I have a simple local repro (opening http://youtube.com) which bisected to: 

commit 014bbbb65ef9fed41c95613f56225758445d54f8
Author: Yuki Shiino <yukishiino@chromium.org>
Date:   Tue Sep 5 03:34:15 2017 +0000

    v8binding: Enables ScriptForbiddenScope check.
    
    Enables the ScriptForbiddenScope checks so that Blink crashes
    when it's about to run a script inside a ScriptForbiddenScope.
    
    Bug: 728583
    Change-Id: I44bd07855e4746c6081456f336a09a954cdc1b5e
    Reviewed-on: https://chromium-review.googlesource.com/648373
    Reviewed-by: Kentaro Hara <haraken@chromium.org>
    Commit-Queue: Yuki Shiino <yukishiino@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#499550}


There are probably many more to come :)

BTW, this sounds like a perfect cluster telemetry use-case (testing your CL against 10k websites): https://ct.skia.org/

Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

The root cause should be that PPAPI is running a script when it's destroyed without checking blink::WebPluginScriptForbiddenScope::IsForbidden().

raymes@, could you take a look?

blink::ScriptForbiddenScope and blink::PluginScriptForbiddenScope are created at blink::Document::UpdateStyleAndLayoutTree(), and after that
- blink::WebPluginContainerImpl::Dispose()
- content::PepperWebPluginImpl::Destroy()
- content::PepperPluginInstanceImpl::Delete()
are called, and it eventually invokes content::MessageChannel::PostMessageToJavaScript(PP_Var), which invokes a serializer that runs a script.

The stacktrace is as follows:

#0 0x7f8186bb5c36 in gsignal /build/eglibc-SvCtMH/eglibc-2.19/nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x5827e4f in logging::LogMessage::~LogMessage() base/logging.cc:791:7
#2 0xa5e21ba in blink::BeforeCallEnteredCallback(v8::Isolate*) third_party/WebKit/Source/platform/bindings/V8PerIsolateData.cpp:53:3
#3 0x1a9bdb4 in FireBeforeCallEnteredCallback v8/src/isolate-inl.h:102:5
#4 0x1a9bdb4 in v8::(anonymous namespace)::CallDepthScope<true>::CallDepthScope(v8::internal::Isolate*, v8::Local<v8::Context>) v8/src/api.cc:245
#5 0x1ab04c2 in v8::ValueSerializer::WriteValue(v8::Local<v8::Context>, v8::Local<v8::Value>) v8/src/api.cc:3359:3
#6 0x9cd5867 in blink::V8ScriptValueSerializer::Serialize(v8::Local<v8::Value>, blink::ExceptionState&) third_party/WebKit/Source/bindings/core/v8/serialization/V8ScriptValueSerializer.cpp:92:20
#7 0x10189361 in blink::SerializedScriptValueForModulesFactory::Create(v8::Isolate*, v8::Local<v8::Value>, blink::SerializedScriptValue::SerializeOptions const&, blink::ExceptionState&) third_party/WebKit/Source/bindings/modules/v8/serialization/SerializedScriptValueForModulesFactory.cpp:21:21
#8 0x9ca1112 in blink::SerializedScriptValue::Serialize(v8::Isolate*, v8::Local<v8::Value>, blink::SerializedScriptValue::SerializeOptions const&, blink::ExceptionState&) third_party/WebKit/Source/bindings/core/v8/serialization/SerializedScriptValue.cpp:75:51
#9 0xfdf8087 in blink::WebSerializedScriptValue::Serialize(v8::Isolate*, v8::Local<v8::Value>) third_party/WebKit/Source/core/exported/WebSerializedScriptValue.cpp:49:47
#10 0xdfc32ed in content::MessageChannel::PostMessageToJavaScript(PP_Var) content/renderer/pepper/message_channel.cc:126:7
#11 0xd38b4f5 in ppapi::proxy::PPB_Instance_Proxy::OnHostMsgPostMessage(int, ppapi::proxy::SerializedVarReceiveInput) ppapi/proxy/ppb_instance_proxy.cc:1097:24
#12 0xd38adf5 in DispatchToMethodImpl<ppapi::proxy::PPB_Instance_Proxy *, void (ppapi::proxy::PPB_Instance_Proxy::*)(int, ppapi::proxy::SerializedVarReceiveInput), std::__1::tuple<int, ppapi::proxy::SerializedVar>, 0, 1> base/tuple.h:56:3
#13 0xd38adf5 in DispatchToMethod<ppapi::proxy::PPB_Instance_Proxy *, void (ppapi::proxy::PPB_Instance_Proxy::*)(int, ppapi::proxy::SerializedVarReceiveInput), std::__1::tuple<int, ppapi::proxy::SerializedVar> > base/tuple.h:63
#14 0xd38adf5 in DispatchToMethod<ppapi::proxy::PPB_Instance_Proxy, void (ppapi::proxy::PPB_Instance_Proxy::*)(int, ppapi::proxy::SerializedVarReceiveInput), void, std::__1::tuple<int, ppapi::proxy::SerializedVar> > ipc/ipc_message_templates.h:51
#15 0xd38adf5 in bool IPC::MessageT<PpapiHostMsg_PPBInstance_PostMessage_Meta, std::__1::tuple<int, ppapi::proxy::SerializedVar>, void>::Dispatch<ppapi::proxy::PPB_Instance_Proxy, ppapi::proxy::PPB_Instance_Proxy, void, void (ppapi::proxy::PPB_Instance_Proxy::*)(int, ppapi::proxy::SerializedVarReceiveInput)>(IPC::Message const*, ppapi::proxy::PPB_Instance_Proxy*, ppapi::proxy::PPB_Instance_Proxy*, void*, void (ppapi::proxy::PPB_Instance_Proxy::*)(int, ppapi::proxy::SerializedVarReceiveInput)) ipc/ipc_message_templates.h:146
#16 0xd382a7e in ppapi::proxy::PPB_Instance_Proxy::OnMessageReceived(IPC::Message const&) ppapi/proxy/ppb_instance_proxy.cc:145:5
#17 0xd4b3ee3 in ppapi::proxy::HostDispatcher::OnMessageReceived(IPC::Message const&) ppapi/proxy/host_dispatcher.cc:206:22
#18 0x5f4cab0 in IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&) ipc/ipc_channel_proxy.cc:320:14
#19 0x5f7490b in IPC::SyncChannel::ReceivedSyncMsgQueue::DispatchMessages(IPC::SyncChannel::SyncContext*) ipc/ipc_sync_channel.cc:224:16
#20 0x5f786de in DispatchMessages ipc/ipc_sync_channel.cc:429:24
#21 0x5f786de in IPC::SyncChannel::WaitForReply(mojo::SyncHandleRegistry*, IPC::SyncChannel::SyncContext*, bool) ipc/ipc_sync_channel.cc:673
#22 0x5f77aa5 in IPC::SyncChannel::Send(IPC::Message*) ipc/ipc_sync_channel.cc:622:3
#23 0xd4b2cfd in ppapi::proxy::HostDispatcher::Send(IPC::Message*) ppapi/proxy/host_dispatcher.cc:161:31
#24 0xd3cd018 in ppapi::proxy::(anonymous namespace)::DidDestroy(int) ppapi/proxy/ppp_instance_proxy.cc:65:45
#25 0xf2a35a9 in CallWhileUnlocked<void, int, int> ppapi/shared_impl/proxy_lock.h:128:10
#26 0xf2a35a9 in ppapi::PPP_Instance_Combined::DidDestroy(int) ppapi/shared_impl/ppp_instance_combined.cc:53
#27 0xdccb68c in content::PepperPluginInstanceImpl::Delete() content/renderer/pepper/pepper_plugin_instance_impl.cc:673:26
#28 0xdd09394 in content::PepperWebPluginImpl::Destroy() content/renderer/pepper/pepper_webplugin_impl.cc:152:16
#29 0xfdec25d in blink::WebPluginContainerImpl::Dispose() third_party/WebKit/Source/core/exported/WebPluginContainerImpl.cpp:740:18
#30 0xb98ad6f in blink::HTMLFrameOwnerElement::PluginDisposeSuspendScope::PerformDeferredPluginDispose() third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.cpp:72:13
#31 0xb0908a4 in ~PluginDisposeSuspendScope third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.h:83:9
#32 0xb0908a4 in blink::Document::UpdateStyle() third_party/WebKit/Source/core/dom/Document.cpp:2278
#33 0xb082586 in blink::Document::UpdateStyleAndLayoutTree() third_party/WebKit/Source/core/dom/Document.cpp:2165:3
#34 0xb725331 in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursiveInternal() third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3459:26
#35 0xb71fb0c in blink::LocalFrameView::UpdateStyleAndLayoutIfNeededRecursive() third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3438:3
#36 0xb71cdd1 in blink::LocalFrameView::UpdateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState) third_party/WebKit/Source/core/frame/LocalFrameView.cpp:3166:3
#37 0xc899086 in blink::PageAnimator::UpdateAllLifecyclePhases(blink::LocalFrame&) third_party/WebKit/Source/core/page/PageAnimator.cpp:100:9
#38 0xfe19b62 in blink::WebViewImpl::UpdateAllLifecyclePhases() third_party/WebKit/Source/core/exported/WebViewImpl.cpp:1853:3
#39 0xe188dec in test_runner::WebWidgetTestClient::AnimateNow() content/shell/test_runner/web_widget_test_client.cc:53:17
#40 0x57d9814 in Run base/callback.h:64:12
#41 0x57d9814 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:57
#42 0x38e2eef in blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(blink::scheduler::internal::WorkQueue*, bool, blink::scheduler::LazyNow, base::TimeTicks*) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:515:19
#43 0x38dcbdd in blink::scheduler::TaskQueueManager::DoWork(bool) third_party/WebKit/Source/platform/scheduler/base/task_queue_manager.cc:312:13
#44 0x57d9814 in Run base/callback.h:64:12
#45 0x57d9814 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:57
#46 0x58401a4 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:406:25
#47 0x5841ef7 in DeferOrRunPendingTask base/message_loop/message_loop.cc:417:5
#48 0x5841ef7 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:524
#49 0x58474af in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:31
#50 0x58b1a84 in base::RunLoop::Run() base/run_loop.cc:118:14
#51 0xdaf33e6 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:220:23
#52 0x3a92252 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:353:14
#53 0x3a9600a in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:703:12
#54 0x9ae081b in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:469:29
#55 0x1866623 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10
#56 0x505bc4 in main content/shell/app/shell_main.cc:48:10
#57 0x7f8186ba0f44 in __libc_start_main /build/eglibc-SvCtMH/eglibc-2.19/csu/libc-start.c:287

+piman who tends to remember more about this than me. We usually allow plugins to execute script synchronously during their destruction. This question has come up before and I'm not sure that the answer is as simple as just not executing script at that point. 

Also +dcheng and joelhockey who may know something about plugin destruction order these days.

Yes, I think we need to run script here. We ignore script when the document is tearing down, but the understanding was we'd need to run script at other times or too many things would break.

It also looks like we tried to patch around this in issue 550427, but I think that fix was not quite correct unfortunately. The right fix is to move the update suspend scope for plugins one level higher, so it has longer lifetime than the ScriptForbiddenScope (yes, this is horrible, but it's what we do everywhere else). Hopefully this doesn't break anything else...

+jbroman, has script value serialization always required entering v8?

Yes. Structured serialization is defined to invoke the ordinary property "get" algorithm, which can in general run arbitrary script (due to getter properties).

That's unfortunate: that means the scripting block by PluginScriptForbiddenScope is incomplete. I'll look at removing this in a followup (as it's confusing and doesn't even block JS execution), and look at changing the timing of WebPlugin::Destroy() so these sorts of things don't matter.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/33369cd5a61ac60732d73396fc0f3d0a141cd3e5

commit 33369cd5a61ac60732d73396fc0f3d0a141cd3e5
Author: Daniel Cheng <dcheng@chromium.org>
Date: Wed Oct 18 18:39:53 2017

Suspend plugin updates when scripting is forbidden.

Executing deferred plugin updates can run script, so ensure that
plugin updates are deferred until script forbidden scope is no
longer active.

Bug:  765920 
Change-Id: I42f89287c62bcf6ee748e04d984539644e839c99
Reviewed-on: https://chromium-review.googlesource.com/720173
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Reviewed-by: Yuki Shiino <yukishiino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509818}
[modify] https://crrev.com/33369cd5a61ac60732d73396fc0f3d0a141cd3e5/third_party/WebKit/Source/core/dom/Document.cpp
[modify] https://crrev.com/33369cd5a61ac60732d73396fc0f3d0a141cd3e5/third_party/WebKit/Source/core/exported/WebViewTest.cpp

ClusterFuzz has detected this issue as fixed in range 509798:509818.

Detailed report: https://clusterfuzz.com/testcase?key=6694962849906688

Fuzzer: inferno_twister
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !ScriptForbiddenScope::IsScriptForbidden() in V8PerIsolateData.cpp
  blink::BeforeCallEnteredCallback
  v8::CallDepthScope<true>::CallDepthScope
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=502407:502457
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=509798:509818

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6694962849906688

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6694962849906688 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.