Use-of-uninitialized-value in test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5257559878926336

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=385166:385175

Minimized Testcase (0.12 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97eaO0cYnBQCIKxRsFzhQi7DmF8d96_NLfBvf9iezthQn-jwjF7qyx1JdDlxeRptZMcVs30EBssTdKsFwH-dJgH2zVe45HYv0WC9NGi6YLlti_pUriuhPR9joiHHp6M2C4vnJeDxJqPckd8WKF898ylvL4xEw

<script>
var recognition = new webkitSpeechRecognition();
recognition.start();
recognition.stop();
;</script>

Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 11 2016

May 19 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5257559878926336

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=385166:385175

Minimized Testcase (0.12 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97eaO0cYnBQCIKxRsFzhQi7DmF8d96_NLfBvf9iezthQn-jwjF7qyx1JdDlxeRptZMcVs30EBssTdKsFwH-dJgH2zVe45HYv0WC9NGi6YLlti_pUriuhPR9joiHHp6M2C4vnJeDxJqPckd8WKF898ylvL4xEw

<script>
var recognition = new webkitSpeechRecognition();
recognition.start();
recognition.stop();
;</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 19 2016
I'm sorry, I no longer work on Chromium. I also don't know anything about this part of the code. You'll need to find another owner.
May 20 2016
Thanks dmichael@. I kicked off a "Fixed" redo job since CF marked it as a flaky testcase.
May 21 2016

May 23 2016
From the repro in https://cluster-fuzz.appspot.com/testcase?key=6447138229190656, looks like a MockWebSpeechRecognizer bug in content shell. Not a security vulnerability.
Jun 16 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5257559878926336

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base
  base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=392547:392552

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94WiUWshJOn7sLYjWQ5-leaDKcuWiezQzaMlGqfCDe1zDu7EpFiVDq0PpcFY1ZxWHf_ryJYHMGa5xOn5k-t7Ay1h3LhBtCh39HNiLV4Zj3mUPAGAYYFgnobGVMhvXUzmJOLvFSjt1V3_DY6aYzFyQkkdRV1UQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 30 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 11 2016

Components: Blink>Speech
Labels: M-52
Owner: dmichael@chromium.org
dmichael@, do you mind taking a look or suggesting another owner? Since:

"
Uninitialized value was created by a heap deallocation
  #0 0x4a5422 in operator delete(void*)
  #1 0x11d4d90a in content::RenderViewImpl::~RenderViewImpl() content/renderer/render_view_impl.cc:845:3
<...>
"

it may be a use-after-free. Setting High severity for now.