfb8a50266
Author: japhet <japhet@chromium.org>
Date:   Fri May 6 15:17:26 2016 -0700

    Simplifying finishing a load on Resource
    
    Have a single method to be called for success (Resource::finish) or failure
    (Resource::error) that take all the relevant parameters.
    
    BUG=
    
    Review-Url: https://codereview.chromium.org/1928823002
    Cr-Commit-Position: refs/heads/master@{#392177}

japhet: are you the correct owner for this bug?

I don't immediately see how my patch would've caused that use-after-free, but I guess it's possible. This patch is currently 2nd on my todo list, I hope to get to it tomorrow.

 Issue 613914  has been merged into this issue.

Yep, the regression is in 61e34ff7dd4ac48b8c4275eb3f541ebfb8a50266. Patch up at https://codereview.chromium.org/2009103002/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cbab5f331081a48a4a43a5104b80e5880bf874b9

commit cbab5f331081a48a4a43a5104b80e5880bf874b9
Author: japhet <japhet@chromium.org>
Date: Wed May 25 22:05:12 2016

Ensure observers are notified when an image fails to decode.

BUG= 610990 
TEST=http/tests/images/restyle-decode-error.html

Review-Url: https://codereview.chromium.org/2009103002
Cr-Commit-Position: refs/heads/master@{#396000}

[add] https://crrev.com/cbab5f331081a48a4a43a5104b80e5880bf874b9/third_party/WebKit/LayoutTests/http/tests/images/restyle-decode-error-expected.html
[add] https://crrev.com/cbab5f331081a48a4a43a5104b80e5880bf874b9/third_party/WebKit/LayoutTests/http/tests/images/restyle-decode-error.html
[modify] https://crrev.com/cbab5f331081a48a4a43a5104b80e5880bf874b9/third_party/WebKit/Source/core/fetch/ImageResource.cpp

It looks like, when LayoutImage::imageChanged runs the following block:

if (isGeneratedContent() && isHTMLImageElement(node()) && m_imageResource>errorOccurred())  {
    toHTMLImageElement(node())->ensureFallbackForGeneratedContent();
    return;
}

...this LayoutImage* can (and will always?) be deleted when ensureFallbackForGeneratedContent() returns. When imageChanged() is called in response to an ImageResourceObserver callback, the stack unwinds gracefully. However, if observers aren't correctly notified, as was the case in this bug, imageChanged() might be called via styleDidChange(), which is *not* resilient to the LayoutImage* being deleted inside.

ensureFallbackForGeneratedContent() is only called when ImageResource::errorOccurred() is true, and observers *should* be notified (and imageChanged called via those notifications) immediately after errorOccurred() becomes true. So I'm not sure it's worth defending styleDidChange() against this failure mode, since it appears to be very specific to the ImageResource having an error but not telling its clients, which is intrinsically bad.

Your change meets the bar and is auto-approved for M52 (branch: 2743)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d2634566be6ed8b068e1ff5414525627a8adb7fc

commit d2634566be6ed8b068e1ff5414525627a8adb7fc
Author: Nate Chapin <japhet@chromium.org>
Date: Fri May 27 22:00:30 2016

Ensure observers are notified when an image fails to decode.

BUG= 610990 
TEST=http/tests/images/restyle-decode-error.html

Review-Url: https://codereview.chromium.org/2009103002
Cr-Commit-Position: refs/heads/master@{#396000}
(cherry picked from commit cbab5f331081a48a4a43a5104b80e5880bf874b9)

Review URL: https://codereview.chromium.org/2014333004 .

Cr-Commit-Position: refs/branch-heads/2743@{#110}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[add] https://crrev.com/d2634566be6ed8b068e1ff5414525627a8adb7fc/third_party/WebKit/LayoutTests/http/tests/images/restyle-decode-error-expected.html
[add] https://crrev.com/d2634566be6ed8b068e1ff5414525627a8adb7fc/third_party/WebKit/LayoutTests/http/tests/images/restyle-decode-error.html
[modify] https://crrev.com/d2634566be6ed8b068e1ff5414525627a8adb7fc/third_party/WebKit/Source/core/fetch/ImageResource.cpp

ClusterFuzz has detected this issue as fixed in range 395936:396053.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4854517505458176

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61100027b7d0
Crash State:
  blink::LayoutImage::styleDidChange
  blink::LayoutObject::setStyle
  blink::Element::recalcOwnStyle
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=392043:392265
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=395936:396053

Minimized Testcase (0.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95TBRpXU5sJgBEdE1GrP12v-ikGk4f7D-Yi0gFezPB8ly6dyhlvoD4CPoQtQMO8GWkBOPQwJ3cm39Ah5isRa5VMFpUF263IvaZoFPmpa9nrWjZd3Tbz5Zdsssrkw3oCYHT0rG-24wlNkiGaILmXt3-RlqHY3Q

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot