This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Assigning to sigbjornf@opera.com since it crashes in MockWebSpeechRecognizer

alexclarke@ -- Please help triage this. I can't pin point the culprit CL.

Sorry CC'ing sigbjornf@opera.com since it crashes in MockWebSpeechRecognizer

We should fix this, but these objects are not exposed in production builds. Touching a dead WebTestDelegate, by initial & cursory looks.

https://codereview.chromium.org/2734713002/ has the changes needed; I'll get this reviewed & landed, but dropping some labels right away.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dd42ff761a2b4725279bb659de9e5205567875a4

commit dd42ff761a2b4725279bb659de9e5205567875a4
Author: sigbjornf <sigbjornf@opera.com>
Date: Mon Mar 06 06:34:46 2017

WebViewTestProxyBase: clear out main test delegate upon destruction.

The first BlinkTestRunner created is set as the main delegate of test
interfaces along with being set as the delegate of the web view test
proxy object.

When that view test proxy goes away, unregister the main delegate at
the same time as it can no longer be safely accessed.

R=tkent
BUG= 698166 

Review-Url: https://codereview.chromium.org/2734713002
Cr-Commit-Position: refs/heads/master@{#454834}

[modify] https://crrev.com/dd42ff761a2b4725279bb659de9e5205567875a4/content/shell/test_runner/mock_web_speech_recognizer.cc
[modify] https://crrev.com/dd42ff761a2b4725279bb659de9e5205567875a4/content/shell/test_runner/web_view_test_proxy.cc

ClusterFuzz has detected this issue as fixed in range 454833:454837.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6068516538286080

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x61500015e0a8
Crash State:
  test_runner::MockWebSpeechRecognizer::PostRunTaskFromQueue
  base::debug::TaskAnnotator::RunTask
  blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=436306:436323
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=454833:454837

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv9578oDzYhcKedgqwu7bXRP6HAHAGdOA_URDAQVdjgsXMsVveGV7eyjapnOMnvyX7WsixyuFsJaxRHzzQ3EoorIvBD_VqsBsE3-6IgYDtSrJW6uFEHUZKPiD6GDSW1ArFM-Uh2eSrTk7OUEWQ3ojKg9p3muCpA?testcase_id=6068516538286080


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot