This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I'm putting this in the v8 queue because it the stack looks related to v8 GC, but not really sure. Help triaging would be appreciated.

Looks like  issue 676850 /676560 and seems related to implementation  issue 468240 .

mlippautz@, would you mind taking a look as per #5?

Thanks, I will have a look asap.

This looks like a bad-cast on a nullptr, which UBSan finds as undefined behavior, before it would crash afterwards. Severity seems to high for this.

I am able to reproduce issue 676700 with the CF test case. Will fix this one and check if they are related.

I couldn't reproduce the exact stack trace but I am landing a fix to issue 676700 in https://codereview.chromium.org/2610853002/ which was flushed out by this repro.

I will wait for CF to try to reproduce again.

ClusterFuzz has detected this issue as fixed in range 441358:441432.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5362035471941632

Fuzzer: therealholden_worker
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x14108eebb328
Crash State:
  Bad-cast to blink::ScriptWrappable from invalid vptr
  blink::DOMWrapperWorld::markWrappersInAllWorlds
  blink::TraceTrait<blink::DOMArrayBuffer>::traceMarkedWrapper
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=439820:440032
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=441358:441432

Minimized Testcase (3.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv945En6W3rGMlthWRN5l33D12nfFyP-esvE1--6nojQThfvRkcX038eaCciZDV8debYGl6pbhDbWGP3lN-irRVp-PZ9NQ6yDxnWTKZ3Oo2An2rlyCzaObNzeP_Kj_RX_71h6Nf1tBVjqTFxY9zOw9312PpWxni3VB1xPJs3DYdXlsBanfkzt74NtUP5w_pnT8Obp3YpMqC0er4qlJklUC7ypiBHmuO4tugnM-TrrYQheHAoFXhC4OP1Yn4KdWWMR61nAEhNXW5UEQFr1-VQsQownlw3Z-eKhAIF8nF2xkO_tCX4INcBSWmx2-Mk9azzGFRqirBhM8NR88_LAK0AmN4ePPYut8kWlgTfDiKQXyYzas-68Uqk?testcase_id=5362035471941632

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5362035471941632 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot