
Issue 629006 link

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security




Crash in base::PendingTask::PendingTask

Project Member Reported by ClusterFuzz, Jul 18 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6601400088002560

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00edf91f
Crash State:
  base::PendingTask::PendingTask
  base::MessageLoop::DoWork
  base::MessagePumpDefault::Run
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=404895:404947

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97ejfrrtoJPgJ7yphIzuBeW-Jbdk1BkkmyaxPriDlB9AEy-ZQF6Edf5N-VbOY8KGtMSkUCj8b6q1s68dTuyS0aBnZrL64V4HNV1bG2D-IdSYWPxJwXQHu_jd7taNpifFQFIh2jTQt5_u2QST9hbnjmXDX-Zk6KmagecOJIvsoOpDXGuE0Q?testcase_id=6601400088002560


Filer: mmoroz

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by mmoroz@chromium.org, Jul 18 2016

Cc: mmoroz@chromium.org
Components: Content>Core
Labels: M-53 Pri-2
Owner: tzik@chromium.org
tzik@, looks like your recent CL may be the culprit: https://codereview.chromium.org/1886453003

Could you please take a look?
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 18 2016

Labels: Security_Impact-Head
Project Member

Comment 3 by sheriffbot@chromium.org, Jul 18 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 4 by sheriffbot@chromium.org, Jul 18 2016

Labels: -Pri-2 Pri-1
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 18 2016

Status: Assigned (was: Available)

Comment 6 by gov...@chromium.org, Jul 19 2016

M53 beta launch is next week. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix before 6:00 PM PST, Friday (07/22/16). Thank you.

Comment 7 by tzik@chromium.org, Jul 20 2016

Labels: -ReleaseBlock-Beta
Removing RB-B since it's not a new crash.
https://crash.corp.google.com/browse?q=stable_signature%20CONTAINS%20%27base%3A%3APendingTask%3A%3APendingTask%27
Project Member

Comment 8 by sheriffbot@chromium.org, Jul 20 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: -ReleaseBlock-Beta
Project Member

Comment 10 by sheriffbot@chromium.org, Jul 21 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 11 by sheriffbot@chromium.org, Jul 21 2016

Labels: ReleaseBlock-Stable
Labels: -Security_Impact-Beta Security_Impact-Head
Project Member

Comment 13 by sheriffbot@chromium.org, Jul 22 2016

Labels: -Security_Impact-Head Security_Impact-Beta
Project Member

Comment 14 by sheriffbot@chromium.org, Aug 3 2016

tzik: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
M53 Stable launch is coming soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix asap so it gets a chance to bake in beta before stable promotion. Thank you.
Hi tzik@. Though it might not be new, it's still a security issue - could you possibly prioritise taking a look?  Cheers!

Comment 17 by tzik@chromium.org, Aug 12 2016

Hmm... The crash looks so confusing to me.
E.g. on http://crash/4e995dfc00000000, std::deque<>::push_back calls to base::PendingTask::PendingTask at 07FEEE5DCF50h.
The disasm of the point is `48 89 5c 24 08`, which is `mov qword ptr [rsp+8h],rbx`.
It doesn't make sense to me to read `rbx` at the beginning of a function.

Isn't this a compiler bug or caused by a broken binary?
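To check the five instruction bytes quoted above, here is a small decoder for the MOV r/m64,r64 (89 /r) and MOV r64,r/m64 (8B /r) encodings with REX prefix and SIB addressing. It is an added example for this page, not code from Chromium or from the commenter; it confirms that `48 89 5c 24 08` is a store whose source operand is rbx and whose destination is the caller's home space at [rsp+8h], the usual MSVC x64 prologue spill of a callee-saved register.

```python
"""Tiny x86-64 decoder for MOV r/m64,r64 (89 /r) and MOV r64,r/m64 (8B /r).
Added example; register names are always rendered as 64-bit (REX.W assumed
for register-direct forms), which is enough for the bytes in this thread."""
import struct

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_mov(code: bytes) -> dict:
    """Decode one optionally REX-prefixed MOV (89/8B). Returns the Intel-style
    text plus source/destination fields and the number of bytes consumed."""
    pos, rex = 0, 0
    if 0x40 <= code[0] <= 0x4F:              # REX prefix: 0100WRXB
        rex, pos = code[0], 1
    w, r, x, b = (rex >> 3) & 1, (rex >> 2) & 1, (rex >> 1) & 1, rex & 1
    opcode, modrm = code[pos], code[pos + 1]
    pos += 2
    if opcode not in (0x89, 0x8B):
        raise ValueError(f"unsupported opcode {opcode:#04x}")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    reg_op = REGS64[reg | (r << 3)]          # the "reg" field, extended by REX.R
    if mod == 3:                             # register-direct r/m operand
        rm_op = REGS64[rm | (b << 3)]
    else:
        if rm == 4:                          # rm=100 means a SIB byte follows
            sib = code[pos]; pos += 1
            scale, index, base = 1 << (sib >> 6), (sib >> 3) & 7, sib & 7
            if mod == 0 and base == 5:
                raise ValueError("disp32-only SIB form not handled")
            parts = [REGS64[base | (b << 3)]]
            if index != 4 or x:              # index=100 without REX.X: no index
                parts.append(f"{REGS64[index | (x << 3)]}*{scale}")
        elif mod == 0 and rm == 5:
            raise ValueError("RIP-relative form not handled")
        else:
            parts = [REGS64[rm | (b << 3)]]
        disp = 0
        if mod == 1:                         # 8-bit signed displacement
            disp = struct.unpack_from("<b", code, pos)[0]; pos += 1
        elif mod == 2:                       # 32-bit signed displacement
            disp = struct.unpack_from("<i", code, pos)[0]; pos += 4
        addr = "+".join(parts)
        if disp > 0:
            addr += f"+{disp:x}h"
        elif disp < 0:
            addr += f"-{-disp:x}h"
        rm_op = f"{'qword' if w else 'dword'} ptr [{addr}]"
    # 89 /r writes reg into r/m (a store); 8B /r loads r/m into reg.
    dst, src = (rm_op, reg_op) if opcode == 0x89 else (reg_op, rm_op)
    return {"text": f"mov {dst},{src}", "dst": dst, "src": src, "length": pos}


if __name__ == "__main__":
    print(decode_mov(bytes.fromhex("48895c2408")))   # the bytes from comment 17
```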
M53 Stable launch is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix asap so it gets a chance to bake in beta before stable promotion later this month. Thank you.

Comment 19 by aarya@google.com, Aug 16 2016

Cc: sebmarchand@chromium.org tzik@chromium.org
Owner: chrisha@chromium.org
Chris, Sebastien, could this be a syzyasan bug, can you please take a look.
Cc: awhalley@chromium.org
Project Member

Comment 21 by sheriffbot@chromium.org, Aug 17 2016

chrisha: Uh oh! This issue is still open and hasn't been updated in the last 30 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Please try to resolve this ASAP as we're very close to M53 Stable promotion. Please request a merge to the M53 branch 2785 once the change is landed/baked/verified in Canary. Thank you.
A friendly reminder that M53 Stable is launching VERY soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP (before 5:00 PM PT, Tuesday) so we can take it for this week LAST Beta release for Desktop. Thank you!

Note: Merge has to happen by Friday, August 26th, 5:00 PM PST in order to make it into the desktop Stable final build cut.
Cc: jcgregorio@chromium.org hcm@chromium.org
Was traveling last week and just seeing this now. Am traveling again this week, and Seb is OOO as well.

tzik: Why were you looking at that minidump on go/crash? This is an ASAN bug and has a repro as well as stack trace information available on cluster-fuzz.

aarya: I'm confused regarding the stack trace provided by CF. It looks like we're starting in ReportCrashWithProtobufAndMemoryRanges, before entering message loop machinery in chrome_child? This to me looks like something has gone wrong much sooner, either in Crashpad or Kasko.

Comment 26 by tzik@chromium.org, Aug 23 2016

chrisha: Because the failure didn't repro on my machine, and the minidump in the CF report didn't work for me on MSVC. It didn't show meaningful call stack, and the symbol server probably doesn't know the binary.
Cc: -jcgregorio@chromium.org infe...@chromium.org
Cc: jcgregorio@chromium.org
Labels: -ReleaseBlock-Stable
Removing ReleaseBlock after discussion with inferno.
Project Member

Comment 30 by sheriffbot@chromium.org, Aug 28 2016

Labels: ReleaseBlock-Stable
Labels: -M-53 -ReleaseBlock-Stable M-54
Project Member

Comment 32 by bugdroid1@chromium.org, Aug 31 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/fd76103704c54eec019f2e7cb56aab8c71681aa3

commit fd76103704c54eec019f2e7cb56aab8c71681aa3
Author: sebmarchand <sebmarchand@chromium.org>
Date: Wed Aug 31 22:34:01 2016

Roll Syzygy deps to v0.8.20.6

BUG=629006,630372

Review-Url: https://codereview.chromium.org/2298273003
Cr-Commit-Position: refs/heads/master@{#415785}

[modify] https://crrev.com/fd76103704c54eec019f2e7cb56aab8c71681aa3/DEPS

Project Member

Comment 33 by sheriffbot@chromium.org, Sep 9 2016

Labels: ReleaseBlock-Stable
Anything more needed for this bug or can it be marked fixed?

Comment 35 by mmoroz@google.com, Sep 28 2016

Status: Fixed (was: Assigned)
ClusterFuzz cannot reproduce it, let's mark as Fixed.
Project Member

Comment 36 by sheriffbot@chromium.org, Sep 29 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Project Member

Comment 38 by sheriffbot@chromium.org, Jan 5 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
