Use-of-uninitialized-value in blink::HTMLTreeBuilderSimulator::simulate
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5376618999840768
Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::HTMLTreeBuilderSimulator::simulate
  blink::BackgroundHTMLParser::pumpTokenizer
  base::internal::RunMixin<base::Callback<void
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=439337:439343

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv954YXbiAjx-XB6CorHqHD6SbaosIOLaF69RxJspcXkQv198kny1kMhI43KqB0xQfVcIIXxTBPdsyCQZ6aZUVVmNCOCl5uIo8HXh6OYBFlzGjsAzXA85FQM8APxCBes062lZeRHmAedt4AGwP5dTesJKIT1ZTg?testcase_id=5376618999840768
[{"e":"thead"},{"c":[{"t":"*�!!c*(�203685720357203685\u0001d�\u0000"}],"e":"button"}]

Issue filed automatically. See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Dec 18 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 18 2016
Dec 20 2016
Can you PTAL or assign this to someone who can? Thank you.
Dec 20 2016
I don't think it's a regression; could this be caused by a recent roll in libfuzzer? https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer/+log/4d737af..2d19afd The code does not look unusual. CCing the usual suspects for parser stuff, and kcc for a libfuzzer explanation.
Dec 27 2016
Newer libFuzzer might have found this bug, so the regression range sounds bogus. But the bug report itself looks legitimate.
Dec 31 2016
I think this is caused by a missing ctor initializer for CompactHTMLToken::m_selfClosing. I don't have a corp machine to upload a CL, but this isn't a security bug as we are checking for the Token::End type in the AND expr. Lowering to P2 for now.
Dec 31 2016
Thanks for the explanation. Clearing security flags, since this wouldn't result in a usable information leak.
Jan 2 2017
If this isn't a security bug, is it fine to remove the Blocker label?
Jan 4 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/22726ac8cf9ec16985fd3103d1e1c7f2c45b2b25

commit 22726ac8cf9ec16985fd3103d1e1c7f2c45b2b25
Author: csharrison <csharrison@chromium.org>
Date: Wed Jan 04 07:45:23 2017

Invert a && in HTMLTreeBuilderSimulator

This avoids an uninitialized value use for testing the selfClosing bit of CompactHTMLToken, which is undefined for non start/end tags.

BUG=675376
Review-Url: https://codereview.chromium.org/2613513002
Cr-Commit-Position: refs/heads/master@{#441333}

[modify] https://crrev.com/22726ac8cf9ec16985fd3103d1e1c7f2c45b2b25/third_party/WebKit/Source/core/html/parser/HTMLTreeBuilderSimulator.cpp
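To show why inverting the && matters, here is an added example that is not Chromium's code: a stand-in token type whose selfClosing bit is only written for start and end tags, and a counter that stands in for MSan by recording every read of that bit on a token where it was never set. The token type names, the Simulator helper and the end-tag test are assumptions chosen to model the pattern; the exact expression in HTMLTreeBuilderSimulator is not on this page.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for CompactHTMLToken. As in the bug, the selfClosing
// bit is only meaningful for start and end tags; selfClosingSet records
// whether it was ever written, which is what a memory sanitizer tracks.
struct CompactToken {
    enum Type { StartTag, EndTag, Character, Comment };
    Type type;
    bool selfClosingSet;
    bool selfClosing;  // the bit MSan flagged; modelled, not truly uninitialized

    explicit CompactToken(Type t, bool closing = false)
        : type(t), selfClosingSet(t == StartTag || t == EndTag),
          selfClosing(closing) {}
};

// Counts reads of selfClosing on tokens where it was never written, i.e. the
// reads MSan would report as use-of-uninitialized-value.
struct Simulator {
    std::size_t uninitReads = 0;

    bool selfClosingBit(const CompactToken& tok) {
        if (!tok.selfClosingSet) ++uninitReads;
        return tok.selfClosing;
    }

    // Pre-fix operand order: the flag is read before the type is checked,
    // so character and comment tokens trigger the uninitialized read.
    bool isSelfClosingEndBuggy(const CompactToken& tok) {
        return selfClosingBit(tok) && tok.type == CompactToken::EndTag;
    }

    // Post-fix order (the && inverted): the type test short-circuits, so the
    // flag is only read on tokens for which it was initialized.
    bool isSelfClosingEndFixed(const CompactToken& tok) {
        return tok.type == CompactToken::EndTag && selfClosingBit(tok);
    }
};

// Runs one ordering over a constructed token stream (start tag, text,
// comment, end tag) and returns how many uninitialized reads it produced.
std::size_t countUninitReads(bool useFixed) {
    std::vector<CompactToken> stream = {
        CompactToken(CompactToken::StartTag),
        CompactToken(CompactToken::Character),
        CompactToken(CompactToken::Comment),
        CompactToken(CompactToken::EndTag, true),
    };
    Simulator sim;
    for (const CompactToken& tok : stream) {
        if (useFixed) sim.isSelfClosingEndFixed(tok);
        else sim.isSelfClosingEndBuggy(tok);
    }
    return sim.uninitReads;
}
```

The reordering removes the read, but the cleaner fix suggested earlier in the thread, initializing m_selfClosing in every constructor, would make the expression safe in either operand order.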
Jan 5 2017
ClusterFuzz has detected this issue as fixed in range 441323:441347.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5376618999840768
Fuzzer: libfuzzer_renderer_tree_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::HTMLTreeBuilderSimulator::simulate
  blink::BackgroundHTMLParser::pumpTokenizer
  base::internal::RunMixin<base::Callback<void
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=439337:439343
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=441323:441347

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv954YXbiAjx-XB6CorHqHD6SbaosIOLaF69RxJspcXkQv198kny1kMhI43KqB0xQfVcIIXxTBPdsyCQZ6aZUVVmNCOCl5uIo8HXh6OYBFlzGjsAzXA85FQM8APxCBes062lZeRHmAedt4AGwP5dTesJKIT1ZTg?testcase_id=5376618999840768
[{"e":"thead"},{"c":[{"t":"*�!!c*(�203685720357203685\u0001d�\u0000"}],"e":"button"}]

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 5 2017
ClusterFuzz testcase 5376618999840768 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by sheriffbot@chromium.org, Dec 18 2016