Looks like a really simple fix, but I haven't confirmed yet. I'll give it a shot once minimization finishes or punt it to a better owner if it turns out to be more complicated.

The fix I had in mind seems to work. Still just waiting on the minimizer to finish for a layout test.

ClusterFuzz has detected this issue as fixed in range 401557:401580.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5833274719207424

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::Font::canShapeWordByWord
  blink::CachingWordShaper::width
  blink::Font::width
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=399234:399406
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=401557:401580

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94O30sH_NzgvXAyZSgn73ellIu680FbrLl2xosf5pJzML65u_-ROXiqIxTpAlp7mGWOehd52MNTAmq6goszes8iN7u1xgPVrK-g3enUs2PbAzsdVyOY2gEJWzi5wrg-hCGmyQq9tialM_Wza-Dyu70tPfM8FwYV6p0-KXZdC5Pz_XQKoCY?testcase_id=5833274719207424


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 401557:401580.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5833274719207424

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::Font::canShapeWordByWord
  blink::CachingWordShaper::width
  blink::Font::width
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=399234:399406
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=401557:401580

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94O30sH_NzgvXAyZSgn73ellIu680FbrLl2xosf5pJzML65u_-ROXiqIxTpAlp7mGWOehd52MNTAmq6goszes8iN7u1xgPVrK-g3enUs2PbAzsdVyOY2gEJWzi5wrg-hCGmyQq9tialM_Wza-Dyu70tPfM8FwYV6p0-KXZdC5Pz_XQKoCY?testcase_id=5833274719207424


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Fixed by yosin in https://chromium.googlesource.com/chromium/src/+/2217e8c563575ead5c9450408529340ec93ccef7

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot