Use-after-poison in blink::EventListenerIterator::nextListener
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4696891016347648

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Use-after-poison READ 4
Crash Address: 0x7e9232a91294
Crash State:
  blink::EventListenerIterator::nextListener
  blink::EventTarget::traceWrappers
  blink::ScriptWrappableVisitor::AdvanceTracing

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=434476:434480

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv969tNjSREvwH9Cbrchsmyhz2sqaHfeqRRnbESukPPf6QP-IF3dj7G2X2VCluQl5hbkDIkzDAyCYnEjNjD3JpZ_V-CiHZkgqB6S-dD6q_fZlvTdf-OOysd7MY-Fw5e8N80MNGoaZYYdGP9b4TCxVQqo5z4nyEA?testcase_id=4696891016347648

<script>
canvas = new OffscreenCanvas(10, 10);
canvas.addEventListener("webglcontextlost", function() { });
gc()
gc()
</script>

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 27 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 27 2016
Nov 27 2016
Hi mlippautz, it looks like this use-after-poison is happening during V8 garbage collection. Do you mind taking a look / retriaging? Thanks!
Nov 28 2016
Might be the crasher we observe in RegisterExternalReference which always gets passed the same value. Presumably we try to register the poison value.
Nov 28 2016
Nov 28 2016
Also repros on Linux

$ out/Debug/content_shell --single-process --no-sandbox --run-layout-test ~/Downloads/fuzz-29.html 2>&1 | tools/valgrind/asan/asan_symbolize.py
Nov 28 2016
Nov 28 2016
Fix is in flight. We didn't trace all fields in oilpan and so we had a stale pointer on the next GC that traced from V8 (which didn't miss the field).
Nov 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/eb7ae5b79faeb3b4c79866b419ca8e3e7879d29d

commit eb7ae5b79faeb3b4c79866b419ca8e3e7879d29d
Author: mlippautz <mlippautz@chromium.org>
Date: Mon Nov 28 17:26:41 2016

Properly trace OffscreenCanvas

BUG= chromium:668848

Review-Url: https://codereview.chromium.org/2539433002
Cr-Commit-Position: refs/heads/master@{#434674}

[modify] https://crrev.com/eb7ae5b79faeb3b4c79866b419ca8e3e7879d29d/third_party/WebKit/Source/core/offscreencanvas/OffscreenCanvas.cpp
Nov 28 2016
Turns out this was not a bug in wrapper tracing but rather in an Oilpan usage introduced in 8372014fc16a378fc7452164db9b3b89fbd62909. +xidachen: fyi, wrong tracing could've resulted in Oilpan dropping event listeners.
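The mechanism the two comments above describe (an Oilpan Trace() that omits a field, so the referent is swept, followed by a wrapper-tracing pass that does visit the field and reads the stale pointer), modelled as an added example. This is a toy mark/sweep heap written for this page, not Blink's Oilpan and not the actual OffscreenCanvas fix; Heap, Canvas, ListenerList and TraceWrappers are hypothetical stand-ins, and the "freed" flag plays the role of ASan's poisoned quarantine so the stale access is detected rather than being real undefined behaviour.

```cpp
// Toy model of the bug class in this thread (added illustration, not Blink code).
#include <memory>
#include <utility>
#include <vector>

struct Heap;

struct GcObject {
  bool marked = false;
  bool freed = false;  // set by sweep; stands in for ASan's poisoned quarantine
  virtual ~GcObject() = default;
  virtual void Trace(Heap& heap) = 0;  // Oilpan-style: must visit every GC'd field
};

struct Heap {
  std::vector<std::unique_ptr<GcObject>> live;
  std::vector<std::unique_ptr<GcObject>> quarantine;  // swept, memory kept so reads are checkable
  std::vector<GcObject*> roots;

  template <class T>
  T* New() {
    auto obj = std::make_unique<T>();
    T* raw = obj.get();
    live.push_back(std::move(obj));
    return raw;
  }

  // Visitor entry point called from Trace() implementations: mark and recurse.
  void Visit(GcObject* obj) {
    if (!obj || obj->marked) return;
    obj->marked = true;
    obj->Trace(*this);
  }

  // One GC cycle: mark from roots, then sweep every unmarked object.
  void Collect() {
    for (GcObject* root : roots) Visit(root);
    std::vector<std::unique_ptr<GcObject>> survivors;
    for (auto& obj : live) {
      if (obj->marked) {
        obj->marked = false;
        survivors.push_back(std::move(obj));
      } else {
        obj->freed = true;  // memory is now "poisoned"
        quarantine.push_back(std::move(obj));
      }
    }
    live = std::move(survivors);
  }
};

// Stand-in for the listener storage an event target owns.
struct ListenerList : GcObject {
  int count = 1;
  void Trace(Heap&) override {}  // leaf object: no GC'd fields of its own
};

// Stand-in for an event target that keeps its listener list in a GC'd field.
struct Canvas : GcObject {
  ListenerList* listeners = nullptr;
  bool trace_listeners = false;  // false reproduces the forgotten trace

  void Trace(Heap& heap) override {
    if (trace_listeners) heap.Visit(listeners);  // the fix: actually trace the field
  }
};

// Second tracing pass (wrapper tracing in the thread). It does visit the field,
// so if the first GC swept the list this touches freed memory. Returns false
// where ASan would report use-after-poison, instead of dereferencing.
bool TraceWrappers(const Canvas& canvas) {
  if (canvas.listeners->freed) return false;
  return canvas.listeners->count > 0;
}

// Allocate a canvas with a listener list, run one GC (the first gc() in the
// test case), then run wrapper tracing. Returns true if the list was still live.
bool RunScenario(bool canvas_traces_listeners) {
  Heap heap;
  Canvas* canvas = heap.New<Canvas>();
  canvas->listeners = heap.New<ListenerList>();
  canvas->trace_listeners = canvas_traces_listeners;
  heap.roots.push_back(canvas);   // only the canvas itself is reachable from a root
  heap.Collect();                 // listeners survive only if the canvas traces them
  return TraceWrappers(*canvas);  // the second pass reads the field either way
}
```

RunScenario(false) reproduces the thread's failure: the list is swept by the first collection and the second pass reads a stale pointer. RunScenario(true) is the fixed behaviour. The same omission also explains the "dropping event listeners" remark: even without wrapper tracing, an untraced field means the referent is simply collected while the owner is still alive.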
Nov 29 2016
kbr: Maybe interesting since this bug could result in event listeners being lost (even without wrapper tracing).
Nov 29 2016
ClusterFuzz has detected this issue as fixed in range 434636:434658.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4696891016347648

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Use-after-poison READ 4
Crash Address: 0x7e9232a91294
Crash State:
  blink::EventListenerIterator::nextListener
  blink::EventTarget::traceWrappers
  blink::ScriptWrappableVisitor::AdvanceTracing

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=434476:434480
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=434636:434658

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv969tNjSREvwH9Cbrchsmyhz2sqaHfeqRRnbESukPPf6QP-IF3dj7G2X2VCluQl5hbkDIkzDAyCYnEjNjD3JpZ_V-CiHZkgqB6S-dD6q_fZlvTdf-OOysd7MY-Fw5e8N80MNGoaZYYdGP9b4TCxVQqo5z4nyEA?testcase_id=4696891016347648

<script>
canvas = new OffscreenCanvas(10, 10);
canvas.addEventListener("webglcontextlost", function() { });
gc()
gc()
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 29 2016
Dec 15 2016
Mar 7 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot