This is a use-after-poison while getting an IndexedDBClient from an execution context. Assigning to v8 component based on there having been a roll in the regression range, and no likely Chromium CL candidates.

 Issue 651199  has been merged into this issue.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug is reported as M55 Beta blocker.Please try to resolve this before M55 branch on Oct 6th,2016 so it has enough baking time in Dev.

I don't think this is related to V8. CC'ing binding folks.

We had a similar bug come in this morning, and now this makes a bit more sense.

The CL that caused the regression is likely the one that enables GC for DedicatedWorkers: https://chromium.googlesource.com/chromium/src/+/d1aef67937aa7bcb5fb79a18fbf2759de21a3025

Any takers to own this bug?

A friendly reminder that M55 Beta launch is coming soon! Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.

ClusterFuzz has detected this issue as fixed in range 422899:423265.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5121722175193088

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x7e840dd98a18
Crash State:
  blink::IndexedDBClient::from
  blink::IDBFactory::openInternal
  blink::IDBFactory::open
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=421437:421473
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=422899:423265

Minimized Testcase (0.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZG_DkiIyNe9BfBELeY71RIWf_18T_wL4pOhYIik-X67MFjTKQLF-NHbJQP5T5mxNHOKWWlN4dntiwq56kYq2FUGlhcrJa0B6mtscW0tQ-fcgVoZIQPLmchLzcUsT1BQUzrqo_8_4aa7X1Gvt8a_5EnOewXQ?testcase_id=5121722175193088

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot