This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

aboxhall, could you please take a look and see if this is related to https://chromium.googlesource.com/chromium/src/+/58a3e83e1325c8a366941564ca8ce096bb1345df?

Also cc hayato in case it's related to https://chromium.googlesource.com/chromium/src/+/933dc3199a9418e3c5b1d14d681d976867e8e4f9

ClusterFuzz has detected this issue as fixed in range 480271:480432.

Detailed report: https://clusterfuzz.com/testcase?key=5350335169429504

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x7e8c3d224798
Crash State:
  blink::HTMLSlotElement::LazyReattachDistributedNodesIfNeeded
  blink::SlotAssignment::ResolveDistribution
  blink::Node::RecalcDistribution
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=474583:474657
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=480271:480432

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5350335169429504


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5350335169429504 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M60 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Approving merge to M60. 

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Hi aboxhall@ - any ideas what in 61 might have fixed this, and is worth a merge to 60?  (If not we can remove the merge tags) 

Please merge this to M60 ASAP. branch:3112

Removing labels as we don't have an identified fix to merge.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot