Heap-buffer-overflow in epoll_add
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6649947634270208
Fuzzer: ipc_fuzzer_gen
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61500002faf0
Crash State:
  epoll_add
  event_add
  base::MessagePumpLibevent::WatchFileDescriptor
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_ipc&range=398351:398496
Minimized Testcase (240.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94wCfMbaQ3tYBg_e9eBk7x2YHRC1MpbPZg_dwX7C0veLfbyyqAecABu20i0rMcTg9AaMzm8XVNarA7p0lAPoY8e_wQzzBHnkLWyXK5pFlY1QW3zPEQOT_J7h12jSQiRwhCAB4mnc6Yt9cTt7aU1cYNgmX0DrzHk1Y1liFb5ls5LlNzJCdI
Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016

Jun 17 2016
ClusterFuzz has detected this issue as fixed in range 398496:398573.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6649947634270208
Fuzzer: ipc_fuzzer_gen
Job Type: linux_asan_chrome_ipc
Platform Id: linux
Crash Type: Heap-buffer-overflow READ 8
Crash Address: 0x61500002faf0
Crash State:
  epoll_add
  event_add
  base::MessagePumpLibevent::WatchFileDescriptor
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_ipc&range=398351:398496
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_ipc&range=398496:398573
Minimized Testcase (240.23 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94wCfMbaQ3tYBg_e9eBk7x2YHRC1MpbPZg_dwX7C0veLfbyyqAecABu20i0rMcTg9AaMzm8XVNarA7p0lAPoY8e_wQzzBHnkLWyXK5pFlY1QW3zPEQOT_J7h12jSQiRwhCAB4mnc6Yt9cTt7aU1cYNgmX0DrzHk1Y1liFb5ls5LlNzJCdI

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 17 2016

Jun 17 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jun 17 2016

Jun 17 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f0a6234831ce289c4b16327d2418e5ff3c623d54

commit f0a6234831ce289c4b16327d2418e5ff3c623d54
Author: rockot <rockot@chromium.org>
Date: Fri Jun 17 22:14:55 2016

[mojo-edk] Prevent watching an invalid FD on early broker pipe closure

If a parent process closes the broker OS pipe to a child before that child can request a NodeChannel FD from it, the child will silently ignore this failure and try to bring up a NodeChannel over an invalid FD. This means adding FileDescriptorWatchers and ultimately calling epoll_add on the invalid descriptor, hence the linked bug.

This CL fixes that by terminating the child-parent connection early when the Broker fails to acquire a valid NodeChannel FD.

BUG=620758
R=jam@chromium.org

Review-Url: https://codereview.chromium.org/2072233005
Cr-Commit-Position: refs/heads/master@{#400523}

[modify] https://crrev.com/f0a6234831ce289c4b16327d2418e5ff3c623d54/mojo/edk/system/node_controller.cc
Jun 17 2016

Jun 18 2016

Jun 18 2016

Jul 26 2016
Fix already in M53, removing ReleaseBlock-Beta.
Sep 24 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Oct 2 2016

Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by infe...@chromium.org, Jun 16 2016
Owner: roc...@chromium.org
Status: Assigned (was: Available)