Fonts in styles are sometimes not initialized during layout()
Issue description

When fixing issue 618237, yosin@ found a case where LayoutMenuList::style()->font() is not initialized (or partially initialized?) and passed to Font::width().
Jun 23 2016
Note, the CL in comment #1 fixed MSAN to complain about uninitialized members by initializing them. But style()->font() having an initialized value, not inherited value, indicates something is wrong. This bug is to track what's really wrong rather than suppressing MSAN complaints.
Jun 24 2016
The revert mentioned in #1: https://codereview.chromium.org/2084913005

Copying test failure before it's expired below.

Dashboard: https://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=editing%2Fselection%2Fmodify_move%2Fmove_backward_line_import_crash.html&testType=webkit_tests
First failed build: https://build.chromium.org/p/chromium.webkit/builders/WebKit%20Linux%20MSAN/builds/10718
Failed test: editing/selection/modify_move/move_backward_line_import_crash.html

Copy from the test failure:

STDERR: ==4==WARNING: MemorySanitizer: use-of-uninitialized-value
STDERR:     #0 0x103f123e in canShapeWordByWord third_party/WebKit/Source/platform/fonts/Font.cpp:450:9
STDERR:     #1 0x104711bb in CachingWordShapeIterator third_party/WebKit/Source/platform/fonts/shaping/CachingWordShapeIterator.h:55:33
STDERR:     #2 0x104711bb in width third_party/WebKit/Source/platform/fonts/shaping/CachingWordShaper.cpp:44:0
STDERR:     #3 0x103eebea in floatWidthForComplexText third_party/WebKit/Source/platform/fonts/Font.cpp:733:26
STDERR:     #4 0x103eebea in width third_party/WebKit/Source/platform/fonts/Font.cpp:237:0
STDERR:     #5 0x86d5777 in computeTextHeight third_party/WebKit/Source/core/layout/LayoutMenuList.cpp:178:26
STDERR:     #6 0x86d5777 in updateOptionsHeightWidth third_party/WebKit/Source/core/layout/LayoutMenuList.cpp:168:0
STDERR:     #7 0x86d9ed6 in computeIntrinsicLogicalWidths third_party/WebKit/Source/core/layout/LayoutMenuList.cpp:283:5
STDERR:     #8 0x84564ed in computePreferredLogicalWidths third_party/WebKit/Source/core/layout/LayoutBlock.cpp:1253:9
STDERR:     #9 0x851982a in minPreferredLogicalWidth third_party/WebKit/Source/core/layout/LayoutBox.cpp:1029:39
STDERR:     #10 0x850ebe4 in computeLogicalWidthUsing third_party/WebKit/Source/core/layout/LayoutBox.cpp:2325:25
STDERR:     #11 0x8533f01 in computeLogicalWidth third_party/WebKit/Source/core/layout/LayoutBox.cpp:2229:37
STDERR:     #12 0x8532075 in updateLogicalWidth third_party/WebKit/Source/core/layout/LayoutBox.cpp:2136:5
STDERR:     #13 0x843e4f8 in updateLogicalWidthAndColumnWidth third_party/WebKit/Source/core/layout/LayoutBlock.cpp:397:5
STDERR:     #14 0x85bc69e in layoutBlock third_party/WebKit/Source/core/layout/LayoutFlexibleBox.cpp:332:9
STDERR:     #15 0x843e0c1 in layout third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366:5
STDERR:     #16 0x84e8e6e in layoutIfNeeded third_party/WebKit/Source/core/layout/LayoutObject.h:900:13
STDERR:     #17 0x84e8e6e in layoutInlineChildren third_party/WebKit/Source/core/layout/LayoutBlockFlowLine.cpp:1600:0
STDERR:     #18 0x8470fcb in layoutBlockFlow third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:483:9
STDERR:     #19 0x846ecf2 in layoutBlock third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:390:16
STDERR:     #20 0x843e0c1 in layout third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366:5
STDERR:     #21 0x84763d4 in positionAndLayoutOnceIfNeeded third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:668:11
STDERR:     #22 0x84774ee in layoutBlockChild third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:718:30
STDERR:     #23 0x848c248 in layoutBlockChildren third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1203:9
STDERR:     #24 0x8471055 in layoutBlockFlow third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:485:9
STDERR:     #25 0x846ecf2 in layoutBlock third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:390:16
STDERR:     #26 0x843e0c1 in layout third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366:5
STDERR:     #27 0x84763d4 in positionAndLayoutOnceIfNeeded third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:668:11
STDERR:     #28 0x84774ee in layoutBlockChild third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:718:30
STDERR:     #29 0x848c248 in layoutBlockChildren third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1203:9
STDERR:     #30 0x8471055 in layoutBlockFlow third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:485:9
STDERR:     #31 0x846ecf2 in layoutBlock third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:390:16
STDERR:     #32 0x843e0c1 in layout third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366:5
STDERR:     #33 0x84763d4 in positionAndLayoutOnceIfNeeded third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:668:11
STDERR:     #34 0x84774ee in layoutBlockChild third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:718:30
STDERR:     #35 0x848c248 in layoutBlockChildren third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1203:9
STDERR:     #36 0x8471055 in layoutBlockFlow third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:485:9
STDERR:     #37 0x846ecf2 in layoutBlock third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:390:16
STDERR:     #38 0x843e0c1 in layout third_party/WebKit/Source/core/layout/LayoutBlock.cpp:366:5
STDERR:     #39 0x889562e in layoutContent third_party/WebKit/Source/core/layout/LayoutView.cpp:185:22
STDERR:     #40 0x889562e in layout third_party/WebKit/Source/core/layout/LayoutView.cpp:285:0
STDERR:     #41 0x7882a6b in layoutFromRootObject third_party/WebKit/Source/core/frame/FrameView.cpp:830:10
STDERR:     #42 0x7882a6b in performLayout third_party/WebKit/Source/core/frame/FrameView.cpp:899:0
STDERR:     #43 0x7879dda in layout third_party/WebKit/Source/core/frame/FrameView.cpp:1052:9
STDERR:     #44 0x5df1d7d in updateStyleAndLayout third_party/WebKit/Source/core/dom/Document.cpp:1884:20
STDERR:     #45 0x5df195b in updateStyleAndLayoutIgnorePendingStylesheets third_party/WebKit/Source/core/dom/Document.cpp:1971:5
STDERR:     #46 0x748bc25 in canonicalPosition<blink::PositionTemplate<EditingStrategy> > third_party/WebKit/Source/core/editing/VisibleUnits.cpp:106:26
STDERR:     #47 0x748bc25 in canonicalPositionOf third_party/WebKit/Source/core/editing/VisibleUnits.cpp:162:0
STDERR:     #48 0x74744ec in create third_party/WebKit/Source/core/editing/VisiblePosition.cpp:63:53
STDERR:     #49 0x7475611 in createVisiblePosition third_party/WebKit/Source/core/editing/VisiblePosition.cpp:115:12
STDERR:     #50 0x7475611 in createVisiblePosition third_party/WebKit/Source/core/editing/VisiblePosition.cpp:110:0
STDERR:     #51 0x746ee0c in visibleStart third_party/WebKit/Source/core/editing/VisibleSelection.h:81:69
STDERR:     #52 0x746ee0c in modify third_party/WebKit/Source/core/editing/SelectionModifier.cpp:538:0
STDERR:     #53 0x74184c8 in modify third_party/WebKit/Source/core/editing/FrameSelection.cpp:625:45
STDERR:     #54 0x503208f in modifyMethod ./out/Release/gen/blink/bindings/core/v8/V8Selection.cpp:555:11
STDERR:     #55 0x503208f in modifyMethodCallback ./out/Release/gen/blink/bindings/core/v8/V8Selection.cpp:561:0
STDERR:     #56 0x2214c7a in Call v8/src/api-arguments.cc:19:3
STDERR:
STDERR:   Uninitialized value was created by a heap allocation
STDERR:     #0 0x467f42 in malloc ??:0
STDERR:     #1 0x8a4300a in partitionAllocGenericFlags third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:736:20
STDERR:     #2 0x8a4300a in partitionAllocGeneric third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:763:0
STDERR:     #3 0x8a4300a in fastMalloc third_party/WebKit/Source/wtf/allocator/Partitions.h:110:0
STDERR:     #4 0x8a4300a in operator new third_party/WebKit/Source/wtf/RefCounted.h:153:0
STDERR:     #5 0x8a4300a in create third_party/WebKit/Source/core/style/StyleInheritedData.h:39:0
STDERR:     #6 0x8a4300a in init third_party/WebKit/Source/core/style/DataRef.h:50:0
STDERR:     #7 0x8a4300a in ComputedStyle third_party/WebKit/Source/core/style/ComputedStyle.cpp:147:0
STDERR:     #8 0x8a4300a in createInitialStyle third_party/WebKit/Source/core/style/ComputedStyle.cpp:90:0
STDERR:     #9 0x8a40dbb in mutableInitialStyle third_party/WebKit/Source/core/style/ComputedStyle.h:354:9
STDERR:     #10 0x8a40dbb in initialStyle third_party/WebKit/Source/core/style/ComputedStyle.h:362:0
STDERR:     #11 0x8a40dbb in ComputedStyle third_party/WebKit/Source/core/style/ComputedStyle.cpp:113:0
STDERR:     #12 0x8a40dbb in create third_party/WebKit/Source/core/style/ComputedStyle.cpp:85:0
STDERR:     #13 0x732db3a in styleForDocument third_party/WebKit/Source/core/css/resolver/StyleResolver.cpp:679:43
STDERR:     #14 0x5df6c42 in attach third_party/WebKit/Source/core/dom/Document.cpp:2110:28
STDERR:     #15 0x78fd169 in installNewDocument third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:363:17
STDERR:     #16 0x7d9f5eb in createWriterFor third_party/WebKit/Source/core/loader/DocumentLoader.cpp:664:51
STDERR:     #17 0x7d9f0c1 in ensureWriter third_party/WebKit/Source/core/loader/DocumentLoader.cpp:460:16
STDERR:     #18 0x7d98a52 in commitData third_party/WebKit/Source/core/loader/DocumentLoader.cpp:468:5
STDERR:     #19 0x7d982e9 in finishedLoading third_party/WebKit/Source/core/loader/DocumentLoader.cpp:290:13
STDERR:     #20 0x7da0c37 in maybeLoadEmpty third_party/WebKit/Source/core/loader/DocumentLoader.cpp:614:5
STDERR:     #21 0x7da0f72 in startLoadingMainResource third_party/WebKit/Source/core/loader/DocumentLoader.cpp:625:9
STDERR:     #22 0x7dfeec6 in init third_party/WebKit/Source/core/loader/FrameLoader.cpp:205:34
STDERR:     #23 0x10b4be5b in init third_party/WebKit/Source/core/frame/LocalFrame.h:232:14
STDERR:     #24 0x10b4be5b in initializeCoreFrame third_party/WebKit/Source/web/WebLocalFrameImpl.cpp:1501:0
STDERR:     #25 0x92e2872 in CreateMainFrame content/renderer/render_frame_impl.cc:919:27
Jun 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5095963891073024

Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::Font::canShapeWordByWord
  blink::CachingWordShaper::width
  blink::Font::width

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=399234:399406

Minimized Testcase (1.03 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94CbrTkr9nHWl6bBjzYlDu03inNJaanFqG-_qWebVzW8SlF64hAgu7kpe0AJGQPIU3UkgiPH0QCn-uxcdbmpRtUdsdAyJXiwJI2DPkQC360YbjmEHGmw1cXX5s78QWALWAicXxS3uKYaq5wcNiGqK6GtftNHA?testcase_id=5095963891073024

    <script>
    function start() {
      o31=window.getSelection();
      o53=document.createRange();
      o59=(new DOMParser()).parseFromString('','text/html');
      o61=o59.all[1];
      o65=document.createElement('form');
      o59.documentElement.appendChild(o65);
      o86=document.createElement('style');
      o31.addRange(o53);
      o130=document.createElement('keygen');
      o65.appendChild(o130);
      o167=document.createElement('style');
      o200=document.createElement('style');
      o201=document.createTextNode(" key1{");
      o200.appendChild(o201);
      o65.appendChild(o200);
      o61.appendChild(o167);
      document.replaceChild(o59.documentElement,document.documentElement);
      o324=document.createElement('style');
      o167.appendChild(o324);
      o31.modify('extend', 'right','line');
      o398=document.createElement('link');
      o398.setAttributeNS('','rel','import');
      o200.appendChild(o86);
      o324.appendChild(o398);
    }
    </script>
    <body onload=start()>

Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 24 2016
ClusterFuzz has detected this issue as fixed in range 401557:401580.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5095963891073024

Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::Font::canShapeWordByWord
  blink::CachingWordShaper::width
  blink::Font::width

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=399234:399406
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=401557:401580

Minimized Testcase (1.03 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94CbrTkr9nHWl6bBjzYlDu03inNJaanFqG-_qWebVzW8SlF64hAgu7kpe0AJGQPIU3UkgiPH0QCn-uxcdbmpRtUdsdAyJXiwJI2DPkQC360YbjmEHGmw1cXX5s78QWALWAicXxS3uKYaq5wcNiGqK6GtftNHA?testcase_id=5095963891073024

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 24 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 27 2016
This is a split from a clusterfuzz bug, you don't have to verify/close this one, thank you.
Jun 28 2016
Mark this as WontFix. Thought this could be a repro for issue 595078, but this is specific to <option> element, and the behavior was correct; i.e., yosin@'s fix in comment #1 is correct.
Jul 15 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c1b06954220f96a85ce764396cf5cc5e24a9fba4

commit c1b06954220f96a85ce764396cf5cc5e24a9fba4
Author: Yoshifumi Inoue <yosin@chromium.org>
Date: Fri Jul 15 01:20:32 2016

Make default constructor of Font class to initialize all member variables

This patch makes default constructor of |Font| class to initialize |m_canShapeWordByWord| and |m_shapeWordByWordComputed| member variables to make MSAN happy.

This patch is a preparation of re-landing http://crrev.com/2082893005, which is reverted by uninitialized member variables of |Font|.

BUG=618237, 622566
TEST=n/a; MSAN will check this

Review-Url: https://codereview.chromium.org/2091633002
Cr-Commit-Position: refs/heads/master@{#401567}
(cherry picked from commit 2217e8c563575ead5c9450408529340ec93ccef7)

Review URL: https://codereview.chromium.org/2151143002 .

Cr-Commit-Position: refs/branch-heads/2743@{#640}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[modify] https://crrev.com/c1b06954220f96a85ce764396cf5cc5e24a9fba4/third_party/WebKit/Source/platform/fonts/Font.cpp
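The lazily cached flag pair the commit above initializes, as an added example that is not Blink's Font code: a constructed stand-in class shown before and after default member initializers. Only the member names m_canShapeWordByWord and m_shapeWordByWordComputed come from the page; the m_family field, the shaping rule and the computeCallsAfter helper are assumptions made for illustration.

```cpp
#include <string>
// Constructed stand-in for Blink's Font: only the two member names come from
// the commit message; the shaping rule is invented. Before the fix the default
// constructor set neither flag, so the first canShapeWordByWord() branched on
// whatever bytes the fresh heap block held (see the MSAN "created by" trace).
class FontBeforeFix {  // for comparison only; never instantiate it
 public:
  FontBeforeFix() {}  // neither flag initialised here
  bool canShapeWordByWord() {
    if (!m_shapeWordByWordComputed) {  // MSAN: use-of-uninitialized-value
      m_canShapeWordByWord = !m_family.empty();
      m_shapeWordByWordComputed = true;
    }
    return m_canShapeWordByWord;
  }
 private:
  std::string m_family;
  bool m_canShapeWordByWord;
  bool m_shapeWordByWordComputed;
};

// After the fix: default member initialisers give every constructor, the
// implicit default one included, a defined start state, so the lazily cached
// answer is computed once and never read before it is written.
class Font {
 public:
  Font() = default;
  explicit Font(const std::string& family) : m_family(family) {}
  bool canShapeWordByWord() {
    if (!m_shapeWordByWordComputed) {
      ++m_computeCalls;
      m_canShapeWordByWord = !m_family.empty();
      m_shapeWordByWordComputed = true;
    }
    return m_canShapeWordByWord;
  }
  int computeCalls() const { return m_computeCalls; }
 private:
  std::string m_family;
  bool m_canShapeWordByWord = false;
  bool m_shapeWordByWordComputed = false;
  int m_computeCalls = 0;  // instrumentation for this example only
};

// Returns how often a Font computed the answer after |calls| queries (0 or 1).
int computeCallsAfter(int calls, const std::string& family = "") {
  Font font(family);
  for (int i = 0; i < calls; ++i) font.canShapeWordByWord();
  return font.computeCalls();
}
```

Built with -fsanitize=memory, the FontBeforeFix variant is what MSAN flags on the first canShapeWordByWord() call; the Font variant is clean because the branch never reads an indeterminate value.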
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by bugdroid1@chromium.org, Jun 23 2016