This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Range https://chromium.googlesource.com/v8/v8/+log/d0987fac044ba150e4757f24de73c41c2d8c6cc6..e0e1556bc5d784dc661d6ceb09cd165e9031e461?pretty=fuller according to CF

The v8 changes are just innocent refactorings. However, I do see there was a suspicious chromium commit. Assigning to @haraken.

commit	01cb51d26b17923ed2b5c3b59566f0fc9aed74ae	
author	haraken <haraken@chromium.org>	Mon Aug 22 11:44:26 2016
committer	Commit bot <commit-bot@chromium.org>	Mon Aug 22 11:46:07 2016
Stop calling blink::shutdown

RenderThreadImpl::Shutdown has been trying to shut down Blink and V8 gracefully,
but the graceful shutdown has caused tons of use-after-free bugs
(and many engineers has spent lots of time fixing ordering issues around the shutdown).

As discussed in blink-dev@ (https://groups.google.com/a/chromium.org/d/topic/blink-dev/kk4VX0xRB7I/discussion)
and platform-architecture-dev@ (https://groups.google.com/a/chromium.org/d/topic/platform-architecture-dev/Zc12k91NTFk/discussion),
there is no reason we have to shut down the renderer gracefully.
It's just causing use-after-free bugs and wasting performance.
Hence, this CL stops calling blink::shutdown, which had been
shutting down *some things* in Blink and V8 gracefully.
(Remember that blink::shutdown hadn't been shutting down everything;
a lot of objects in Blink and V8 had already been left as is without getting destructed.)

Ideally we should just call ProcessDied() at an earlier stage of
RenderThreadImpl::Shutdown(), but I'd like to defer the change to a separate CL.

BUG=639244

Review-Url: https://codereview.chromium.org/2249353002
Cr-Commit-Position: refs/heads/master@{#413430}

ClusterFuzz has detected this issue as fixed in range 416466:416534.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5911334778830848

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61500000c600
Crash State:
  blink::V8GCController::gcEpilogue
  v8::internal::Heap::PerformGarbageCollection
  v8::internal::Heap::CollectGarbage
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=413421:413430
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=416466:416534

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94_oqvKY_YIn0QNn04mF46fCuKHgNqre_VCUfi6psbgS7SHAw5rohITn9tWe_N70XJbELUtpfZW9QKb8mp5gozFS0cyO27DxgugJDakwjkJBv1csn5Isk6qz81x-sRFh1NAaI76kol8jT16dEni0UwmrT9_HoaGpqMp0xfaT4CKi_SfVKw?testcase_id=5911334778830848


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot