This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

jfernandez@, looks like your CL is the culprit. Could you please take a look?

The result is a list of CLs that change the crashed files. 

Author: jfernandez
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/45a34a1a8f382bcaa36e8d1c58575f34f2832237
Time: Mon Oct 10 21:36:11 2016
Lines 501 of file LayoutGrid.cpp which potentially caused crash are changed in this cl (frame #2, "blink::LayoutGrid::layoutBlock").
Minimum distance from crash line to modified line: 0. (file: LayoutGrid.cpp, crashed on: 498, modified: 498).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/738e26e1286554cb9a63610bce2b77da5a912eb3

commit 738e26e1286554cb9a63610bce2b77da5a912eb3
Author: jfernandez <jfernandez@igalia.com>
Date: Mon Oct 17 12:49:58 2016

[css-grid] Avoid storing pointers to orthogonal grid items

We defined a Vector of LayoutBox pointers to the orthogonal grid items.
This vector has been used mainly to clear the override sizes when the
grid layout logic is executed several times for the same Layout Tree.

The problem, detected in the test cases attached in the bug report, is
that those pointers may point to invalid memory regions. This lead to
heap-use-after-free crashes which are potential security breaches.

This patch removes the Vector so we iterate over the children got
from the current Layout Tree structure at the time the layout logic is
executed. This is a less efficient approach, but definitively safer
because we avoid accessing pointers to invalid memory regions.

BUG= 655632 

Review-Url: https://codereview.chromium.org/2411333007
Cr-Commit-Position: refs/heads/master@{#425665}

[add] https://crrev.com/738e26e1286554cb9a63610bce2b77da5a912eb3/third_party/WebKit/LayoutTests/fast/css-grid-layout/setting-node-properties-to-null-during-layout-should-not-crash-expected.txt
[add] https://crrev.com/738e26e1286554cb9a63610bce2b77da5a912eb3/third_party/WebKit/LayoutTests/fast/css-grid-layout/setting-node-properties-to-null-during-layout-should-not-crash.html
[modify] https://crrev.com/738e26e1286554cb9a63610bce2b77da5a912eb3/third_party/WebKit/Source/core/layout/LayoutGrid.cpp
[modify] https://crrev.com/738e26e1286554cb9a63610bce2b77da5a912eb3/third_party/WebKit/Source/core/layout/LayoutGrid.h

This issue should be FIXED now.

ClusterFuzz has detected this issue as fixed in range 425658:425693.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5958206096670720

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free READ 7
Crash Address: 0x611000291d80
Crash State:
  blink::LayoutGrid::layoutBlock
  blink::LayoutBlock::layout
  blink::FrameView::layoutOrthogonalWritingModeRoots
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=424153:424757
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=425658:425693

Minimized Testcase (1.89 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94pmWyp8dWIaOiNI5nPZGlhYkXWNafcyR8FJiFTHhdnBtd6uuVA8-VaVdcl3SJfxxwFCOod9B9jzLxDw16NWbN661IAV4oPMVZJ5tWtAvOdXYvvRM46513Yo_4kSj-oexalj58Z8kWqsl_jSpjPgiBJHbRCEw?testcase_id=5958206096670720

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Your change meets the bar and is auto-approved for M55 (branch: 2883)

Please merge this change to M55 branch 2883 ASAP latest before 12:00 PM PT on Tuesday (10/25/16) so we can pick it up for this week beta release. Thank you.

For some reason git rover failed to me when trying to merge the change.

Push failed with exit code 128.
All attempts to push to pending ref failed.
Failed to push. If this persists, please file a bug.
Error: Command 'cl land --bypass-hooks' failed: Command '['git', 'cl', 'land', '--bypass-hooks']' returned non-zero exit status 1

+ dimu@, awhalley@, could anyone of you please help  jfernandez@ with merge.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Removing merge labels, this is a trunk-only regression.

Caused by 45a34a1a8f382bcaa36e8d1c58575f34f2832237\
commit 45a34a1a8f382bcaa36e8d1c58575f34f2832237 was:
  initially in 56.0.2887.0
No merges found. If this seems wrong, be sure that you did:
  git fetch origin && gclient sync --with_branch_heads

Fixed by 738e26e1286554cb9a63610bce2b77da5a912eb3
commit 738e26e1286554cb9a63610bce2b77da5a912eb3 was:
  initially in 56.0.2894.0

inferno: Why did clusterfuzz think this regression was in 55?

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot