Bad-cast to safe_browsing::DownloadFileType from invalid vptr;blink::intMod;blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5739549205725184

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000000000000
Crash State:
  Bad-cast to safe_browsing::DownloadFileType from invalid vptr
  blink::intMod
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset

Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=441902:441922

Minimized Testcase (0.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv977ErrhoSvKETmqTOiGhqB65RtzFjyWFPpwZwmgXG9VP2Bg2_zrmC0FDKODaYLxc9B_dU_KnEpNHvBZtYyH5Yq1TIzjd-caiKuExpZ2stxpodYo_KEym7Ldwqg1iv2xn3anOD-CP3MuI-SBdUhBfOg9pX2vfo3Ikg36AKjsOq4NOyIF6Ot-LpZRntvmkgBl0DktiJTLC-vRoQQh9fB8MvYGe7EQcrCi9AKxxg0D9oTzcgnbNXF62tedefUCB8wJqsiEAp7dunV3b7EEESpMjvaQLwffoJDkIaCcK4u4-fDKiwanZ5IyaEwlQPDsRDCLreomBN2FTr-_SANe-6Tg0wec0o2VNIvtaG9bBd2NMgcdiEE4HInqMyhnWmKccqxDdsLBuWjgKdOImBasUDyAy69KWnqc7A?testcase_id=5739549205725184

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 6 2017
Hi rsesek@. Unfortunately, I don't have access to https://cluster-fuzz.appspot.com/v2/testcases?q=group%3A6462297053855744. However, I've already reverted this commit in https://codereview.chromium.org/2618913002/ (because of https://bugs.chromium.org/p/chromium/issues/detail?id=678919).
Jan 6 2017
Ah, sorry about that. Not sure why you don't have access. But this is a sample report. It looks like all the control flow integrity checks are violated on PB types. If this is reverted, then this should get cleared up automatically.

gen/chrome/common/safe_browsing/download_file_types.pb.h:228:12: runtime error: control flow integrity check for type safe_browsing::DownloadFileType failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/metrics/proto/chrome_user_metrics_extension.pb.h:262:12: runtime error: control flow integrity check for type metrics::ChromeUserMetricsExtension failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/policy/proto/device_management_backend.pb.h:2511:8: runtime error: control flow integrity check for type enterprise_management::PolicyFetchResponse failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/policy/proto/policy_signing_key.pb.h:68:8: runtime error: control flow integrity check for type enterprise_management::PolicySigningKey failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/data_reduction_proxy/proto/pageload_metrics.pb.h:109:12: runtime error: control flow integrity check for type data_reduction_proxy::RecordPageloadMetricsRequest failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/variations/proto/client_variations.pb.h:67:12: runtime error: control flow integrity check for type variations::ClientVariations failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/sync/protocol/model_type_state.pb.h:173:12: runtime error: control flow integrity check for type sync_pb::ModelTypeState failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/sync/protocol/model_type_store_schema_descriptor.pb.h:67:12: runtime error: control flow integrity check for type sync_pb::ModelTypeStoreSchemaDescriptor failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/components/omnibox/browser/in_memory_url_index_cache.pb.h:1499:12: runtime error: control flow integrity check for type in_memory_url_index::InMemoryURLIndexCacheItem failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
Error: unrecognized flag --verify-heap
Try --help for options
gen/components/translate/core/browser/proto/translate_ranker_model.pb.h:287:12: runtime error: control flow integrity check for type chrome_intelligence::TranslateRankerModel failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/cld_3/protos/task_spec.pb.h:692:12: runtime error: control flow integrity check for type chrome_lang_id::TaskSpec failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
gen/cld_3/protos/feature_extractor.pb.h:345:12: runtime error: control flow integrity check for type chrome_lang_id::FeatureExtractorDescriptor failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable
<memory cannot be printed>
Received signal 11 SEGV_MAPERR 000000000020
#0 0x7f6ac08c8ef3 base::debug::StackTrace::StackTrace()
#1 0x7f6ac08c8a89 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f6abd148330 <unknown>
#3 0x7f6abe948e90 <unknown>
#4 0x7f6abea0fa2d _ZNKSt11_Tuple_implILm0EJRKiRKSsRKSt6vectorIN5blink23WebCompositionUnderlineESaIS6_EES1_S1_EE7_M_headEv
#5 0x7f6ac32fd850 blink::(anonymous namespace)::shadowDepthOf<>()
#6 0x7f6ac32fd6de blink::TextIteratorAlgorithm<>::initialize()
#7 0x7f6ac3301071 blink::TextIteratorAlgorithm<>::rangeLength()
#8 0x7f6ac32d7751 blink::CompositeEditCommand::moveParagraphs()
#9 0x7f6ac32e53c7 blink::IndentOutdentCommand::outdentParagraph()
#10 0x7f6ac32e4b3d blink::IndentOutdentCommand::outdentRegion()
#11 0x7f6ac5146504 blink::ApplyBlockElementCommand::doApply()
#12 0x7f6ac32d277d blink::CompositeEditCommand::apply()
#13 0x7f6ac31be69b blink::Document::execCommand()
#14 0x7f6ac2f3761e blink::DocumentV8Internal::execCommandMethod()
#15 0x7f6ac2f34eef blink::DocumentV8Internal::execCommandMethodCallback()
#16 0x7f6abeda7b62 v8::internal::FunctionCallbackArguments::Call()
#17 0x7f6abee2629e v8::internal::(anonymous namespace)::HandleApiCallHelper<>()
#18 0x7f6abee25bf1 v8::internal::Builtin_Impl_HandleApiCall()
#19 0x7f6abee25958 v8::internal::Builtin_HandleApiCall()
Jan 6 2017
jbriance@cisco.com - you need to be marked as issue owner for access. Do you have a project contributor account? Also, adding testcase as attachment.
Jan 6 2017
Thanks for the info aarya@. I don't think I have a project contributor account: I only have my jbriance@cisco.com Google account (with signed CLA), allowing me to submit changes in Chromium.
Jan 7 2017
ClusterFuzz has detected this issue as fixed in range 441922:441945.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5739549205725184

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x000000000000
Crash State:
  Bad-cast to safe_browsing::DownloadFileType from invalid vptr
  blink::intMod
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset

Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=441902:441922
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_cfi_chrome&range=441922:441945

Minimized Testcase (0.48 Kb): https://cluster-fuzz.appspot.com/download/AMIfv977ErrhoSvKETmqTOiGhqB65RtzFjyWFPpwZwmgXG9VP2Bg2_zrmC0FDKODaYLxc9B_dU_KnEpNHvBZtYyH5Yq1TIzjd-caiKuExpZ2stxpodYo_KEym7Ldwqg1iv2xn3anOD-CP3MuI-SBdUhBfOg9pX2vfo3Ikg36AKjsOq4NOyIF6Ot-LpZRntvmkgBl0DktiJTLC-vRoQQh9fB8MvYGe7EQcrCi9AKxxg0D9oTzcgnbNXF62tedefUCB8wJqsiEAp7dunV3b7EEESpMjvaQLwffoJDkIaCcK4u4-fDKiwanZ5IyaEwlQPDsRDCLreomBN2FTr-_SANe-6Tg0wec0o2VNIvtaG9bBd2NMgcdiEE4HInqMyhnWmKccqxDdsLBuWjgKdOImBasUDyAy69KWnqc7A?testcase_id=5739549205725184

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 7 2017
> ClusterFuzz has detected this issue as fixed in range 441922:441945.
Revert is refs/heads/master@{#441937}, so I think it's all clear and issue can be closed.
Jan 7 2017
ClusterFuzz testcase 5739549205725184 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 7 2017
Apr 15 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 28
Comment 1 by rsesek@chromium.org, Jan 6 2017
Components: Internals
Status: Assigned (was: Untriaged)