
Issue 727094


Issue metadata

Status: Duplicate
Owner:
Closed: Jun 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android , Mac
Pri: 1
Type: Bug




Null-dereference READ in v8::internal::GlobalHandles::MakeWeak

Project Member Reported by ClusterFuzz, May 28 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4829301781561344

Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  blink::ScriptWrappable::SetWrapper
  blink::DOMDataStore::SetWrapper
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=474583:474657

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4829301781561344


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Comment 1 by ClusterFuzz (Project Member), May 28 2017

Labels: OS-Android
Components: Blink>JavaScript
Labels: Test-Predator-Wrong-CLs M-60

Comment 3 by ishell@chromium.org, May 29 2017

Cc: hpayer@chromium.org u...@chromium.org
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Assigning to memory sheriff for investigating.

Comment 4 by u...@chromium.org, May 29 2017

Looks like a Blink bindings regression.
Cc: jgruber@chromium.org
Owner: bashi@chromium.org
Suspecting https://chromium-review.googlesource.com/c/514923/ from the CL range and stack trace, bashi@ PTAL.

Comment 6 by bashi@chromium.org, May 30 2017

Cc: bashi@chromium.org
Owner: yukishiino@chromium.org
I don't think my change caused the regression. The CL only added forward declarations for generated code and it wouldn't change existing behavior.

Assigning to yukishiino@ for triage.
Among 7 suspected CLs that clusterfuzz suggested, the following CL of ulan@ looks most relevant.
https://chromium.googlesource.com/v8/v8.git/+/a6da98d86ffab7e1e50319ed12b57fcb366e24ee

ulan@, could you let me know what this CL is doing?  I know nothing about "new phantom weakness".  Does Blink need to change something?  Could the CL be related to this issue?

The bisection range from the clusterfuzz report doesn't include ulan's CL:

https://chromium.googlesource.com/chromium/src/+log/d9e6b495633f4f1382309dff618aa41af04413ee..4e14abaffe591610d0c3ab3744a18082b51eba84

I'm not sure clusterfuzz's suspected CLs make sense here as they only check last modifications to the source code at the top stack frames, irrespective of the actual bisected CL range.
Ah, I see.  Let me take a closer look.
Comment 10 by ClusterFuzz (Project Member), Jun 2 2017

ClusterFuzz has detected this issue as fixed in range 476262:476271.

Detailed report: https://clusterfuzz.com/testcase?key=4829301781561344

Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  blink::ScriptWrappable::SetWrapper
  blink::DOMDataStore::SetWrapper
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=474583:474657
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=476262:476271

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4829301781561344


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11 by ClusterFuzz (Project Member), Jun 2 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4829301781561344 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 12 by u...@chromium.org, Jun 6 2017

Issue 729390 has been merged into this issue.

Comment 13 by u...@chromium.org, Jun 6 2017

Status: Assigned (was: Verified)
yukishiino@, did you land a fix in 476262:476271, or did clusterfuzz@ incorrectly close this issue?
Mergedinto: 714130
Status: Duplicate (was: Assigned)
I didn't land a fix.  I think that the issue has never been reliably reproducible in the first place, so I wouldn't say that clusterfuzz@ *incorrectly* closed this issue, either.

Anyway, I think that this is a dupe of Issue 714130.

Issue 733492 has been merged into this issue.
Issue 731912 has been merged into this issue.
