This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The range is from June of 2016, so this wasn't a recent regression.

In the older stack trace, we see "Uninitialized value was created by an allocation of permission_status in the stack frame of function blink::NotificationManager::GetPermissionStatus(blink::ExecutionContext*)"

Maybe rather than just DCHECK(result) we should also set the permission status to block if the call fails?
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/modules/notifications/NotificationManager.cpp?l=55&rcl=64baf346da1faee0f9779b681c67f74c810dfe5b

Suspecting https://chromium.googlesource.com/chromium/src/+/f28cb7f78b2f5df0d02ccdfa430edf5e304dfcdd which introduced Blink notification service.

peter@, can you please take a look? Thanks.

What I'm not clear on is why the Mojo call would fail. It's a sync call to an interface that should always be available. Is it possible that the call's somehow being made during shutdown?

I guess we can just return mojom::blink::PermissionStatus::DENIED if the Mojo call fails. I'm going to assume this can wait until next week given that none of this has changed much in the past year.

Re #8: I'm not positive that the mojo call is failing or the culprit here, but looking at the repro, I think the call immediately preceding the Notification call is a close() on the tab. 

Why not? It's a synchronous call, so unless it fails (in which case it returns `false`) the value should always be written.

I've sent you the following CL:
    https://codereview.chromium.org/2847433002

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1fbce15166ac6fdbd967a1249375afdbd711de8e

commit 1fbce15166ac6fdbd967a1249375afdbd711de8e
Author: peter <peter@chromium.org>
Date: Wed Apr 26 18:50:08 2017

Gracefully handle failed Mojo calls in the NotificationManager

This continues to be an unexpected failure so we keep the DCHECK, but
now with a predefined return value to handle this.

BUG= 713545 

Review-Url: https://codereview.chromium.org/2847433002
Cr-Commit-Position: refs/heads/master@{#467396}

[modify] https://crrev.com/1fbce15166ac6fdbd967a1249375afdbd711de8e/third_party/WebKit/Source/modules/notifications/NotificationManager.cpp

I'm going to close this without requesting merge - please reopen if you disagree. If somebody were to abuse this, worst that could happen is that we send an IPC to the browser process requesting a notification to be shown, at which point we bail out (w/ a bad_message notification) in the browser process:

https://cs.chromium.org/chromium/src/content/browser/notifications/notification_message_filter.cc?dr=CSs&l=156

My theory is that this can't happen anyway unless the renderer is already being shut down, so there is no risk and user impact is nihil.

ClusterFuzz has detected this issue as fixed in range 467381:467403.

Detailed report: https://clusterfuzz.com/testcase?key=6650635488591872

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::Notification::PrepareShow
  blink::TimerBase::RunInternal
  base::debug::TaskAnnotator::RunTask
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=397683:397703
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_chrome&range=467381:467403

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6650635488591872


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot