Perhaps related to Issue 753672?

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

rockot: This looks similar to issue 753672, but Clusterfuzz doesn't think it's fixed yet.

I don't think it's related to bug 753672, which was a UAF. This is an uninitialized value sent over some URLLoaderFactoryPtr. Unless we're seeing similar bugs across many different interfaces/messages, it's probably a bug with a specific client of URLLoaderFactory.

The regression range is unfortunately not helpful, but +CC some folks working on network service and/or loading.

Hmm - unless this |impl| itself (or its vtable) is the uninitialized value here. Note that the crash is triggered by this line: https://cs.chromium.org/chromium/src/out/Debug/gen/content/public/common/url_loader_factory.mojom.cc?rcl=07237c8fd68bf051ce5f6b80adb13e30ed3b9efb&l=172

I didn't find any interesting thing by looking at the report, either.
Impl is provided by the user code of the bindings, so it is possible that it is a bug in some user code.
But if this is reproducible locally, it should not be hard to fix.

ClusterFuzz has detected this issue as fixed in range 497420:497431.

Detailed report: https://clusterfuzz.com/testcase?key=6483255074488320

Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  content::mojom::URLLoaderFactoryStubDispatch::Accept
  content::mojom::URLLoaderFactoryStub<mojo::RawPtrImplRefTraits<content::mojom::U
  mojo::InterfaceEndpointClient::HandleValidatedMessage
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=495096:495101
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=497420:497431

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6483255074488320

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6483255074488320 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot