srirama: do you mind taking a look at this and retriaging if necessary? Thanks!

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The regressed range doesn't point anything related to the callstack. I will check the test case and see if the issue is reproducible locally.

This seems related to  bug 738944  but looking at the stack, I too can't find anything relevant. I looked at the crash and it seems to be a lifetime issue with WebAudioSourceProvider being owned by WMPI but reset by the wrapper in HTMLMediaElement. It seems that such a design would trigger lifetime management issue but I can't find any recent CL so there might have been some safeguard or some code somewhere that changed and created this crash.

rtoy@, dalecurtis@, is this something you have some background on?

rtoy: Uh oh! This issue still open and hasn't been updated in the last 16 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Left a comment on  issue 738944 ; which is a dupe of this issue. I don't think this is WebAudio related; somehow we're invoking load algorithm back to back with an active WMP instance.

https://bugs.chromium.org/p/chromium/issues/detail?id=738944#c6

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 537260:537261.

Detailed report: https://clusterfuzz.com/testcase?key=4980607296995328

Fuzzer: inferno_layout_test_fuzzer
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x2291a5f5bc60
Crash State:
  Bad-cast to blink::WebAudioSourceProvider from invalid vptr
  blink::HTMLMediaElement::AudioSourceProviderImpl::Wrap
  blink::HTMLMediaElement::StartPlayerLoad
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=479114:479272
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=537260:537261

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4980607296995328

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.