args[0]->IsString() && args[1]->IsString() && args[2]->IsBoolean() in runtime_cu
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6639938347204608
Fuzzer: v8_builtins_generator
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  args[0]->IsString() && args[1]->IsString() && args[2]->IsBoolean() in runtime_cu
  extensions::RuntimeCustomBindings::OpenChannelToExtension
  extensions::ObjectBackedNativeHandler::Router
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=392426:392525
Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95b0ESuHrF64-5FbvDQXfDN6E1Xr7Aw6FS7eNgPiHLMQZtYG3MsmgTOIOr7D5K71YEVc9NDdbe7vT_DhFq6C9e6Rvt5Vmi7CetWNwYf2iANVvr3XSd9dQYVOflZszHyCgK1AtBFls1yB1y9bCnvg-DiWVBhRA?testcase_id=6639938347204608

  <script>
  var v1 = {};
  Object.prototype.__defineGetter__(1, function() { return v1; });
  Object.prototype.__defineSetter__(1, function() { this[0] = 2147483647; });
  v46 = chrome.runtime.connect();
  </script>

Filer: tjbecker
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 21 2016
Currently it's impacting Beta 52.0.2743.41.
Chromium CL: https://chromium.googlesource.com/chromium/src/+log/f8907f402e6141d88721bb4b4307c8fe8f283c5e..a3f365cf9003c65d140c44b7d3a9db545ad7f567?pretty=fuller
Possible suspect from the above CL: https://codereview.chromium.org/1960903002
rdevlin.cronin@: Could you please take a look into this if it's related to your change, else help assigning it to an appropriate owner? Thanks in advance!
Jun 21 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5778731197267968
Fuzzer: v8_builtins_generator
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  args[0]->IsString() && args[1]->IsString() && args[2]->IsBoolean() in runtime_cu
  extensions::RuntimeCustomBindings::OpenChannelToExtension
  _ZN4base8internal7InvokerINS0_9BindStateIMN10extensions21RuntimeCustomBindingsEF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=392503:392534
Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96UEgCYmt28YyXaJtadLEePxTsai84sYMkaPcTuS8w-Rl_XcY4PfeotQBy82r10cksCD-xIDsTlsbZuhSU-Fl_7CjI9lIpywvEB5ZxnNg-ggm2u50zajNQrSbHE9pF7nP_iWF8ilWQO0fwR7-GV1__hcPdDLQ?testcase_id=5778731197267968

  <script>
  var v6 = {};
  Object.prototype.__defineGetter__(1, function() { return v6; });
  Object.prototype.__defineSetter__(1, function() { this[0] = Math.floor(0xFFFFFFFF / 4) + 1; });
  v37 = chrome.runtime.connect();
  </script>

Filer: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 4 2016
This issue is Pri-1 but has already been moved once. Lowering the priority and moving to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 12 2016
This basically happens because the script retroactively changes the values of arguments so that the version we validate isn't the version that we pass to C++. There's no good defense against this, and I don't think it's worth changing our strictness in C++ nor slowing down all the time to handle. This isn't a security risk, since it triggers a CHECK that's designed to find out when a renderer is doing something really really crazy - which is exactly what's happening here. I'm inclined to mark this as WontFix. If anyone feels differently, lemme know.
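An added illustration of the validate-then-pass gap described in this comment (constructed here, not Chromium's binding code): the fragile binding re-reads a mutable array after validating it, so the test case's Object.prototype setter rewrites args[0] between the check and the native call; the hardened version validates local snapshots and builds the array with a literal. The names nativeOpenChannel, fragileConnect, hardenedConnect and withHostilePrototype are assumptions of this example.

```javascript
// Stand-in for the C++ side: the CHECK from the crash state, expressed in JS.
function nativeOpenChannel(args) {
  if (typeof args[0] !== 'string' || typeof args[1] !== 'string' ||
      typeof args[2] !== 'boolean') {
    throw new Error('CHECK failure: args[0]->IsString() && args[1]->IsString() && args[2]->IsBoolean()');
  }
  return { targetId: args[0], channelName: args[1], includeTlsChannelId: args[2] };
}

// Fragile pattern (hypothetical binding): validate args[0], then keep writing into
// the same array. The write to args[1] lands on a hole, so the prototype setter from
// the test case runs and turns args[0] into a number after validation.
function fragileConnect(extensionId, channelName, includeTls) {
  const args = [];
  args[0] = typeof extensionId === 'string' ? extensionId : 'own-extension-id';
  if (typeof args[0] !== 'string') throw new TypeError('extensionId must be a string');
  args[1] = typeof channelName === 'string' ? channelName : '';
  args[2] = Boolean(includeTls);
  return nativeOpenChannel(args);
}

// Hardened pattern: snapshot each argument into a local primitive, validate the
// locals, and build the array with a literal (own data properties, no accessors).
function hardenedConnect(extensionId, channelName, includeTls) {
  const id = typeof extensionId === 'string' ? extensionId : 'own-extension-id';
  const name = typeof channelName === 'string' ? channelName : '';
  const tls = Boolean(includeTls);
  if (typeof id !== 'string' || typeof name !== 'string') throw new TypeError('bad argument');
  return nativeOpenChannel([id, name, tls]);
}

// Installs accessors equivalent to the ClusterFuzz test case (constructed to mirror
// it), runs fn, then restores Object.prototype so nothing else is affected.
function withHostilePrototype(fn) {
  const leaked = {};
  Object.defineProperty(Object.prototype, 1, {
    get() { return leaked; },
    set(_v) { this[0] = 2147483647; },
    configurable: true,
  });
  try { return fn(); } finally { delete Object.prototype[1]; }
}

// Runs a connect implementation on well-formed input: returns the channel record,
// or 'CHECK' when the native-side type check fired.
function tryConnect(connect) {
  try { return connect('abcdefghijklmnopabcdefghijklmnop', 'chan', false); }
  catch (e) { return e.message.startsWith('CHECK') ? 'CHECK' : 'TypeError'; }
}
```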
Sep 10 2016
ClusterFuzz has detected this issue as fixed in range 417712:417796.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5525981922328576
Fuzzer: v8_builtins_generator
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  args[0]->IsString() && args[1]->IsString() && args[2]->IsBoolean() in runtime_cu
  extensions::RuntimeCustomBindings::OpenChannelToExtension
  _ZN4base8internal7InvokerINS_13IndexSequenceIJLm0EEEENS0_9BindStateINS0_15Runnab
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=392503:392534
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=417712:417796
Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95FnSJ5hSMRlE-rgdS9UdBaQ8bdXRuEIfMvFnOKD_rr9XrqEx2Nv1X1CqMObd8r7MUe3f2Y0pokUzdUpZCdd0ZCGBS8R9vCqQSDoX5UU2Jtmv1CUigNA0hpSv4qcnqAoM3JtaPS_0zCFRcUQk2neNVIjLDsxw?testcase_id=5525981922328576

  <script>
  var v3 = {};
  Object.prototype.__defineGetter__(1, function() { return v3; });
  Object.prototype.__defineSetter__(1, function() { this[0] = 2147483647; });
  v38 = chrome.runtime.connect();
  </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 10 2016
ClusterFuzz has detected this issue as fixed in range 417712:417796.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5778731197267968
Fuzzer: v8_builtins_generator
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  args[0]->IsString() && args[1]->IsString() && args[2]->IsBoolean() in runtime_cu
  extensions::RuntimeCustomBindings::OpenChannelToExtension
  _ZN4base8internal7InvokerINS0_9BindStateIMN10extensions21RuntimeCustomBindingsEF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=392503:392534
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=417712:417796
Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96UEgCYmt28YyXaJtadLEePxTsai84sYMkaPcTuS8w-Rl_XcY4PfeotQBy82r10cksCD-xIDsTlsbZuhSU-Fl_7CjI9lIpywvEB5ZxnNg-ggm2u50zajNQrSbHE9pF7nP_iWF8ilWQO0fwR7-GV1__hcPdDLQ?testcase_id=5778731197267968

  <script>
  var v6 = {};
  Object.prototype.__defineGetter__(1, function() { return v6; });
  Object.prototype.__defineSetter__(1, function() { this[0] = Math.floor(0xFFFFFFFF / 4) + 1; });
  v37 = chrome.runtime.connect();
  </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 14 2016
ClusterFuzz has detected this issue as fixed in range 418377:418438.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6639938347204608
Fuzzer: v8_builtins_generator
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  args[0]->IsString() && args[1]->IsString() && args[2]->IsBoolean() in runtime_cu
  extensions::RuntimeCustomBindings::OpenChannelToExtension
  extensions::ObjectBackedNativeHandler::Router
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=392426:392525
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=418377:418438
Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95b0ESuHrF64-5FbvDQXfDN6E1Xr7Aw6FS7eNgPiHLMQZtYG3MsmgTOIOr7D5K71YEVc9NDdbe7vT_DhFq6C9e6Rvt5Vmi7CetWNwYf2iANVvr3XSd9dQYVOflZszHyCgK1AtBFls1yB1y9bCnvg-DiWVBhRA?testcase_id=6639938347204608

  <script>
  var v1 = {};
  Object.prototype.__defineGetter__(1, function() { return v1; });
  Object.prototype.__defineSetter__(1, function() { this[0] = 2147483647; });
  v46 = chrome.runtime.connect();
  </script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Jun 17 2016