Ill in blink::PropertyRegistration::registerProperty
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5305075435307008
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Ill
Crash Address: 0x00010cc85e1d
Crash State:
blink::PropertyRegistration::registerProperty
blink::V8CSS::registerPropertyMethodCallback
v8::internal::FunctionCallbackArguments::Call
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=453380:453417
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97WdIgQ7-OOrHWDoFZSyQMEQObr8k7Rr-y2XkhrN9qylwG8zcPHf8mIw1kFD-9pj-h_bbBlXk7SOpYmqhJUJvrC7bGtL5G1CAl-nAPGMG8FKe_xrFiGgeo4lsbnetDUryFbR-abmIIkSY0HxJy_EaLnFqOalD51AMz7CAigskk9hp91cewKqD-MBA40i7ULZkXZXaK5Xdhidjc9DVnzNNSHQgV-HG97BEU5phpiidJpDr2Do1XXCiEbeKks6ppHe6qOIUwu9W0H_pv2ZjQD6Ohq9gobDdxRA77bT1xjD-_G-bgtM2O9waeR3fRxuaWvaqEQnYfITx9QFl1k22uqg2OX0kpFpTF4oiSDCvJ4Y1MOtmZkBk4?testcase_id=5305075435307008
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 17 2017
This is tripping the DCHECKs in PropertyRegistration::registerProperty. I don't think this should have been affected by my CL, as the generated code for V8CSS.cpp shouldn't have been affected by my patch (as these interfaces aren't exposed across origins). From what I can tell, the assumptions that inherits and syntax must be set are incorrect: https://cs.chromium.org/chromium/src/out/Debug/gen/blink/bindings/core/v8/V8PropertyDescriptor.cpp?rcl=8a995469daa431c2c7905dbdf08859c5cc4c34aa&l=38
Mar 18 2017
Mar 18 2017
Mar 19 2017
Note: This issue is only reachable with experimental web platform features enabled. CSS.registerProperty() isn't exposed to stable yet.
Mar 19 2017
The initial DCHECKs in PropertyRegistration::registerProperty() seem to be satisfied. V8PropertyDescriptor::toImpl() ensures name is set and PropertyDescriptor's constructor sets syntax and inherits to default values.
Mar 19 2017
Unable to repro with unminimised test case, with and without experimental flag, using Linux ASAN. Needs confirmation on Mac. Reassigning to meade as timloh no longer works on style code.
Mar 20 2017
Mar 24 2017
Apr 1 2017
meade: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 3 2017
Oops, I forgot about this bug. I pulled the reduced testcase off ClusterFuzz and opened it with a normal debug Content Shell on my MacBook Pro. Turns out that you don't need ASAN to reproduce.
Here's the full stacktrace according to lldb:
* thread #29: tid = 0x985bc, 0x000000011c7fc268 libblink_core.dylib`blink::CSSInterpolationType::~CSSInterpolationType(this=0x00002ccf9bad7810) + 8 at CSSInterpolationType.h:16, name = 'Chrome_InProcRendererThread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0)
* frame #0: 0x000000011c7fc268 libblink_core.dylib`blink::CSSInterpolationType::~CSSInterpolationType(this=0x00002ccf9bad7810) + 8 at CSSInterpolationType.h:16
frame #1: 0x000000011c7fc221 libblink_core.dylib`WTF::VectorDestructor<true, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> > >::destruct(std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*) [inlined] std::__1::default_delete<blink::CSSInterpolationType>::operator(this=0x00001c59f16cc310, __ptr=0x00002ccf9bad7810)(blink::CSSInterpolationType*) const + 33 at memory:2399
frame #2: 0x000000011c7fc200 libblink_core.dylib`WTF::VectorDestructor<true, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> > >::destruct(std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*) [inlined] std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >::reset(this=0x00001c59f16cc310, __p=0x0000000000000000) + 83 at memory:2608
frame #3: 0x000000011c7fc1ad libblink_core.dylib`WTF::VectorDestructor<true, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> > >::destruct(std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*) [inlined] std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >::~unique_ptr(this=0x00001c59f16cc310) at memory:2576
frame #4: 0x000000011c7fc1ad libblink_core.dylib`WTF::VectorDestructor<true, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> > >::destruct(std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >*) [inlined] std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >::~unique_ptr(this=0x00001c59f16cc310) at memory:2576
frame #5: 0x000000011c7fc1ad libblink_core.dylib`WTF::VectorDestructor<true, std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> > >::destruct(begin=0x00001c59f16cc310, end=0x00001c59f16cc318) + 93 at Vector.h:86
frame #6: 0x000000011c7fc0bd libblink_core.dylib`WTF::VectorTypeOperations<std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> > >::destruct(begin=0x00001c59f16cc310, end=0x00001c59f16cc318) + 29 at Vector.h:302
frame #7: 0x000000011c7fc063 libblink_core.dylib`WTF::Vector<std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >, 0ul, WTF::PartitionAllocator>::finalize(this=0x0000700010f11298) + 131 at Vector.h:1220
frame #8: 0x000000011c7fbfd5 libblink_core.dylib`WTF::ConditionalDestructor<WTF::Vector<std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >, 0ul, WTF::PartitionAllocator>, false>::~ConditionalDestructor(this=0x0000700010f11298) + 21 at ConditionalDestructor.h:20
frame #9: 0x000000011c7fbfb5 libblink_core.dylib`WTF::Vector<std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >, 0ul, WTF::PartitionAllocator>::~Vector(this=0x0000700010f11298) + 21 at Forward.h:36
frame #10: 0x000000011c7fbdf5 libblink_core.dylib`WTF::Vector<std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >, 0ul, WTF::PartitionAllocator>::~Vector(this=0x0000700010f11298) + 21 at Forward.h:36
frame #11: 0x000000011caf9d9d libblink_core.dylib`blink::PropertyRegistration::registerProperty(scriptState=0x00002ccf9babfbc8, descriptor=0x0000700010f11c80, exceptionState=0x0000700010f11cb0) + 1981 at PropertyRegistration.cpp:168
frame #12: 0x000000011e4368a2 libblink_core.dylib`blink::DOMWindowCSSV8Internal::registerPropertyMethod(info=0x0000700010f11dc0) + 1922 at V8CSS.cpp:147
frame #13: 0x000000011e436115 libblink_core.dylib`blink::V8CSS::registerPropertyMethodCallback(info=0x0000700010f11dc0) + 21 at V8CSS.cpp:164
frame #14: 0x00000001177a8a62 libv8.dylib`v8::internal::FunctionCallbackArguments::Call(this=0x0000700010f11e48, f=(libblink_core.dylib`blink::V8CSS::registerPropertyMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&) at V8CSS.cpp:163))(v8::FunctionCallbackInfo<v8::Value> const&)) + 450 at api-arguments.cc:25
frame #15: 0x00000001178b9871 libv8.dylib`v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(isolate=0x000000012b84de00, function=<unavailable>, new_target=<unavailable>, fun_data=<unavailable>, receiver=<unavailable>, args=BuiltinArguments @ 0x0000700010f11ef0) + 1169 at builtins-api.cc:111
frame #16: 0x00000001178b7fa5 libv8.dylib`v8::internal::Builtin_Impl_HandleApiCall(args=BuiltinArguments @ 0x0000700010f11f30, isolate=0x000000012b84de00) + 453 at builtins-api.cc:140
frame #17: 0x0000095572a84264
frame #18: 0x0000095572bf43aa
frame #19: 0x0000095572b910cc
frame #20: 0x0000095572bf43aa
frame #21: 0x0000095572b910cc
frame #22: 0x0000095572a8647b
frame #23: 0x0000095572bf4578
frame #24: 0x0000095572b910cc
frame #25: 0x0000095572a8647b
frame #26: 0x0000095572bf4578
frame #27: 0x0000095572b910cc
frame #28: 0x0000095572a8647b
frame #29: 0x0000095572bf3a36
frame #30: 0x0000095572b910cc
frame #31: 0x0000095572a8647b
frame #32: 0x0000095572bf4578
frame #33: 0x0000095572b910cc
frame #34: 0x0000095572b8fa39
frame #35: 0x0000095572aae66d
frame #36: 0x0000000117ccacc5 libv8.dylib`v8::internal::(anonymous namespace)::Invoke(isolate=0x0000700010f11fc8, is_construct=<unavailable>, target=<unavailable>, receiver=<unavailable>, argc=0, args=<unavailable>, new_target=<unavailable>, message_handling=<unavailable>) + 1541 at execution.cc:145
frame #37: 0x0000000117cca556 libv8.dylib`v8::internal::(anonymous namespace)::CallInternal(isolate=0x000000012b84de00, callable=<unavailable>, receiver=<unavailable>, argc=<unavailable>, argv=<unavailable>, message_handling=<unavailable>) + 294 at execution.cc:181
frame #38: 0x0000000117cca425 libv8.dylib`v8::internal::Execution::Call(isolate=<unavailable>, callable=<unavailable>, receiver=<unavailable>, argc=<unavailable>, argv=<unavailable>) + 21 at execution.cc:191
frame #39: 0x00000001177bcd20 libv8.dylib`v8::Script::Run(this=0x000000012a82a270, context=<unavailable>) + 640 at api.cc:2024
frame #40: 0x000000011c6791df libblink_core.dylib`blink::V8ScriptRunner::runCompiledScript(isolate=0x000000012b84de00, script=(val_ = 0x000000012a82a270), context=0x000025c8966a2868) + 1279 at V8ScriptRunner.cpp:544
frame #41: 0x000000011c5abcd0 libblink_core.dylib`blink::ScriptController::executeScriptAndReturnValue(this=0x00002cf7f35c1b08, context=(val_ = 0x000000012a82a210), source=0x0000700010f13950, accessControlStatus=SharableCrossOrigin) + 1120 at ScriptController.cpp:135
frame #42: 0x000000011c5add4f libblink_core.dylib`blink::ScriptController::evaluateScriptInMainWorld(this=0x00002cf7f35c1b08, sourceCode=0x0000700010f13950, accessControlStatus=SharableCrossOrigin, policy=DoNotExecuteScriptWhenScriptsDisabled) + 431 at ScriptController.cpp:325
frame #43: 0x000000011c5adff2 libblink_core.dylib`blink::ScriptController::executeScriptInMainWorld(this=0x00002cf7f35c1b08, sourceCode=0x0000700010f13950, accessControlStatus=SharableCrossOrigin) + 82 at ScriptController.cpp:296
frame #44: 0x000000011cf25d63 libblink_core.dylib`blink::ScriptLoader::doExecuteScript(this=0x00003983757c56f8, sourceCode=0x0000700010f13950) + 3123 at ScriptLoader.cpp:773
frame #45: 0x000000011cf24c4f libblink_core.dylib`blink::ScriptLoader::executeScript(this=0x00003983757c56f8, sourceCode=0x0000700010f13950) + 47 at ScriptLoader.cpp:648
frame #46: 0x000000011cf234cb libblink_core.dylib`blink::ScriptLoader::prepareScript(this=0x00003983757c56f8, scriptStartPosition=0x0000700010f147e0, supportLegacyTypes=DisallowLegacyTypeInTypeAttribute) + 2875 at ScriptLoader.cpp:500
frame #47: 0x000000011d64d437 libblink_core.dylib`blink::HTMLParserScriptRunner::processScriptElementInternal(this=0x00003983757c5090, script=0x000025c8966a3938, scriptStartPosition=0x0000700010f147e0) + 1607 at HTMLParserScriptRunner.cpp:642
frame #48: 0x000000011d64ccbd libblink_core.dylib`blink::HTMLParserScriptRunner::processScriptElement(this=0x00003983757c5090, scriptElement=0x000025c8966a3938, scriptStartPosition=0x0000700010f147e0) + 285 at HTMLParserScriptRunner.cpp:406
frame #49: 0x000000011d6122c2 libblink_core.dylib`blink::HTMLDocumentParser::runScriptsForPausedTreeBuilder(this=0x00001d201d794480) + 338 at HTMLDocumentParser.cpp:291
frame #50: 0x000000011d617bb2 libblink_core.dylib`blink::HTMLDocumentParser::processTokenizedChunkFromBackgroundParser(this=0x00001d201d794480, popChunk=unique_ptr<blink::HTMLDocumentParser::TokenizedChunk, std::__1::default_delete<blink::HTMLDocumentParser::TokenizedChunk> > @ 0x0000700010f16508) + 4978 at HTMLDocumentParser.cpp:567
frame #51: 0x000000011d611ef3 libblink_core.dylib`blink::HTMLDocumentParser::pumpPendingSpeculations(this=0x00001d201d794480) + 1667 at HTMLDocumentParser.cpp:625
frame #52: 0x000000011d61e35c libblink_core.dylib`blink::HTMLDocumentParser::resumeParsingAfterPause(this=0x00001d201d794480) + 1356 at HTMLDocumentParser.cpp:1072
frame #53: 0x000000011d61e8d2 libblink_core.dylib`blink::HTMLDocumentParser::notifyScriptLoaded(this=0x00001d201d794480, pendingScript=0x00001d201d795cb0) + 514 at HTMLDocumentParser.cpp:1105
frame #54: 0x000000011d64c7c8 libblink_core.dylib`blink::HTMLParserScriptRunner::pendingScriptFinished(this=0x00003983757c5090, pendingScript=0x00001d201d795cb0) + 552 at HTMLParserScriptRunner.cpp:388
frame #55: 0x000000011cee251c libblink_core.dylib`blink::PendingScript::notifyFinished(this=0x00001d201d795cb0, resource=0x00001d201d795620) + 236 at PendingScript.cpp:212
frame #56: 0x00000001196b23f0 libblink_platform.dylib`blink::Resource::checkNotify(this=0x00001d201d795620) + 144 at Resource.cpp:367
frame #57: 0x00000001196b36c2 libblink_platform.dylib`blink::Resource::finish(this=0x00001d201d795620, loadFinishTime=26349.892137999999) + 306 at Resource.cpp:432
frame #58: 0x00000001196d2c98 libblink_platform.dylib`blink::ResourceFetcher::handleLoaderFinish(this=0x00001d201d792c08, resource=0x00001d201d795620, finishTime=26349.892137999999, type=DidFinishLoading) + 1736 at ResourceFetcher.cpp:1222
frame #59: 0x00000001196f3940 libblink_platform.dylib`blink::ResourceLoader::didFinishLoading(this=0x00003983757c52d8, finishTime=26349.892137999999, encodedDataLength=0, encodedBodyLength=97125) + 352 at ResourceLoader.cpp:433
frame #60: 0x0000000102887e30 libcontent.dylib`content::WebURLLoaderImpl::Context::OnCompletedRequest(this=0x0000000135a1b560, error_code=0, was_ignored_by_handler=false, stale_copy_in_cache=false, completion_time=0x0000700010f18aa0, total_transfer_size=0, encoded_body_size=97125) + 1824 at web_url_loader_impl.cc:871
frame #61: 0x0000000102888a97 libcontent.dylib`content::WebURLLoaderImpl::RequestPeerImpl::OnCompletedRequest(this=0x0000000135a1a160, error_code=0, was_ignored_by_handler=false, stale_copy_in_cache=false, completion_time=0x0000700010f18aa0, total_transfer_size=0, encoded_body_size=97125) + 119 at web_url_loader_impl.cc:1023
frame #62: 0x00000001027cbeda libcontent.dylib`content::ResourceDispatcher::OnRequestComplete(this=0x000000012965dd00, request_id=1, request_complete_data=0x0000700010f18e98) + 2410 at resource_dispatcher.cc:370
frame #63: 0x00000001027db526 libcontent.dylib`void base::DispatchToMethodImpl<content::ResourceDispatcher*, void (content::ResourceDispatcher::*)(int, content::ResourceRequestCompletionStatus const&), std::__1::tuple<int, content::ResourceRequestCompletionStatus> const&, 0ul, 1ul>(obj=0x0000700010f18db0, method=70 b5 7c 02 01 00 00 00 00 00 00 00 00 00 00 00, args=0x0000700010f18e90, (null)=IndexSequence<0, 1> @ 0x0000700010f18cb8)(int, content::ResourceRequestCompletionStatus const&), std::__1::tuple<int, content::ResourceRequestCompletionStatus> const&&&, base::IndexSequence<0ul, 1ul>) + 182 at tuple.h:91
frame #64: 0x00000001027db460 libcontent.dylib`void base::DispatchToMethod<content::ResourceDispatcher*, void (content::ResourceDispatcher::*)(int, content::ResourceRequestCompletionStatus const&), std::__1::tuple<int, content::ResourceRequestCompletionStatus> const&>(obj=0x0000700010f18db0, method=70 b5 7c 02 01 00 00 00 00 00 00 00 00 00 00 00, args=0x0000700010f18e90)(int, content::ResourceRequestCompletionStatus const&), std::__1::tuple<int, content::ResourceRequestCompletionStatus> const&&&) + 96 at tuple.h:98
frame #65: 0x00000001027db3bd libcontent.dylib`void IPC::DispatchToMethod<content::ResourceDispatcher, void (content::ResourceDispatcher::*)(int, content::ResourceRequestCompletionStatus const&), void, std::__1::tuple<int, content::ResourceRequestCompletionStatus> >(obj=0x000000012965dd00, method=70 b5 7c 02 01 00 00 00 00 00 00 00 00 00 00 00, (null)=0x0000000000000000, tuple=0x0000700010f18e90)(int, content::ResourceRequestCompletionStatus const&), void*, std::__1::tuple<int, content::ResourceRequestCompletionStatus> const&) + 109 at ipc_message_templates.h:26
frame #66: 0x00000001027cff3f libcontent.dylib`bool IPC::MessageT<ResourceMsg_RequestComplete_Meta, std::__1::tuple<int, content::ResourceRequestCompletionStatus>, void>::Dispatch<content::ResourceDispatcher, content::ResourceDispatcher, void, void (msg=0x0000000135a205b8, obj=0x000000012965dd00, sender=0x000000012965dd00, parameter=0x0000000000000000, func=70 b5 7c 02 01 00 00 00 00 00 00 00 00 00 00 00)(int, content::ResourceRequestCompletionStatus const&)>(IPC::Message const*, content::ResourceDispatcher*, content::ResourceDispatcher*, void*, void (content::ResourceDispatcher::*)(int, content::ResourceRequestCompletionStatus const&)) + 527 at ipc_message_templates.h:121
frame #67: 0x00000001027c82b5 libcontent.dylib`content::ResourceDispatcher::DispatchMessage(this=0x000000012965dd00, message=0x0000000135a205b8) + 2101 at resource_dispatcher.cc:530
frame #68: 0x00000001027c6d48 libcontent.dylib`content::ResourceDispatcher::OnMessageReceived(this=0x000000012965dd00, message=0x0000000135a205b8) + 648 at resource_dispatcher.cc:134
frame #69: 0x00000001027deffd libcontent.dylib`content::ResourceSchedulingFilter::DispatchMessage(this=0x0000000129538890, message=0x0000000135a205b8) + 93 at resource_scheduling_filter.cc:74
frame #70: 0x00000001027e05a7 libcontent.dylib`void base::internal::FunctorTraits<void (content::ResourceSchedulingFilter::*)(IPC::Message const&), void>::Invoke<base::WeakPtr<content::ResourceSchedulingFilter> const&, IPC::Message const&>(method=a0 ef 7d 02 01 00 00 00 00 00 00 00 00 00 00 00, receiver_ptr=0x0000000135a205a8, args=0x0000000135a205b8)(IPC::Message const&), base::WeakPtr<content::ResourceSchedulingFilter> const&&&, IPC::Message const&&&) + 151 at bind_internal.h:214
frame #71: 0x00000001027e0455 libcontent.dylib`void base::internal::InvokeHelper<true, void>::MakeItSo<void (functor=0x0000000135a20598, weak_ptr=0x0000000135a205a8, args=0x0000000135a205b8)(IPC::Message const&), base::WeakPtr<content::ResourceSchedulingFilter> const&, IPC::Message const&>(void (content::ResourceSchedulingFilter::* const&&&)(IPC::Message const&), base::WeakPtr<content::ResourceSchedulingFilter> const&&&, IPC::Message const&&&) + 117 at bind_internal.h:305
frame #72: 0x00000001027e03d9 libcontent.dylib`void base::internal::Invoker<base::internal::BindState<void (content::ResourceSchedulingFilter::*)(IPC::Message const&), base::WeakPtr<content::ResourceSchedulingFilter>, IPC::Message>, void ()>::RunImpl<void (functor=0x0000000135a20598, bound=0x0000000135a205a8, (null)=IndexSequence<0, 1> @ 0x0000700010f19b70)(IPC::Message const&), std::__1::tuple<base::WeakPtr<content::ResourceSchedulingFilter>, IPC::Message> const&, 0ul, 1ul>(void (content::ResourceSchedulingFilter::* const&&&)(IPC::Message const&), std::__1::tuple<base::WeakPtr<content::ResourceSchedulingFilter>, IPC::Message> const&&&, base::IndexSequence<0ul, 1ul>) + 105 at bind_internal.h:361
frame #73: 0x00000001027e02fc libcontent.dylib`base::internal::Invoker<base::internal::BindState<void (content::ResourceSchedulingFilter::*)(IPC::Message const&), base::WeakPtr<content::ResourceSchedulingFilter>, IPC::Message>, void ()>::Run(base=0x0000000135a20570) + 44 at bind_internal.h:339
frame #74: 0x000000010dc36b0f libbase.dylib`base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run(this=0x0000700010f1a358) + 95 at callback.h:91
frame #75: 0x000000010dc36850 libbase.dylib`base::debug::TaskAnnotator::RunTask(this=0x000000012966dc40, queue_function="TaskQueueManager::PostTask", pending_task=0x0000700010f1a340) + 1024 at task_annotator.cc:59
frame #76: 0x00000001193ad44a libblink_platform.dylib`blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(this=0x000000012966db90, work_queue=0x00000001294dd150, is_nested=false, time_before_task=LazyNow @ 0x0000700010f1a208, time_after_task=0x0000700010f1a6c0) + 2138 at task_queue_manager.cc:539
frame #77: 0x00000001193a750e libblink_platform.dylib`blink::scheduler::TaskQueueManager::DoWork(this=0x000000012966db90, delayed=false) + 2302 at task_queue_manager.cc:337
frame #78: 0x00000001193b6a4f libblink_platform.dylib`void base::internal::FunctorTraits<void (blink::scheduler::TaskQueueManager::*)(bool), void>::Invoke<base::WeakPtr<blink::scheduler::TaskQueueManager> const&, bool const&>(method=10 6c 3a 19 01 00 00 00 00 00 00 00 00 00 00 00, receiver_ptr=0x000000012966e818, args=0x000000012966e828)(bool), base::WeakPtr<blink::scheduler::TaskQueueManager> const&&&, bool const&&&) + 159 at bind_internal.h:214
frame #79: 0x00000001193b68f5 libblink_platform.dylib`void base::internal::InvokeHelper<true, void>::MakeItSo<void (functor=0x000000012966e808, weak_ptr=0x000000012966e818, args=0x000000012966e828)(bool), base::WeakPtr<blink::scheduler::TaskQueueManager> const&, bool const&>(void (blink::scheduler::TaskQueueManager::* const&&&)(bool), base::WeakPtr<blink::scheduler::TaskQueueManager> const&&&, bool const&&&) + 117 at bind_internal.h:305
frame #80: 0x00000001193b6879 libblink_platform.dylib`void base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(bool), base::WeakPtr<blink::scheduler::TaskQueueManager>, bool>, void ()>::RunImpl<void (functor=0x000000012966e808, bound=0x000000012966e818, (null)=IndexSequence<0, 1> @ 0x0000700010f1ae90)(bool), std::__1::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>, bool> const&, 0ul, 1ul>(void (blink::scheduler::TaskQueueManager::* const&&&)(bool), std::__1::tuple<base::WeakPtr<blink::scheduler::TaskQueueManager>, bool> const&&&, base::IndexSequence<0ul, 1ul>) + 105 at bind_internal.h:361
frame #81: 0x00000001193b679c libblink_platform.dylib`base::internal::Invoker<base::internal::BindState<void (blink::scheduler::TaskQueueManager::*)(bool), base::WeakPtr<blink::scheduler::TaskQueueManager>, bool>, void ()>::Run(base=0x000000012966e7e0) + 44 at bind_internal.h:339
frame #82: 0x000000010dc36b0f libbase.dylib`base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run(this=0x0000700010f1b628) + 95 at callback.h:91
frame #83: 0x000000010dc36850 libbase.dylib`base::debug::TaskAnnotator::RunTask(this=0x00000001294b4350, queue_function="MessageLoop::PostTask", pending_task=0x0000700010f1b610) + 1024 at task_annotator.cc:59
frame #84: 0x000000010dd2352e libbase.dylib`base::MessageLoop::RunTask(this=0x00000001294b4220, pending_task=0x0000700010f1b610) + 894 at message_loop.cc:423
Apr 3 2017
Inspecting frame 11, I get
(lldb) frame variable cssInterpolationTypes
(blink::CSSInterpolationTypes) cssInterpolationTypes = {
WTF::VectorBuffer<std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >, 0, WTF::PartitionAllocator> = {
WTF::VectorBufferBase<std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >, false, WTF::PartitionAllocator> = {
m_buffer = 0x00001c59f16cc310
m_capacity = 4
m_size = 1
}
}
}
(lldb) frame variable *cssInterpolationTypes.m_buffer
(std::__1::unique_ptr<blink::CSSInterpolationType, std::__1::default_delete<blink::CSSInterpolationType> >) *cssInterpolationTypes.m_buffer = {
__ptr_ = {
std::__1::__libcpp_compressed_pair_imp<blink::CSSInterpolationType *, std::__1::default_delete<blink::CSSInterpolationType>, 2> = {
__first_ = 0x0000000000000000
}
}
}
Apr 3 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fb80b96a036920cd61a7e2cea33a1e797bc96816
commit fb80b96a036920cd61a7e2cea33a1e797bc96816
Author: meade <meade@chromium.org>
Date: Mon Apr 03 12:13:39 2017
Add a virtual destructor for InterpolationType
Without this, in some cases we get Illegal Instruction crashes.
BUG= 702695
Review-Url: https://codereview.chromium.org/2790083002
Cr-Commit-Position: refs/heads/master@{#461410}
[modify] https://crrev.com/fb80b96a036920cd61a7e2cea33a1e797bc96816/third_party/WebKit/Source/core/animation/InterpolationType.h
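The root cause named in this commit, as an added example that is not Chromium code: a simplified hypothetical hierarchy (InterpolationTypeBefore / InterpolationTypeAfter / CSSInterpolationTypeAfter are stand-ins, not the real classes) showing the non-virtual base destructor as the "before" shape, the virtual destructor as the fix, and a deleter that turns deletion through a base without a virtual destructor into a compile error instead of a runtime trap during Vector teardown.

```cpp
// Added example (not Chromium code): why a non-virtual base destructor breaks
// teardown of a vector of unique_ptr<Base>, and a compile-time guard for it.
#include <memory>
#include <string>
#include <type_traits>
#include <vector>

// "Before" shape (hypothetical): a polymorphic base whose destructor is not
// virtual. Deleting a derived object through a pointer to this base is
// undefined behaviour; in practice only the base destructor runs and the
// derived part is never torn down.
struct InterpolationTypeBefore {
  virtual std::string Name() const = 0;
  ~InterpolationTypeBefore() = default;  // NOT virtual: the defect
};

// "After" shape (hypothetical): the fix from the commit, a virtual destructor.
struct InterpolationTypeAfter {
  virtual std::string Name() const = 0;
  virtual ~InterpolationTypeAfter() = default;
};

// Hypothetical derived type standing in for CSSInterpolationType. It owns
// heap state and bumps a counter when destroyed so teardown can be observed.
struct CSSInterpolationTypeAfter : InterpolationTypeAfter {
  explicit CSSInterpolationTypeAfter(int* counter) : counter_(counter) {}
  std::string Name() const override { return "css"; }
  ~CSSInterpolationTypeAfter() override { ++*counter_; }
  int* counter_;
  std::string owned_ = "heap state that must be released on teardown";
};

// Guard: a deleter that refuses to compile for a base without a virtual
// destructor. A unique_ptr<InterpolationTypeBefore, PolymorphicDelete<...>>
// therefore cannot be formed, which catches this class of bug at build time.
template <class Base>
struct PolymorphicDelete {
  static_assert(std::has_virtual_destructor<Base>::value,
                "deleting through this base requires a virtual destructor");
  void operator()(Base* p) const { delete p; }
};

template <class Base>
using PolymorphicPtr = std::unique_ptr<Base, PolymorphicDelete<Base>>;

// Compile-time evidence distinguishing the two shapes.
constexpr bool kBeforeHasVirtualDtor =
    std::has_virtual_destructor<InterpolationTypeBefore>::value;  // false
constexpr bool kAfterHasVirtualDtor =
    std::has_virtual_destructor<InterpolationTypeAfter>::value;  // true

// Builds a vector of owning base pointers (the shape of cssInterpolationTypes
// in registerProperty), lets it go out of scope, and returns how many derived
// destructors actually ran. With the fixed base this equals n.
int DestroyedThroughBase(int n) {
  int destroyed = 0;
  {
    std::vector<PolymorphicPtr<InterpolationTypeAfter>> types;
    for (int i = 0; i < n; ++i)
      types.emplace_back(new CSSInterpolationTypeAfter(&destroyed));
  }  // vector teardown deletes every element through InterpolationTypeAfter*
  return destroyed;
}

int main() { return DestroyedThroughBase(3) == 3 ? 0 : 1; }
```

Both clang and GCC also flag the "before" shape with -Wnon-virtual-dtor (and the actual deleting site with -Wdelete-non-virtual-dtor), which is the cheaper check to turn on tree-wide.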
Apr 3 2017
CSS.registerProperty() is still behind the experimental flag, no merge required.
Apr 4 2017
Apr 9 2017
ClusterFuzz has detected this issue as fixed in range 458746:463137.
Detailed report: https://clusterfuzz.com/testcase?key=5305075435307008
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Ill
Crash Address: 0x000110e684dd
Crash State:
blink::PropertyRegistration::registerProperty
blink::V8CSS::registerPropertyMethodCallback
v8::internal::FunctionCallbackArguments::Call
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=453380:453417
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=458746:463137
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96VYbS2Hiek7pd2JSsegjyFggsbgHqkIzd8hdEzxVl2ghpiIIdqBEd3R0c6qMUftXXXCZqoN7Sfj_oZLD5b2s6PNwF7_jLB9tM4rs4Ixh04pLo1vvF_JV_-XD96nzFGPcaKpGVGfTNRgUtXoogpDOxSR_k754nXp3gnjHG1MC5iV8bp1i8qnmwaHXrSAU9teUgmk3C-XHrM-tZMJdvIOPOPyBypJwIPwX0SYMak8AIeJV-eD_dnalss_rSoAgUuuABrnZIeRTM8ioL2iIVSnRXt5xTN1ofZiZ8aSH7srOr8P810RcN_27lsgQ2yorehiKatXUaox7HzfeSEI4qwwZNTHg58HBk1odW7os854_eukQALo94?testcase_id=5305075435307008
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 9 2017
ClusterFuzz testcase 5305075435307008 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Apr 9 2017
Jul 16 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Mar 17 2017
Labels: M-57
Owner: dcheng@chromium.org
Status: Assigned (was: Untriaged)