This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 441524:442831.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6128476513107968

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  cc::CompositorFrameSinkSupport::~CompositorFrameSinkSupport
  content::OffscreenCanvasCompositorFrameSink::~OffscreenCanvasCompositorFrameSink
  mojo::StrongBinding<cc::mojom::MojoCompositorFrameSink>::OnConnectionError
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=438562:438656
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_content_shell_drt&range=441524:442831

Minimized Testcase (0.18 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97ppBy1459hLpzoQ6ABSfD_yxRfq6ji6wVI4yUZFHn8iD7z2yMb8DEDx3KSma5DJ_89NFCDTTikouVTZTdetdXjacHJmCOqPLm2NieC-ngnEyQAx2cB7l-rZsHsnTl44kGmgU6IXv_hj7PSkwkBdsVNQhGc4w?testcase_id=6128476513107968
<canvas id="c"><script>
var can = document.getElementById('c');
can.width = can.height = "900px";
var ctx = can.transferControlToOffscreen().getContext("2d");
ctx.commit();
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot