Crash in MakeWeak
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6008705989738496
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  MakeWeak
  v8::internal::GlobalHandles::MakeWeak
  SetWeak
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=428077:428348
Minimized Testcase (5.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_klaDWNlxVhKQKhHZU78KcRrU8G60DYALF8Rp9RPR_iWRUt9Q4D72H5K_0G9yVNxo7FHmYCTlXD0QwQajt-deVTlQ_WFRj26WGTcCshy1wzPLDCRpUgw3bBJmoGmmwSr3zhlhW1hiGT2zDEStLG_zR5Wvng?testcase_id=6008705989738496

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 2 2016
mmohammad@ please assign V8 clusterfuzz issues to the V8 clusterfuzz sheriff (go/v8 shows who is the current sheriff). Assigning to the current CF sheriff.
Nov 3 2016
ClusterFuzz has detected this issue as fixed in range 429254:429267.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6008705989738496
Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_lsan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  MakeWeak
  v8::internal::GlobalHandles::MakeWeak
  SetWeak
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=428077:428348
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=429254:429267
Minimized Testcase (5.30 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94_klaDWNlxVhKQKhHZU78KcRrU8G60DYALF8Rp9RPR_iWRUt9Q4D72H5K_0G9yVNxo7FHmYCTlXD0QwQajt-deVTlQ_WFRj26WGTcCshy1wzPLDCRpUgw3bBJmoGmmwSr3zhlhW1hiGT2zDEStLG_zR5Wvng?testcase_id=6008705989738496

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 3 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 7 2016
This is the top #2 renderer crash on Mac Chrome version 56.0.2906.0, with 54 instances from 48 different client IDs.

Reports by build (share of all reports for this signature, report count):

Version        Share    Reports
56.0.2912.0    0.55%    3
56.0.2911.0    0.91%    5
56.0.2910.0    1.46%    8
56.0.2909.0    2.74%    15
56.0.2908.0    3.11%    17
56.0.2907.0    4.75%    26
56.0.2906.0    9.87%    54
56.0.2905.0    5.85%    32
56.0.2904.0    3.29%    18
56.0.2903.0    5.12%    28
56.0.2901.0    0.37%    2
56.0.2900.0    0.18%    1
56.0.2899.0    0.55%    3
56.0.2897.0    0.55%    3
56.0.2896.0    0.37%    2
56.0.2895.0    0.37%    2
56.0.2891.0    0.55%    3
56.0.2889.0    0.18%    1
56.0.2886.0    0.18%    1
56.0.2885.0    0.18%    1
55.0.2875.0    0.18%    1
55.0.2873.4    0.18%    1
55.0.2871.0    0.18%    1
55.0.2869.0    0.18%    1
55.0.2868.0    0.18%    1
55.0.2867.0    0.18%    1
55.0.2866.0    0.18%    1
55.0.2865.0    0.55%    3
55.0.2860.0    0.37%    2
55.0.2858.0    0.37%    2
55.0.2857.0    0.18%    1
55.0.2853.0    0.55%    3
55.0.2847.0    0.18%    1
55.0.2846.4    0.18%    1
55.0.2845.0    0.37%    2
55.0.2844.0    0.55%    3
55.0.2843.0    0.18%    1
55.0.2842.0    0.18%    1
55.0.2841.0    0.18%    1
54.0.2840.87   1.28%    7
54.0.2840.71   33.64%   184
54.0.2840.59   2.74%    15
54.0.2840.50   0.91%    5
54.0.2840.41   0.18%    1

Link to the builds: https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3AGlobalHandles%3A%3AMakeWeak%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#samplereports:5,productversion:1000
Nov 7 2016
Users experienced this crash on the following builds:
Android Dev 56.0.2906.3 - 0.71 CPM, 13 reports, 10 clients (signature [Defective CPU] v8::internal::GlobalHandles::MakeWeak)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Nov 7 2016
#6: Ignore the [Defective CPU] copy (indicating reports from known-buggy hardware); this is very frequent on not-known-to-be-buggy hardware too (#2 on 2906-Dev, #1 on 2909-Canary). It's also still affecting Mac Canaries. I don't see it much on Windows (very few reports on 2910) and Linux (no reports at all). See the CF report in #0 for a detailed stack trace. We crash in: CHECK_NE(object_, reinterpret_cast<Object*>(kGlobalHandleZapValue)); +CC bindings experts.
Nov 8 2016
No idea about what was going on. CF detected this issue as fixed. Do we still need to work on this issue? I see, in the stack trace, that Element.animate() is called, but there seems to be no call to animate() in the minimized test case. The minimized test case looks complicated. Where and how did it call animate()?
Nov 10 2016
This crash has high impact on Chrome's stability. Signature: v8::internal::GlobalHandles::MakeWeak. Channel: dev. Platform: mac. Labeling issue 660818 with ReleaseBlock-Dev. If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Nov 10 2016
This issue looks similar to Issue 644237. Probably it's a dup, I guess. I'll investigate Issue 644237.
Nov 15 2016
Seeing the stack trace, I think this issue should be a dup of Issue 644237. It's not trivial because the minimized test case is too complicated, but I believe this is a dup. The minimized test case no longer crashes.
Nov 22 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Oct 31 2016
Status: Assigned (was: Untriaged)