Heap-use-after-free in blink::LayoutObject::visualRect
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6370921276506112
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Heap-use-after-free READ 16
Crash Address: 0xcc120728
Crash State:
  blink::LayoutObject::visualRect
  blink::LayoutTableCell::CollapsedBorderValues::visualRect
  blink::visualRectForDisplayItem
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=431896:432166
Minimized Testcase (1.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Qwci0YMbXyll_ez-tqh7fxvHx9VTuSta7ljjnBpMyakpVg4lVuXmxAxN1my1wHDNKnt0xu8ly2aArhOy41FiYynzE7vUlRtSmmfNuDXMRPxmdxh-Wlh8t50iv5ka7VmG6cATYBNOsM6x2SKtDOYbi00a9iw?testcase_id=6370921276506112

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Dec 26 2016

Dec 26 2016

Dec 27 2016
Hi Christian, Emil, Could one of you please help triage this use-after-free security bug?! It's not obvious what change has triggered this scenario. Looks like the LayoutTable is being accessed after being destroyed. Check out the thread stack that freed that memory address in the detailed report. Any help finding an appropriate owner would be appreciated. Thanks!
Jan 2 2017

Jan 3 2017
Speculatively adding wangxianzhu@ as b2a470747585456b0c545551d61a7b3f7baffda9 ( issue 663208 ) is in the regression range.
Jan 3 2017

Jan 3 2017

Jan 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/307f8cadc888653def2bfdc1a01978b411e718b0

commit 307f8cadc888653def2bfdc1a01978b411e718b0
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Wed Jan 04 05:09:24 2017

    Reference table via the cell for collapsed border display item client

    BUG=676974
    Review-Url: https://codereview.chromium.org/2616463003
    Cr-Commit-Position: refs/heads/master@{#441322}

[modify] https://crrev.com/307f8cadc888653def2bfdc1a01978b411e718b0/third_party/WebKit/Source/core/layout/LayoutTableCell.cpp
[modify] https://crrev.com/307f8cadc888653def2bfdc1a01978b411e718b0/third_party/WebKit/Source/core/layout/LayoutTableCell.h
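As an added illustration of the lifetime mismatch behind the fix title above (this is not Blink's code and not taken from the patch), the following simplified C++ model contrasts a collapsed-border display item client that caches a raw pointer to its table with one that reaches the table through the cell that owns the client. Every name here (Table, Cell, ModelHeap, CachedTableBorderClient, CellBorderClient), the scenario that destroys the old table (the cell being moved into a new table), and the quarantine-style "heap" that counts dangling accesses instead of actually freeing memory are assumptions of this model; the bug report does not say what freed the LayoutTable in the fuzzer case.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <vector>

// Rectangle in layout coordinates, plus an outset helper for a collapsed border.
struct Rect {
  int x = 0, y = 0, w = 0, h = 0;
  bool operator==(const Rect& o) const {
    return x == o.x && y == o.y && w == o.w && h == o.h;
  }
};

Rect Outset(Rect r, int d) { return Rect{r.x - d, r.y - d, r.w + 2 * d, r.h + 2 * d}; }

// Hypothetical stand-in for LayoutTable (assumption of this model): the only state
// the client needs is the collapsed border width, plus a liveness flag kept by ModelHeap.
struct Table {
  int border_width;
  bool alive = true;
  explicit Table(int b) : border_width(b) {}
};

// Stand-in for the allocator plus sanitizer instrumentation. Destroy() quarantines a
// table instead of releasing its storage, and Access() counts any touch of a quarantined
// table, so the dangling read below is recorded rather than being undefined behaviour.
class ModelHeap {
 public:
  Table* NewTable(int border_width) {
    tables_.push_back(std::make_unique<Table>(border_width));
    return tables_.back().get();
  }
  void Destroy(Table* t) { t->alive = false; }
  const Table& Access(const Table* t) {
    if (!t->alive) ++use_after_free_count_;
    return *t;
  }
  int UseAfterFreeCount() const { return use_after_free_count_; }

 private:
  std::vector<std::unique_ptr<Table>> tables_;
  int use_after_free_count_ = 0;
};

// Hypothetical stand-in for LayoutTableCell. In this model the table a cell belongs to
// can change while the cell itself lives on.
struct Cell {
  Rect rect;
  Table* table;
};

// Before the fix pattern: the client captured a Table* when it was created, so the
// pointer dangles once that table is destroyed.
struct CachedTableBorderClient {
  const Cell* cell;
  Table* table;
  Rect VisualRect(ModelHeap& heap) const {
    const Table& t = heap.Access(table);  // dangling after the table is destroyed
    return Outset(cell->rect, t.border_width);
  }
};

// After the fix pattern: the client keeps only the cell, whose lifetime matches its own,
// and asks the cell for its current table on every call.
struct CellBorderClient {
  const Cell* cell;
  Rect VisualRect(ModelHeap& heap) const {
    const Table& t = heap.Access(cell->table);  // always the cell's live table
    return Outset(cell->rect, t.border_width);
  }
};

struct Outcome {
  Rect rect;
  int use_after_free_count;
};

// Constructed scenario: the cell starts in table A (border 1), the layout tree moves it
// into table B (border 3) and destroys A, then the client is asked for its visual rect.
Outcome RunCachedTableClient() {
  ModelHeap heap;
  Table* a = heap.NewTable(1);
  Cell cell{Rect{10, 10, 40, 20}, a};
  CachedTableBorderClient client{&cell, a};  // Table* captured here
  Table* b = heap.NewTable(3);
  cell.table = b;
  heap.Destroy(a);
  Rect r = client.VisualRect(heap);  // reads the destroyed table
  return Outcome{r, heap.UseAfterFreeCount()};
}

Outcome RunCellClient() {
  ModelHeap heap;
  Table* a = heap.NewTable(1);
  Cell cell{Rect{10, 10, 40, 20}, a};
  CellBorderClient client{&cell};  // only the owning cell is remembered
  Table* b = heap.NewTable(3);
  cell.table = b;
  heap.Destroy(a);
  Rect r = client.VisualRect(heap);  // reads the live table B
  return Outcome{r, heap.UseAfterFreeCount()};
}

int main() {
  std::printf("cached Table*: %d dangling access(es)\n", RunCachedTableClient().use_after_free_count);
  std::printf("via cell:      %d dangling access(es)\n", RunCellClient().use_after_free_count);
  return 0;
}
```

The point of the model is the ownership relation, not the rectangle arithmetic: the client is owned by the cell, so a pointer to the cell is valid for as long as the client exists, whereas a pointer to the table is only as good as the last time the cell's tree position was checked. Under ASan the cached-pointer version is what shows up as a heap-use-after-free READ in the visualRect frame.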
Jan 4 2017
ClusterFuzz has detected this issue as fixed in range 441240:441358.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6370921276506112
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: Heap-use-after-free READ 16
Crash Address: 0xcc220c28
Crash State:
  blink::LayoutObject::visualRect
  blink::LayoutTableCell::CollapsedBorderValues::visualRect
  blink::visualRectForDisplayItem
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=431896:432166
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=441240:441358
Minimized Testcase (1.34 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96MSi0DMxNc_hf60_kpH4nykaCk47-tzYJKUW11dx6uVMSvAaF1TfeFSQVxdIH2AVFnEIUtij2d156oNf2faDY4jNrk50PyVmxwEyJAljoLZSIBSbMDmdWjVoXqKEIp9WOqJbvBxPe_J7u4lX2YZINtPxUOuboXyiTH70Adh62pBQZ-s0rzsJMKImSMpP6Rp7lBIlUW3Yjg75xhhwbqn4gi7duVHG59hjOKaHbR15g5IRPY7t2bwW30iTDrAnpoN0jyRp4doAy93T3B5IVzkaArYGyz2Hldw_zEn1-kEwdaXtWT4o6tHgPwIGriCewOvVkCwFZH4rSQjO7MxiuJxdhITa1MW6uLo_Oofea9Y4QJ_4VvXRM?testcase_id=6370921276506112

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 4 2017

Jan 4 2017

Jan 5 2017
Your change meets the bar and is auto-approved for M56. Please go ahead and merge the CL manually. Please contact milestone owner if you have questions. Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 5 2017

Jan 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f5c957fd22e7505e961b255a49cf8d1c122a47cb

commit f5c957fd22e7505e961b255a49cf8d1c122a47cb
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Thu Jan 05 17:12:26 2017

    Reference table via the cell for collapsed border display item client

    BUG=676974
    NOTRY=true
    NOPRESUBMIT=true
    TBR=wangxianzhu@chromium.org
    Review-Url: https://codereview.chromium.org/2616463003
    Cr-Original-Commit-Position: refs/heads/master@{#441322}
    Review-Url: https://codereview.chromium.org/2615613006
    Cr-Commit-Position: refs/branch-heads/2924@{#679}
    Cr-Branched-From: 3a87aecc31cd1ffe751dd72c04e5a96a1fc8108a-refs/heads/master@{#433059}

[modify] https://crrev.com/f5c957fd22e7505e961b255a49cf8d1c122a47cb/third_party/WebKit/Source/core/layout/LayoutTableCell.cpp
[modify] https://crrev.com/f5c957fd22e7505e961b255a49cf8d1c122a47cb/third_party/WebKit/Source/core/layout/LayoutTableCell.h
Jan 10 2017

Apr 13 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot