This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Any chance that this and https://bugs.chromium.org/p/chromium/issues/detail?id=766039 indicate that the bug really is in test_runner?

Note also that content/shell/test_runner/OWNERS refers to a Test>Layout component, but that doesn't seem to be legal in the Components: field below.

I am not sure how much I can trust the saved callstack, but if this is a UaF of |WebFrameTestClient::delegate_| then 1) it seems to be a dupe of  issue 606594  and  2 ) it does indeed seem to be a test-only issue with no impact on the product itself.

Unfortunately, I don't have any good ideas on how to proceed with  issue 606594 ... :-/

Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

Friendly ping!

Removing out of security queue since this is crash in test code (WebWidgetTestClient) - similarly to how issue 808385 was handled.

Looking at the ClusterFuzz data, it seems that ASAN says that the UaF object was allocated by content/shell/renderer/layout_test/layout_test_content_renderer_client.cc:75:34 here:

  BlinkTestRunner* test_runner = new BlinkTestRunner(render_view);

Based on this, I am fairly confident that this is a dupe of  issue 606594 .

ClusterFuzz has detected this issue as fixed in range 544435:544631.

Detailed report: https://clusterfuzz.com/testcase?key=5639604190576640

Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x6120001e2768
Crash State:
  test_runner::WebFrameTestClient::DidAddMessageToConsole
  test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImp
  blink::ChromeClientImpl::AddMessageToConsole
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=502229:502259
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=544435:544631

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5639604190576640

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.