This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Assinging to V8 triage sheriff (seems V8 CF sheriff OOO) per rotation.

Looks like it is related to the inspector changes in https://chromium.googlesource.com/v8/v8/+log/1264194f491d54b2344742821c5139bb887a357d..310048219a78bbd29627a99b1fa9866a11fa4f47

https://chromium-review.googlesource.com/c/612452

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/438a845c52e89617b6fbe29f487a9336e93aa70a

commit 438a845c52e89617b6fbe29f487a9336e93aa70a
Author: Alexey Kozyatinskiy <kozyatinskiy@chromium.org>
Date: Fri Aug 11 18:21:57 2017

[inspector] check callback before calling on promise collected

R=dgozman@chromium.org

Bug:  chromium:754560 
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I3c0d5c4eebc3e8dbfa6663210046d6a86b1226b5
Reviewed-on: https://chromium-review.googlesource.com/612452
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Aleksey Kozyatinskiy <kozyatinskiy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47321}
[modify] https://crrev.com/438a845c52e89617b6fbe29f487a9336e93aa70a/src/inspector/injected-script.cc
[modify] https://crrev.com/438a845c52e89617b6fbe29f487a9336e93aa70a/test/inspector/runtime/evaluate-async-expected.txt
[modify] https://crrev.com/438a845c52e89617b6fbe29f487a9336e93aa70a/test/inspector/runtime/evaluate-async.js

ClusterFuzz has detected this issue as fixed in range 493971:493972.

Detailed report: https://clusterfuzz.com/testcase?key=6183246407925760

Fuzzer: inferno_layout_test_fuzzer
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x23c574b0
Crash State:
  v8_inspector::InjectedScript::ProtocolPromiseHandler::cleanup
  v8::internal::GlobalHandles::DispatchPendingPhantomCallbacks
  v8::internal::GlobalHandles::PostGarbageCollectionProcessing
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=493354:493368
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=493971:493972

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6183246407925760

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6183246407925760 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot