This is a critical security issue. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

No obvious regression in range, but https://chromium.googlesource.com/chromium/src/+/8fe05b62e40416c6adae6bac54f0f04f63541c69 is just before the range and looks relevant.

Incidentally, https://chromium.googlesource.com/chromium/src/+/0e97f8a8934f34fb6f5aba7214eb8470862c52b6 seems to be the pattern used elsewhere to avoid this type of problem.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a2e975ffdc9504ab2bbeb1b4e8527ca60c87c7e3

commit a2e975ffdc9504ab2bbeb1b4e8527ca60c87c7e3
Author: Catherine Mullings <catmullings@chromium.org>
Date: Tue Aug 29 00:45:06 2017

Fix use-after-free of a browser object in extension bubble controller

Fixes a use-after-free error when an extension message bubble controller
accesses a browser object after the object has been destroyed.

Bug:  756316 
Change-Id: I8b158795c1c9811531a42af02635af5cc97e59a3
Reviewed-on: https://chromium-review.googlesource.com/639390
Reviewed-by: Devlin <rdevlin.cronin@chromium.org>
Commit-Queue: catmullings <catmullings@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497960}
[modify] https://crrev.com/a2e975ffdc9504ab2bbeb1b4e8527ca60c87c7e3/chrome/browser/extensions/extension_message_bubble_controller.cc
[modify] https://crrev.com/a2e975ffdc9504ab2bbeb1b4e8527ca60c87c7e3/chrome/browser/extensions/extension_message_bubble_controller_unittest.cc

It will be good to continue monitoring this.  I think that clusterfuzz is supposed to automatically detect when issues are fixed, so we should keep an eye out for that.  If it doesn't happen, we may need to look into this again.

Clusterfuzz experts: Even though clusterfuzz has marked this as reproducable, neither catmullings@ nor myself were able to trigger the crash (which makes verification a bit harder).  Is there some secret we're missing?

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 497916:497981.

Detailed report: https://clusterfuzz.com/testcase?key=5591034808762368

Fuzzer: meacer_extension_apis
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x616000269870
Crash State:
  extensions::ExtensionMessageBubbleController::UpdateExtensionIdList
  extensions::ExtensionMessageBubbleController::OnExtensionUnloaded
  extensions::ExtensionRegistry::TriggerOnUnloaded
  
Sanitizer: address (ASAN)

Recommended Security Severity: Critical

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=494865:494953
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=497916:497981

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5591034808762368

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.