
Issue 761126

Issue metadata

Status: Verified
Owner:
Closed: Sep 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security




Bad-cast to blink::LayoutBlock from blink::LayoutTableSection;blink::LayoutObject::ContainerForFixedPosition;blink::LayoutObject::Container

Project Member Reported by ClusterFuzz, Aug 31 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4930559368495104

Fuzzer: mbarbella_webcomponents
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0c7b7562c000
Crash State:
  Bad-cast to blink::LayoutBlock from blink::LayoutTableSection
  blink::LayoutObject::ContainerForFixedPosition
  blink::LayoutObject::Container
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=498846:498874

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4930559368495104

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: chrishtr@chromium.org
Components: Blink>Layout
Owner: schenney@chromium.org
Status: Assigned (was: Untriaged)
schenney: do you mind taking a look at this? Your CL https://chromium.googlesource.com/chromium/src/+/de3f9d3eb77a3653510eac5eceaa5104e16b9b38 is the only one in the blame range that looks a likely culprit, but there's no obvious connection there. If you could retriage as necessary that would be great.
Probably is my change. I'll look into it.
Project Member

Comment 3 by sheriffbot@chromium.org, Sep 1 2017

Labels: M-62
Project Member

Comment 4 by sheriffbot@chromium.org, Sep 1 2017

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 5 by sheriffbot@chromium.org, Sep 1 2017

Labels: Pri-1
Status: Fixed (was: Assigned)
Reverted the offending patch.
Project Member

Comment 7 by ClusterFuzz, Sep 2 2017

ClusterFuzz has detected this issue as fixed in range 499177:499188.

Detailed report: https://clusterfuzz.com/testcase?key=4930559368495104

Fuzzer: mbarbella_webcomponents
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x0c7b7562c000
Crash State:
  Bad-cast to blink::LayoutBlock from blink::LayoutTableSection
  blink::LayoutObject::ContainerForFixedPosition
  blink::LayoutObject::Container
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=498846:498874
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=499177:499188

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4930559368495104

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Sep 2 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4930559368495104 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by sheriffbot@chromium.org, Sep 2 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: Merge-Request-62
schenney@ - looks like the revert happened on ToT after 62 branched - too late to get it reverted there too?
Project Member

Comment 11 by sheriffbot@chromium.org, Oct 5 2017

Labels: -Merge-Request-62 Merge-Review-62 Hotlist-Merge-Review
This bug requires manual review: We are only 11 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Huh, I totally missed the fact that the branch happened in the 22 hours between land and revert. I'll dry run a M-62 cherry pick to see what happens.
It reverts cleanly and is a safe patch: https://chromium-review.googlesource.com/c/chromium/src/+/702954

Just hit CQ if you would like to land it after merge review.
Cc: abdulsyed@chromium.org
abdulsyed@ - good for M62
Labels: -Merge-Review-62 Merge-Approved-62
Approving merge to M62. Branch:3202
Project Member

Comment 16 by bugdroid1@chromium.org, Oct 5 2017

Labels: -merge-approved-62 merge-merged-3202
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a208101a4bda35b311adf13c11ff802eea8127ef

commit a208101a4bda35b311adf13c11ff802eea8127ef
Author: Stephen Chenney <schenney@chromium.org>
Date: Thu Oct 05 21:05:20 2017

Revert "Make Table Sections containers when transformed"

This reverts commit de3f9d3eb77a3653510eac5eceaa5104e16b9b38.

Reason for revert: Causes an unsafe typecast in LayoutObject::ContainerForFixedPosition. https://bugs.chromium.org/p/chromium/issues/detail?id=761126

BUG= 761126 

Original change's description:
> Make Table Sections containers when transformed
>
> We have an assert in LayoutObject::OffsetFromAncestorContainer that the
> current container not have a transform property. But table sections are
> typically not containing blocks, yet may still have a transform. Make
> the code match our existing rendering (which works as expected) by
> making table sections containing blocks for style reasons.
>
> R=chrishtr@chromium.org
>
> Bug:  753614 
> Change-Id: If11be56215c765707ffdb59f3fa6fc60880f7e71
> Reviewed-on: https://chromium-review.googlesource.com/641644
> Commit-Queue: Stephen Chenney <schenney@chromium.org>
> Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#498873}

TBR=chrishtr@chromium.org, schenney@chromium.org

(cherry picked from commit b2631f650b7d55052f7676101b22da81607096d2)

Change-Id: Iab5f380d3f02715113dfb1dad9f7c94aec7221a1
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug:  753614 
Reviewed-on: https://chromium-review.googlesource.com/647766
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#499178}
Reviewed-on: https://chromium-review.googlesource.com/702954
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/branch-heads/3202@{#600}
Cr-Branched-From: fa6a5d87adff761bc16afc5498c3f5944c1daa68-refs/heads/master@{#499098}
[delete] https://crrev.com/d1e6661b516321d271129f071cdad2beeb530b0d/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child-expected.png
[delete] https://crrev.com/d1e6661b516321d271129f071cdad2beeb530b0d/third_party/WebKit/LayoutTests/tables/table-transform-absolute-position-child.html
[modify] https://crrev.com/a208101a4bda35b311adf13c11ff802eea8127ef/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
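The revert message above explains the bug only in one sentence: making transformed table sections containers let `Container()` return a `LayoutTableSection` to a caller that then downcasts its result to `LayoutBlock`. The following C++ sketch is an added illustration of that shape of defect and is not Blink's code; the class names, the `IsLayoutBlock()`/`IsTableSection()` type tags and the `sections_contain_when_transformed` switch are simplified stand-ins for Blink's layout-object hierarchy and for the reverted change. It contrasts the unchecked downcast, which is sound only while every container really is a block and which is what `-fsanitize=vptr` reports as a bad-cast once that invariant breaks, with a checked downcast that yields null for a non-block container.

```cpp
#include <cassert>

// Toy stand-ins for Blink's layout tree (not Blink's code). The hierarchy is
// reduced to a base object, a block, and a table section that is NOT a block.
class LayoutObject {
 public:
  explicit LayoutObject(LayoutObject* parent, bool transformed = false)
      : parent_(parent), transformed_(transformed) {}
  virtual ~LayoutObject() = default;

  virtual bool IsLayoutBlock() const { return false; }
  virtual bool IsTableSection() const { return false; }
  bool HasTransform() const { return transformed_; }
  LayoutObject* Parent() const { return parent_; }

  // Walk up to the nearest ancestor that acts as a container. With
  // sections_contain_when_transformed set (standing in for the reverted
  // change), a transformed table section also counts as a container.
  LayoutObject* Container(bool sections_contain_when_transformed) const {
    for (LayoutObject* o = parent_; o; o = o->parent_) {
      if (o->IsLayoutBlock()) return o;
      if (sections_contain_when_transformed && o->IsTableSection() &&
          o->HasTransform())
        return o;
    }
    return nullptr;
  }

 private:
  LayoutObject* parent_;
  bool transformed_;
};

class LayoutBlock : public LayoutObject {
 public:
  using LayoutObject::LayoutObject;
  bool IsLayoutBlock() const override { return true; }
};

class LayoutTableSection : public LayoutObject {
 public:
  using LayoutObject::LayoutObject;
  bool IsTableSection() const override { return true; }
};

// Unchecked downcast: correct only while every container is a LayoutBlock.
// Applied to a LayoutTableSection this is the type confusion that UBSan's vptr
// check reports as "Bad-cast to LayoutBlock from LayoutTableSection". It is
// defined here for contrast and deliberately never called.
inline LayoutBlock* ToLayoutBlockUnchecked(LayoutObject* o) {
  return static_cast<LayoutBlock*>(o);
}

// Checked downcast: consults the type tag and returns nullptr rather than
// presenting a non-block object as a block.
inline LayoutBlock* ToLayoutBlockOrNull(LayoutObject* o) {
  return (o && o->IsLayoutBlock()) ? static_cast<LayoutBlock*>(o) : nullptr;
}

// Constructed tree: block > transformed table section > positioned child.
struct Tree {
  LayoutBlock body{nullptr};
  LayoutTableSection section{&body, /*transformed=*/true};
  LayoutObject child{&section};
};

// Returns true when the child's container, under the given policy, can be
// safely treated as a LayoutBlock.
bool ContainerIsBlock(bool sections_contain_when_transformed) {
  Tree t;
  LayoutObject* c = t.child.Container(sections_contain_when_transformed);
  return ToLayoutBlockOrNull(c) != nullptr;
}

int main() {
  // Old behaviour: the section is skipped, the body block is the container.
  assert(ContainerIsBlock(false));
  // Reverted behaviour: the transformed section is the container; the checked
  // cast reports "not a block" where the unchecked cast would lie.
  assert(!ContainerIsBlock(true));
  return 0;
}
```

Compiling the sketch with clang++ and `-fsanitize=vptr` and calling `ToLayoutBlockUnchecked` on the section is what turns the silent type confusion into the bad-cast report ClusterFuzz filed; the checked form is the pattern that keeps such a policy change from becoming a memory-safety bug.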

Labels: -ReleaseBlock-Stable
thanks for the quick turnaround schenney@!
Project Member

Comment 18 by sheriffbot@chromium.org, Dec 9 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot