Issue metadata
Title: Bad-cast to blink::WebView from invalid vptr; test_runner::TestRunnerForSpecificView::Reset; test_runner::WebViewTestProxyBase::Reset
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6739911901446144
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x07fb8a0c4600
Crash State:
  Bad-cast to blink::WebView from invalid vptr
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::WebViewTestProxyBase::Reset
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=479114:479272
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6739911901446144
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jul 25 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 25 2017
Jul 26 2017
mbarbella -- this seems like a test issue. Could you please take a look? Thanks.
Jul 26 2017
Jul 26 2017
lukasza@ -- can you please take a look? Thanks.
Jul 26 2017
URGENT - PTAL. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the M61 branch #3163 ASAP to have enough baking time in Beta before Stable promotion. Thank you! Know that this issue shouldn't block the release? Remove the ReleaseBlock-Stable label.
Aug 2 2017
All the frames on the callstack (above IPC code) belong to the test code (and none belong to the product code). Therefore I think it is safe to say that this shouldn't block the release. Hopefully the bug repros and I can take a look when I am back from the paternity leave.
Aug 9 2017
ClusterFuzz has detected this issue as fixed in range 492686:492688.
Detailed report: https://clusterfuzz.com/testcase?key=6739911901446144
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: Bad-cast
Crash Address: 0x07fb8a0c4600
Crash State:
  Bad-cast to blink::WebView from invalid vptr
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::WebViewTestProxyBase::Reset
Sanitizer: undefined (UBSAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=479114:479272
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=492686:492688
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6739911901446144
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 9 2017
ClusterFuzz testcase 6739911901446144 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 9 2017
Aug 11 2017
Aug 11 2017
This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: amineer@ (Android), cmasso@ (iOS), ketakid@ (ChromeOS), govind@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 11 2017
+awhalley@ for M61 merge review
Aug 21 2017
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6194253301809152.
Aug 21 2017
This doesn't seem fixed but it should be test only, so it probably shouldn't be tracked as a security bug. I re-uploaded the test case with an ASan build to get a better idea of what's going on (seems like a use-after-free).
Aug 21 2017
thanks mbarbella@ - changing bug type.
Aug 21 2017
Aug 21 2017
Detailed report: https://clusterfuzz.com/testcase?key=6194253301809152
Job Type: linux_asan_content_shell_drt
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x617000046e80
Crash State:
  test_runner::TestRunnerForSpecificView::Reset
  test_runner::WebViewTestProxyBase::Reset
  test_runner::TestInterfaces::ResetAll
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=389884:390115
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6194253301809152
See https://github.com/google/clusterfuzz-tools for more information. A recommended severity was added to this bug. Please change the severity if it is inaccurate.
Aug 21 2017
ClusterFuzz testcase 6194253301809152 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.

Comment 1 by sheriffbot@chromium.org, Jul 25 2017