Use-of-uninitialized-value in blink::CSSPropertyNamesHash::findPropertyImpl
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4632206280753152
Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::CSSPropertyNamesHash::findPropertyImpl
  blink::CSSPropertyID blink::unresolvedCSSPropertyID<unsigned char>
  blink::unresolvedCSSPropertyID
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97ClfAC10ec7tVulkqf_GM6xEL1JIz2CtvabSnIIfNtu6wlD8PfSH-c1Hpak7ggCCrnri-0JUfIHbWS4msr4-8avL0FX0pGj0u9-kURjssvV_i3REbgSjQGmr8FwPAf_LYYzhH4E8CMQPXdnFq997nEeGZKqw?testcase_id=4632206280753152
[{"e":"audio"}]
Issue filed automatically.
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Oct 6 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 6 2016
Oct 6 2016
No obvious suspect CL in range, assigning to tkent who has been in some of the files recently, please re-assign as appropriate. Thanks!
Oct 6 2016
meade@ updated make_css_property_names.py recently.
Oct 7 2016
**** Bulk edit - please ignore if not applicable **** This bug is reported as an M55 Beta blocker and we're getting closer to M55 Beta promotion. Please plan to have the fix ready and merged to the M55 branch (2883) by 5:00 PM PT, Monday (10/10) so it has enough baking time in Dev before Beta promotion. Thank you.
Oct 11 2016
I have been staring at this code and haven't been able to figure out why this is happening. It definitely isn't caused by my CL (I added an unrelated function querying CSSPropertyIDs). I also haven't been able to repro it on my workstation.
Tim: You know stuff about the CSSParser; can you see anything I missed?
Abhishek: The error says the origin of the use-of-uninitialized-value is invalid. How likely is this to be a tooling error?
SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/libFuzzer/src/FuzzerTracePC.cpp:156:3 in fuzzer::TracePC::AddValueForStrcmp(void*, char const*, char const*, unsigned long)
ORIGIN: invalid (0). Might be a bug in MemorySanitizer origin tracking.
This could still be a bug in your code, too!
Oct 13 2016
Oct 17 2016
Kostya, Mike - any comments on the c#7 MSAN error? This might also get fixed by https://codereview.chromium.org/2424893002/, so let's wait a day before CF reverifies.
Oct 17 2016
This might be a bug in the way we build libfuzzer+msan, looking. There was another similar bug which I could not reproduce so far: https://bugs.chromium.org/p/chromium/issues/detail?id=655545 Did someone manage to reproduce any of these locally?
Oct 17 2016
Here again I can't reproduce locally. Can someone help me with reproducing? I tried this:
gn gen out/libfuzzer-msan '--args=use_libfuzzer=true is_msan=true enable_nacl=false is_debug=false use_prebuilt_instrumented_libraries=true' --check
ninja -C out/libfuzzer-msan renderer_tree_fuzzer
./out/libfuzzer-msan/renderer_tree_fuzzer ~/Downloads/fuzz-3-renderer_tree_fuzzer -runs=10000
Oct 17 2016
mbarbella@ who might be able to help with repro
Oct 18 2016
This is what I get:
$ gn gen '--args=use_libfuzzer=true is_msan=true enable_nacl=false is_debug=false' --check out/libfuzzer
$ ninja -C out/libfuzzer renderer_tree_fuzzer
$ ./out/libfuzzer/renderer_tree_fuzzer ~/Downloads/fuzz-3-renderer_tree_fuzzer
INFO: Seed: 3236001142
INFO: Loaded 0 modules (0 guards):
./out/libfuzzer/renderer_tree_fuzzer: Running 1 inputs 1 time(s) each.
Running: /usr/local/google/home/aizatsky/Downloads/fuzz-3-renderer_tree_fuzzer
Uninitialized bytes in __interceptor_strchr at offset 3 inside [0x701000002ba2, 4)
==14710==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7fd2a6c09950 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x25950)
#1 0x7fd2a6c0a01d (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x2601d)
#2 0x9f110b1 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x9f110b1)
#3 0x9f11cad (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x9f11cad)
#4 0x9f12c1d (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x9f12c1d)
#5 0x9f121f6 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x9f121f6)
#6 0x15ed017f (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x15ed017f)
#7 0x4d063b (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4d063b)
#8 0x4b2fb9 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4b2fb9)
#9 0x4fc93b (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4fc93b)
#10 0x4fd14c (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4fd14c)
#11 0x4d1915 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4d1915)
#12 0x4d9385 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4d9385)
#13 0x50c9f0 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x50c9f0)
#14 0x7fd2a0c40f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#15 0x43d4c8 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x43d4c8)
Uninitialized value was created by a heap allocation
#0 0x4629c6 (/usr/local/google/home/aizatsky/src/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4629c6)
#1 0x7fd2a6c32610 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x25950)
Exiting
Oct 18 2016
Mike, you need to add use_prebuilt_instrumented_libraries=true; the libfuzzer+chrome page does not mention it (but msan_chrome does).
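The report in the comment above has its innermost frames inside libglib, a system library that a libfuzzer+msan build leaves uninstrumented unless use_prebuilt_instrumented_libraries=true is set; MSan cannot see writes made by uninstrumented code, so memory such code touches stays poisoned and trips a bogus use-of-uninitialized-value. The triage helper below is added here as an example and is not part of this bug thread or of Chromium; it parses a constructed, abridged copy of that report (home directory genericised) and flags the two tooling signatures discussed in the thread: frames in uninstrumented system libraries, and the "ORIGIN: invalid" marker from c#7.

```python
import re

# Constructed sample: the MSan report from the thread, abridged, home directory genericised.
SAMPLE_REPORT = """\
Uninitialized bytes in __interceptor_strchr at offset 3 inside [0x701000002ba2, 4)
==14710==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7fd2a6c09950 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x25950)
    #1 0x7fd2a6c0a01d (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x2601d)
    #2 0x9f110b1 (/home/user/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x9f110b1)
  Uninitialized value was created by a heap allocation
    #0 0x4629c6 (/home/user/chrome/src/out/libfuzzer/renderer_tree_fuzzer+0x4629c6)
    #1 0x7fd2a6c32610 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x25950)
"""
# Unsymbolized frame line: "#N 0xADDR (module+0xOFFSET)", as printed in the thread.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+\(([^()]+?)\+0x[0-9a-fA-F]+\)")
# System libraries a plain MSan build leaves uninstrumented; MSan cannot track their writes.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/")

def parse_stacks(report):
    """Return each stack as a list of module paths: crash stack first, then the origin stack."""
    stacks = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        if int(m.group(1)) == 0:  # every "#0" opens a new stack
            stacks.append([])
        stacks[-1].append(m.group(2))
    return stacks

def triage(report):
    """Decide whether the report looks like a build/tooling artefact or a real finding."""
    stacks = parse_stacks(report)
    crash = stacks[0] if stacks else []
    origin = stacks[1] if len(stacks) > 1 else []
    # Innermost crash frames plus the whole allocation stack are the telling ones.
    system = [m for m in crash[:3] + origin if m.startswith(SYSTEM_LIB_DIRS)]
    if system:
        return {"verdict": "likely-tooling-issue",
                "reason": "uninstrumented system library in stack: " + system[0],
                "action": "rebuild with use_prebuilt_instrumented_libraries=true and re-run"}
    if "ORIGIN: invalid" in report:  # MSan itself flags its origin tracking as unreliable
        return {"verdict": "likely-tooling-issue",
                "reason": "MSan reported an invalid origin for the value",
                "action": "re-run on a correctly instrumented build before bisecting"}
    return {"verdict": "needs-investigation",
            "reason": "all frames are in instrumented code",
            "action": "symbolize the stack and bisect the regression range"}
```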
Oct 19 2016
Oct 21 2016
heh, this might be related to the internal b/32319828
Oct 26 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, so please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Oct 31 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, so please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!
Nov 5 2016
kcc: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 7 2016
**** Bulk edit - please ignore if not applicable **** A friendly reminder that the M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, so please make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you! Also, due to the Thanksgiving holidays in the US, please make sure all fixes are ready and merged to M55 by 5:00 PM PT Friday, 11/18/16 at the latest.
Nov 7 2016
Looks like a tools issue - closing as WontFix; if there's a real issue with such a simple test case we'll get another fuzzing hit I'm sure.
Dec 7 2016
ClusterFuzz has detected this issue as fixed in range 436556:436579.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4632206280753152
Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::CSSPropertyNamesHash::findPropertyImpl
  blink::CSSPropertyID blink::unresolvedCSSPropertyID<unsigned char>
  blink::unresolvedCSSPropertyID
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=423366:423427
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=436556:436579
Minimized Testcase (0.01 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97ClfAC10ec7tVulkqf_GM6xEL1JIz2CtvabSnIIfNtu6wlD8PfSH-c1Hpak7ggCCrnri-0JUfIHbWS4msr4-8avL0FX0pGj0u9-kURjssvV_i3REbgSjQGmr8FwPAf_LYYzhH4E8CMQPXdnFq997nEeGZKqw?testcase_id=4632206280753152
[{"e":"audio"}]
See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot