This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This is another recent report during v8 GC with no suspicious changes but a v8 roll in range.  Please feel free to re-assign to me if this is not a v8 issue.  Thanks !!!

#4: The fact that V8 GC is somewhere further down on the stack doesn't make this a V8 issue. Essentially, V8 told Blink "do some work!", and Blink replied "I'd rather crash" ;-)

For due diligence I did check the five V8 rolls in the regression range, and there's nothing suspicious in there either.

mlippautz, you've been in the scriptwrappable code recently (cd39e5b0ea), could you take a look?

Taking a look today.

Update: It looks like Oilpan's sweep can collect some EventTargetWithInlineData and the next V8 wrapper tracing round then finds a broken listener in the event listener map.

Still investigating further.

The object in questions is an event listener hanging of a AccessibleNode. 

Oilpan and wrapper tracing still agree on the address of AccessibleNode but then diverge on EventTargetData.

Investigating further...

AccessibleNode is not properly tracing the parent in Oilpan. CL in flight.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3cdbb8676a2d14c4f1f0da0f06f656e3cc0dca33

commit 3cdbb8676a2d14c4f1f0da0f06f656e3cc0dca33
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Thu Aug 10 16:41:57 2017

Oilpan: Fix tracing of AccessibleNode

The dispatch to EventTargetWithInlineData was missing, effectively
resulting in premature collections of EventTargetData and all its
belongings.

Bug:  chromium:753293 
Change-Id: I0e2acf87dad001158bb407fdf4543bf2db9457fd
Reviewed-on: https://chromium-review.googlesource.com/610144
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#493427}
[modify] https://crrev.com/3cdbb8676a2d14c4f1f0da0f06f656e3cc0dca33/third_party/WebKit/Source/core/dom/AccessibleNode.cpp

ClusterFuzz has detected this issue as fixed in range 493422:493447.

Detailed report: https://clusterfuzz.com/testcase?key=6154608304193536

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x1f7b5f9a58e8
Crash State:
  Bad-cast to blink::EventListenerblink::EventTarget::TraceWrappers
  blink::TraceTrait<blink::AccessibleNode>::TraceMarkedWrapper
  blink::ScriptWrappableVisitor::AdvanceTracing
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=490847:492300
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=493422:493447

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6154608304193536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The bug fixed in #12 is unrelated to any recent changes has been present since 46fca1f2e467228e197bb0c792450ad54667bd5e in April. The fix itself is trivial.

The bug can yield in memory corruptions, out-of-bounds-reads and writes because we have a stale pointer into reusable memory. Most likely it will result in crash in wrapper tracing though, as at this point we have to touch the memory which is usually corrupted.

Requesting merges as far back as possible. 

ClusterFuzz testcase 6154608304193536 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Please merge to beta and stable after proper Canary coverage.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d7accc53acc12310d2c3403760913ddbe2fa8602

commit d7accc53acc12310d2c3403760913ddbe2fa8602
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Mon Aug 14 20:08:30 2017

Oilpan: Fix tracing of AccessibleNode

The dispatch to EventTargetWithInlineData was missing, effectively
resulting in premature collections of EventTargetData and all its
belongings.

TBR=mlippautz@chromium.org

(cherry picked from commit 3cdbb8676a2d14c4f1f0da0f06f656e3cc0dca33)

Bug:  chromium:753293 
Change-Id: I0e2acf87dad001158bb407fdf4543bf2db9457fd
Reviewed-on: https://chromium-review.googlesource.com/610144
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#493427}
Reviewed-on: https://chromium-review.googlesource.com/614400
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#550}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/d7accc53acc12310d2c3403760913ddbe2fa8602/third_party/WebKit/Source/core/dom/AccessibleNode.cpp

Sorry for the confusion but there is actually no need to backmerge. 

The refactoring introducing the bug happened way later in fc79b0926b78c20eb703729caa3ce01f45a2feda. I am reverting the change on 3163.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5904a0b7fe93d48d9404161c14a0e78795c719a6

commit 5904a0b7fe93d48d9404161c14a0e78795c719a6
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Mon Aug 14 21:02:00 2017

Revert "Oilpan: Fix tracing of AccessibleNode"

This reverts commit d7accc53acc12310d2c3403760913ddbe2fa8602.

Reason for revert: Refactoring to EventTargetWithInlineData happened later (fc79b0926b78c20eb703729caa3ce01f45a2feda) and this is thus not needed. Sorry for the noise.

Original change's description:
> Oilpan: Fix tracing of AccessibleNode
> 
> The dispatch to EventTargetWithInlineData was missing, effectively
> resulting in premature collections of EventTargetData and all its
> belongings.
> 
> TBR=mlippautz@chromium.org
> 
> (cherry picked from commit 3cdbb8676a2d14c4f1f0da0f06f656e3cc0dca33)
> 
> Bug:  chromium:753293 
> Change-Id: I0e2acf87dad001158bb407fdf4543bf2db9457fd
> Reviewed-on: https://chromium-review.googlesource.com/610144
> Reviewed-by: Kentaro Hara <haraken@chromium.org>
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Cr-Original-Commit-Position: refs/heads/master@{#493427}
> Reviewed-on: https://chromium-review.googlesource.com/614400
> Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
> Cr-Commit-Position: refs/branch-heads/3163@{#550}
> Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}

TBR=haraken@chromium.org,mlippautz@chromium.org

Change-Id: I874647b138424bbd545775a7e1eae3502f274230
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  chromium:753293 
Reviewed-on: https://chromium-review.googlesource.com/614500
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/branch-heads/3163@{#555}
Cr-Branched-From: ff259bab28b35d242e10186cd63af7ed404fae0d-refs/heads/master@{#488528}
[modify] https://crrev.com/5904a0b7fe93d48d9404161c14a0e78795c719a6/third_party/WebKit/Source/core/dom/AccessibleNode.cpp

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Removing merge labels as there is nothing to be merged, see #20.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot