Use-after-poison in blink::probe::breakableLocation
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4669918340710400
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7eef3694b5d0
Crash State:
  blink::probe::breakableLocation
  blink::Element::setInnerHTML
  blink::V8Element::innerHTMLAttributeSetterCallback
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=467489:467546
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4669918340710400
Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
May 1 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 1 2017
,
May 1 2017
,
May 2 2017
looks like inspector code to me
,
May 2 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 3 2017
I can't repro this and can't open the case (lacking permissions)
,
May 4 2017
That seems odd. Anyone with an @chromium.org account has access, though you might be prompted to sign in first. What's the exact error?
,
May 5 2017
Upload test case (https://clusterfuzz.com/download?testcase_id=4669918340710400) as an attachment.
,
May 5 2017
,
May 18 2017
pfeldman: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
May 23 2017
The test attached fails, but there is no crash observed.
,
Jun 1 2017
mbarbella: Uh oh! This issue still open and hasn't been updated in the last 26 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 1 2017
With the testcase here, I got a different crash stacktrace that is identical to the one in #722096. Running `/google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 4669918340710400` reproduces the crash in #722096. Where do we go from here?
,
Jun 2 2017
Sev sec high == RB-Stable, +security TPM(s) in case they disagree. Can we please stop applying RB-Beta to these bugs and start applying RB-Stable instead, since the security team has never asked us to block beta on sev sec high?
,
Jun 3 2017
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 5 2017
mbarbella@, how do I stop fighting with SheriffBot here?
,
Jun 6 2017
,
Jun 29 2017
Getting this back into the sheriff's queue for now, but will take a look to see if this is still happening.
,
Jun 29 2017
The test case in CF won't work as-is since it depends on a resource from the layout tests (this is a bug), but even with that resolved locally I haven't been able to repro this in any build. CF still thinks it's happening, and it appears to be reproducing properly on the bots, but given that it's in inspector code and there should be some interaction required for this to happen in a non-test scenario, I think we can downgrade the severity. I'm attaching the test case I was trying to repro with so anyone who takes a look at this later doesn't need to hack it together.
,
Jun 30 2017
,
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
,
Oct 4 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/95862a52c7bc1a5846259619243289805d095b70 (Store nonAttachedStyle on NodeLayoutData instead of on HashMap in Document.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
,
Oct 4 2017
My patch was reverted. This isn't me
,
Oct 13 2017
Adding myself to see CF results page.
,
Oct 13 2017
I tried running the testcase locally, but cannot reproduce the crash. I also tried the command line tanin@ described in comment #14, but it didn't work with "--current" (i.e. uses the current code to build content_shell), and without "--current" I got the same result as tanin@, which points to the already fixed issue 722096. I am trying "REDO TASK" on the ClusterFuzz page to see if it is "Fixed" now.
,
Oct 16 2017
Hmm, clusterfuzz still can reproduce on the latest tree.
,
Oct 26 2017
As the crashing point is in probe::breakableLocation(), forwarding to the devtools team to look at this.
#10 0xb7f877a in blink::probe::breakableLocation(blink::ExecutionContext*, char const*) out/Release/gen/blink/core/CoreProbesImpl.cpp:1090
#11 0x9e3ff28 in blink::Element::setInnerHTML(WTF::String const&, blink::ExceptionState&) third_party/WebKit/Source/core/dom/Element.cpp:2901:3
#12 0x8b1b009 in innerHTMLAttributeSetter out/Release/gen/blink/bindings/core/v8/V8Element.cpp:318:9
#13 0x8b1b009 in blink::V8Element::innerHTMLAttributeSetterCallback(v8::FunctionCallbackInfo<v8::Value> const&) out/Release/gen/blink/bindings/core/v8/V8Element.cpp:2092
,
Oct 27 2017
Oops, I meant to narrow the Components field to Platform>DevTools>JavaScript in the previous comment.
,
Nov 7 2017
,
Nov 7 2017
,
Nov 27 2017
,
Nov 27 2017
,
Nov 29 2017
I reproduced it in ToT. The root of the issue:
- we iterate through inspector agents in probe code [1],
- the debugger agent triggers a requested pause,
- the fuzzer test calls InspectorTest.completeTest, which destroys everything around,
- execution is resumed, but further iteration through the list of DOM debugger agents produces a crash.
I believe that I can reproduce this crash without the fuzzer by navigating the page.
[1] https://cs.chromium.org/chromium/src/out/Debug/gen/blink/core/CoreProbesImpl.cpp?rcl=16239809868cdf2af36e5992d515191ad14bc412&l=1490
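The failure mode described in the comment above (a dispatch loop over a list of agents that is re-entered by a callback which tears the agents down, after which the loop keeps walking freed storage) can be illustrated with a small stand-alone C++ program. This is an added example, not Blink code: the `Agent`, `AgentRegistry`, `DispatchBreakableLocation` and `RunReentrantTeardownScenario` names are hypothetical stand-ins, and `std::shared_ptr`/`std::weak_ptr` model Oilpan ownership. It shows the defensive pattern of snapshotting weak handles before dispatch and re-checking liveness after every callback, so agents destroyed mid-iteration are skipped rather than touched.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Hypothetical stand-in for a DOM debugger agent (assumption: not a Blink type).
struct Agent {
    // Invoked for each breakable location; in the real bug this is where a
    // debugger pause runs script that can re-enter the registry.
    std::function<void()> on_breakable_location;
    int notifications = 0;
};

// Hypothetical registry of agents attached to one execution context.
class AgentRegistry {
public:
    std::shared_ptr<Agent> Add() {
        auto agent = std::make_shared<Agent>();
        agents_.push_back(agent);
        return agent;
    }

    // Models "completeTest destroys everything": every strong owner is dropped.
    void DestroyAll() { agents_.clear(); }

    struct DispatchResult {
        int notified;           // agents that were alive and got the probe
        int skipped_destroyed;  // agents destroyed by an earlier callback
    };

    // Hardened dispatch. The naive form iterates agents_ directly, so once a
    // callback clears the container the iterator walks freed (ASan-poisoned)
    // memory. Instead: take a snapshot of weak handles, and lock each one only
    // at the moment it is used, holding a strong ref for the callback's duration.
    DispatchResult DispatchBreakableLocation() {
        std::vector<std::weak_ptr<Agent>> snapshot(agents_.begin(), agents_.end());
        DispatchResult result{0, 0};
        for (auto& weak : snapshot) {
            std::shared_ptr<Agent> agent = weak.lock();
            if (!agent) {
                // Destroyed by a previous callback: skip instead of dereferencing.
                ++result.skipped_destroyed;
                continue;
            }
            ++result.notified;
            ++agent->notifications;
            if (agent->on_breakable_location) agent->on_breakable_location();
        }
        return result;
    }

private:
    std::vector<std::shared_ptr<Agent>> agents_;
};

struct ScenarioOutcome {
    int notified;
    int skipped_destroyed;
    int first_agent_notifications;
};

// Constructed scenario mirroring the bug: three agents, and the first agent's
// callback tears the whole registry down while dispatch is still in progress.
ScenarioOutcome RunReentrantTeardownScenario() {
    AgentRegistry registry;
    std::shared_ptr<Agent> first = registry.Add();
    std::shared_ptr<Agent> second = registry.Add();
    std::shared_ptr<Agent> third = registry.Add();
    first->on_breakable_location = [&registry] { registry.DestroyAll(); };
    // Drop our own strong refs so DestroyAll() really frees the second and third.
    second.reset();
    third.reset();

    AgentRegistry::DispatchResult r = registry.DispatchBreakableLocation();
    return ScenarioOutcome{r.notified, r.skipped_destroyed, first->notifications};
}

int main() {
    ScenarioOutcome o = RunReentrantTeardownScenario();
    std::printf("notified=%d skipped_destroyed=%d first_agent_notifications=%d\n",
                o.notified, o.skipped_destroyed, o.first_agent_notifications);
    return 0;
}
```

The first agent is still notified exactly once because the loop holds its own strong reference while its callback runs; the two agents freed by that callback show up as expired weak handles and are skipped, which is the behaviour the original list-walking code lacked.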
,
Dec 22 2017
ClusterFuzz has detected this issue as fixed in range 525850:525852.
Detailed report: https://clusterfuzz.com/testcase?key=4669918340710400
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Use-after-poison READ 8
Crash Address: 0x7eef3694b5d0
Crash State:
  blink::probe::breakableLocation
  blink::Element::setInnerHTML
  blink::V8Element::innerHTMLAttributeSetterCallback
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=467489:467546
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=525850:525852
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4669918340710400
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Dec 22 2017
ClusterFuzz testcase 4669918340710400 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Dec 22 2017
,
Mar 30 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot