Couldn't (1) be due to a source change? Why do you think CFI itself broke?

(2) is addressed by thinlto, tracked in  issue 660216 .

Regarding (1), We didn't see sandbox::bpf_dsl across any other sanitizer builds stacktraces, only happening in CFI builds. So, suspecting something is wrong there.

Thanks for link to (2)

I think this is a bad cast in libstdc++. Here is the relevant code in shared_ptr_base.h:

      template<typename... _Args>
        _Sp_counted_ptr_inplace(_Alloc __a, _Args&&... __args)
        : _M_impl(__a)
        {
          _M_impl._M_ptr = static_cast<_Tp*>(static_cast<void*>(&_M_storage)); // <<< line 396 here
          // _GLIBCXX_RESOLVE_LIB_DEFECTS
          // 2070.  allocate_shared should use allocator_traits<A>::construct
          allocator_traits<_Alloc>::construct(__a, _M_impl._M_ptr,
              std::forward<_Args>(__args)...); // might throw
        }

This code appears to be casting an uninitialized storage pointer and then constructing an object over it (see http://cplusplus.github.io/LWG/lwg-active.html#2070 if you are curious why). I guess that bpf_dsl is the only user of shared_ptr that happens to call this ctor.

I will add a blacklist entry for the ctor.

http://chromium-cpp.appspot.com/ bans shared_ptr, why does that code use it :-/

Because this is an issue with the standard library I have added the blacklist entry to LLVM's CFI blacklist in r302272. So this is now blocked on the next clang roll.

> why does that code use it

So sandbox/linux could be reused more easily outside of Chromium.

 Issue 716983  has been merged into this issue.

 Issue 722031  has been merged into this issue.

 Issue 723209  has been merged into this issue.
 Issue 723212  has been merged into this issue.
 Issue 723215  has been merged into this issue.

 Issue 723269  has been merged into this issue.
 Issue 723270  has been merged into this issue.
 Issue 723271  has been merged into this issue.
 Issue 723273  has been merged into this issue.
 Issue 723275  has been merged into this issue.
 Issue 723277  has been merged into this issue.
 Issue 723281  has been merged into this issue.
 Issue 723282  has been merged into this issue.

Dont understand how this firehose lighted up today, too many such reports, disabling the entire signature on ClusterFuzz.

ClusterFuzz testcase 4856354354495488 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

 Issue 723304  has been merged into this issue.
 Issue 723329  has been merged into this issue.
 Issue 723333  has been merged into this issue.
 Issue 723341  has been merged into this issue.
 Issue 723343  has been merged into this issue.
 Issue 723349  has been merged into this issue.
 Issue 723403  has been merged into this issue.
 Issue 723425  has been merged into this issue.
 Issue 723441  has been merged into this issue.
 Issue 723443  has been merged into this issue.
 Issue 723457  has been merged into this issue.
 Issue 723471  has been merged into this issue.
 Issue 723476  has been merged into this issue.
 Issue 723486  has been merged into this issue.
 Issue 723512  has been merged into this issue.
 Issue 723521  has been merged into this issue.
 Issue 723527  has been merged into this issue.
 Issue 723571  has been merged into this issue.
 Issue 723596  has been merged into this issue.
 Issue 723666  has been merged into this issue.

 Issue 723675  has been merged into this issue.

 Issue 723715  has been merged into this issue.
 Issue 723716  has been merged into this issue.
 Issue 723717  has been merged into this issue.
 Issue 723718  has been merged into this issue.
 Issue 723722  has been merged into this issue.

 Issue 723726  has been merged into this issue.

c#16, c#16, c#19, were all due to bad dcheck enabling everywhere.

All other sanitizer builders have caught up with the revert of dchecks

Peter, please fix CFI builder soon so that revert cl is uptaken.
https://chromium.googlesource.com/chromium/src/+/8cc767cb0d1c65af6d5a36858c9633c929b7e4cd

gab for comment 22

https://codereview.chromium.org/2892643002/ should fix the CFI bots.

 Issue 723771  has been merged into this issue.
 Issue 723773  has been merged into this issue.
 Issue 723774  has been merged into this issue.
 Issue 723775  has been merged into this issue.
 Issue 723776  has been merged into this issue.
 Issue 723777  has been merged into this issue.
 Issue 723778  has been merged into this issue.
 Issue 723780  has been merged into this issue.

Is this the same as  issue 723758 ?

No, this is a separate issue that was made more visible by the enabling of DCHECKs.

I see, so enabling DCHECKs helped find a real issue in this case?

We already knew about this issue. Just that crashing in DCHECKS in more places caused this to happen a lot more often.

 Issue 723884  has been merged into this issue.
 Issue 723911  has been merged into this issue.
 Issue 723914  has been merged into this issue.

FYI, r303273 has been rolled as per https://codereview.chromium.org/2884383004

Roll worked.

Roll is reverted, reopening till it relands.

Looks like roll worked this time.

ClusterFuzz testcase 6719543983734784 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.