Heap-use-after-free in base::debug::TaskAnnotator::RunTask
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5148907992776704

Fuzzer: jsbell_indexeddb
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6040002bbbe8
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  base::MessageLoop::DeferOrRunPendingTask

Recommended Security Severity: Critical

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=426410:426422

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97SIL2XFVqFuiTrBgR69fYTeFyt-hL3plSJgirV-pTylrgtLIbpUESTTRp7lSZE5Oz-_vElhHIDkKV5Mt6lZ_LnWGE61KP3Q_3P8M3LNP_1aldIpC64FjGS_RaYcZCX7lhm-9cIAWo5O_TLAAuWGPIWfkZcD5Kx7GctAFtBeeKrN6TV2bA?testcase_id=5148907992776704

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Oct 20 2016
Making a local ASan build right now. Will revert my patch if I can't figure this out quickly.
Oct 20 2016
IndexedDBCallbacks is being destroyed on the wrong thread. TSan caught this too: https://build.chromium.org/p/chromium.memory.full/builders/Linux%20TSan%20Tests/builds/2823/steps/content_browsertests%20on%20Ubuntu-12.04/logs/IndexedDBBrowserTest.EmptyBlob I'm testing a patch to fix it.
Oct 20 2016
Yes, looks like TSAN is crashing on startup on this.
Oct 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/a7233873f6fa93ddf414555f7d60f9baba71cd0e

commit a7233873f6fa93ddf414555f7d60f9baba71cd0e
Author: reillyg <reillyg@chromium.org>
Date: Thu Oct 20 20:33:14 2016

Prevent cross-thread refcounting for thread-unsafe IndexedDBCallbacks.

This object is refcounted but is not thread safe. Transferring ownership of the first reference (since it is created on the IO thread) to the callback should prevent issues.

BUG=657862
Review-Url: https://chromiumcodereview.appspot.com/2439863002
Cr-Commit-Position: refs/heads/master@{#426583}

[modify] https://crrev.com/a7233873f6fa93ddf414555f7d60f9baba71cd0e/content/browser/indexed_db/indexed_db_callbacks.cc
[modify] https://crrev.com/a7233873f6fa93ddf414555f7d60f9baba71cd0e/content/browser/indexed_db/indexed_db_callbacks.h
[modify] https://crrev.com/a7233873f6fa93ddf414555f7d60f9baba71cd0e/content/browser/indexed_db/indexed_db_database_callbacks.cc
[modify] https://crrev.com/a7233873f6fa93ddf414555f7d60f9baba71cd0e/content/browser/indexed_db/indexed_db_database_callbacks.h
[modify] https://crrev.com/a7233873f6fa93ddf414555f7d60f9baba71cd0e/content/browser/indexed_db/indexed_db_dispatcher_host.cc
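The commit above describes the fix as moving the first reference into the posted callback so that no reference to the thread-unsafe refcounted object remains on the IO thread. The following is an added illustration of that ownership pattern, not code from Chromium or from the commit: the IO and IndexedDB "threads" are modelled as two task queues (`TaskQueue`) that run one after the other, `Ref` stands in for a scoped_refptr, and `Callbacks` stands in for a refcounted object with a plain, non-atomic count. All of these names are assumptions made for the example. Because the queues run sequentially, the example shows only which thread ends up running the destructor, not the concurrent refcount race itself.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <queue>
#include <string>
#include <utility>

// Name of the simulated thread whose queue is currently running tasks.
static std::string g_current_thread = "main";

// A "thread" modelled as a FIFO of tasks that runs to completion on demand
// (illustrative; not Chromium's MessageLoop).
struct TaskQueue {
  std::string name;
  std::queue<std::function<void()>> tasks;
  void Post(std::function<void()> task) { tasks.push(std::move(task)); }
  void RunAll() {
    std::string previous = g_current_thread;
    g_current_thread = name;
    while (!tasks.empty()) {
      std::function<void()> task = std::move(tasks.front());
      tasks.pop();
      task();
    }  // `task` (and anything it captured) is destroyed while this queue is current
    g_current_thread = previous;
  }
};

// Stand-in for a thread-unsafe refcounted object: the count is a plain int,
// so AddRef/Release/destruction must only ever happen on one thread.
struct Callbacks {
  int refcount = 0;
  int success_calls = 0;
  std::string* destroyed_on;  // receives the thread name seen by the destructor
  explicit Callbacks(std::string* out) : destroyed_on(out) {}
  ~Callbacks() { *destroyed_on = g_current_thread; }
  void OnSuccess() { ++success_calls; }
};

// Minimal scoped_refptr-like handle (assumed for the example).
class Ref {
 public:
  Ref() = default;
  explicit Ref(Callbacks* p) : p_(p) { AddRef(); }
  Ref(const Ref& other) : p_(other.p_) { AddRef(); }
  Ref(Ref&& other) noexcept : p_(other.p_) { other.p_ = nullptr; }
  Ref& operator=(Ref other) noexcept { std::swap(p_, other.p_); return *this; }
  ~Ref() { Reset(); }
  void Reset() {
    if (p_ && --p_->refcount == 0) delete p_;
    p_ = nullptr;
  }
  Callbacks* get() const { return p_; }
 private:
  void AddRef() { if (p_) ++p_->refcount; }
  Callbacks* p_ = nullptr;
};

// Buggy pattern: the IO-side owner keeps its reference after posting a copy to
// the IndexedDB queue. The destructor then runs on whichever side releases
// last; here the IndexedDB task finishes first, so the object dies on IO.
std::string DestroyedOnWithSharedRef() {
  std::string destroyed_on;
  TaskQueue io{"IO"}, idb{"IndexedDB"};
  Ref held_on_io;  // models a member of an object living on the IO thread
  io.Post([&] {
    held_on_io = Ref(new Callbacks(&destroyed_on));          // created on IO
    idb.Post([cb = held_on_io] { cb.get()->OnSuccess(); });  // count 1 -> 2
  });
  io.RunAll();
  idb.RunAll();                          // task runs, drops its copy: 2 -> 1
  io.Post([&] { held_on_io.Reset(); });  // IO drops the last reference: 1 -> 0
  io.RunAll();
  return destroyed_on;
}

// Fixed pattern, following the commit's description: the reference created on
// the IO thread is moved into the posted task, so the IO side retains nothing
// and the object can only be released, and destroyed, on the IndexedDB thread.
std::string DestroyedOnWithOwnershipTransfer() {
  std::string destroyed_on;
  TaskQueue io{"IO"}, idb{"IndexedDB"};
  io.Post([&] {
    Ref callbacks(new Callbacks(&destroyed_on));  // created on IO
    idb.Post([cb = std::move(callbacks)] { cb.get()->OnSuccess(); });
    // `callbacks` is now empty; nothing on the IO side can touch the refcount.
  });
  io.RunAll();
  idb.RunAll();  // the task's captured reference is the last one: destroyed here
  return destroyed_on;
}

int main() {
  std::printf("shared ref destroyed on:    %s\n", DestroyedOnWithSharedRef().c_str());
  std::printf("moved ref destroyed on:     %s\n", DestroyedOnWithOwnershipTransfer().c_str());
  return 0;
}
```

The point to check in a review of similar code is whether any copy of the scoped_refptr outlives the post: an extra copy kept in a member or a local on the originating thread is exactly what lets the last Release(), and therefore the destructor, run on the wrong thread.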
Oct 20 2016
Oct 21 2016
ClusterFuzz has detected this issue as fixed in range 426561:426648.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5148907992776704

Fuzzer: jsbell_indexeddb
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6040002bbbe8
Crash State:
  base::debug::TaskAnnotator::RunTask
  base::MessageLoop::RunTask
  base::MessageLoop::DeferOrRunPendingTask

Recommended Security Severity: Critical

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=426410:426422
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=426561:426648

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97SIL2XFVqFuiTrBgR69fYTeFyt-hL3plSJgirV-pTylrgtLIbpUESTTRp7lSZE5Oz-_vElhHIDkKV5Mt6lZ_LnWGE61KP3Q_3P8M3LNP_1aldIpC64FjGS_RaYcZCX7lhm-9cIAWo5O_TLAAuWGPIWfkZcD5Kx7GctAFtBeeKrN6TV2bA?testcase_id=5148907992776704

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oct 21 2016
Oct 23 2016
Issue 657919 has been merged into this issue.
Oct 23 2016
Issue 657943 has been merged into this issue.
Oct 27 2016
Does this need a merge to M54? If yes, please request a merge to M54.
Oct 27 2016
The change that introduced this bug is only on M-56. I haven't looked at the issues duped against this one, but if they are hit on older releases then they aren't related.
Oct 27 2016
I am not allowed to view either of those issues so I have no idea if they are related.
Oct 27 2016
reillyg@, I added you to the CC list for both bugs (Issue 657919, Issue 657943).
Oct 28 2016
Yes, both bugs are related to this change. No merge is necessary.
Jan 27 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mbarbe...@chromium.org, Oct 20 2016
Labels: Pri-0
Owner: reillyg@chromium.org