Use-of-uninitialized-value in blink::MojoWatcher::RunReadyCallback
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5387331266936832
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::MojoWatcher::RunReadyCallback
  base::debug::TaskAnnotator::RunTask
  blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=456626:457732
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5387331266936832

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by sheriffbot@chromium.org, Sep 30 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 1 2017

Mojo: Armed Watchers by rockot@chromium.org
Changelist touched lines near the crashed line in frame #0 blink::MojoWatcher::RunReadyCallback(unsigned int) (distance = 0 lines away)
Top touched frame is #0 blink::MojoWatcher::RunReadyCallback (in MojoWatcher.cpp)
Changed files MojoWatcher.cpp, MojoWatcher.h, with the same CrashedDirectory (third_party/WebKit/Source/core/mojo) as MojoWatcher.cpp (in frame #0, frame #9, frame #1)
Touched files in stacktrace: MojoWatcher.cpp
Changed files MojoWatcher.cpp, MojoWatcher.h, with the same CrashedComponent (Blink) as MojoWatcher.cpp (in frame #0, frame #9, frame #1)
Changed files url_response_body_consumer.cc, url_response_body_consumer.h, web_data_consumer_handle_impl.cc, web_data_consumer_handle_impl.h, message_port.cc, message_port.h, ipc_sync_channel.cc, ipc_sync_channel.h, with the same CrashedComponent (Internals>Core) as task_annotator.cc (in frame #2, frame #6, frame #11, frame #15, frame #19, frame #23), callback.h (in frame #14, frame #5, frame #22), message_loop.cc (in frame #24, frame #16, frame #7)

Rockot@, can you please add an OWNERS file in WebKit/Source/core/mojo with the mojo component? That way Predator can add the correct component label for these bugs.
Oct 4 2017

The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7d4b56a4c2a5b5e97e556bdbc6f177145ed74b6d

commit 7d4b56a4c2a5b5e97e556bdbc6f177145ed74b6d
Author: Ken Rockot <rockot@chromium.org>
Date: Wed Oct 04 23:41:36 2017

Mojo: Fix uninitialized val usage in JS Watcher API

This corrects some invalid DCHECKs in the Blink MojoWatcher implementation to account for cases where a handle is closed while being watched. The invalid assumption was leading to potential use of an uninitialized value. The bug does not affect any production code, but was triggered by clusterfuzz.

Also adds an OWNERS to Blink mojo code with an appropriate component tag.

R=yzshen@chromium.org
Bug: 770458
Change-Id: I06ad446e3a3ae13545737c578d1180ff438c49d7
Reviewed-on: https://chromium-review.googlesource.com/700807
Reviewed-by: Yuzhu Shen <yzshen@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506568}

[modify] https://crrev.com/7d4b56a4c2a5b5e97e556bdbc6f177145ed74b6d/third_party/WebKit/Source/core/mojo/MojoWatcher.cpp
[add] https://crrev.com/7d4b56a4c2a5b5e97e556bdbc6f177145ed74b6d/third_party/WebKit/Source/core/mojo/OWNERS
Oct 5 2017

ClusterFuzz has detected this issue as fixed in range 506555:506613.

Detailed report: https://clusterfuzz.com/testcase?key=5387331266936832
Fuzzer: inferno_twister
Job Type: linux_msan_content_shell_drt
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  blink::MojoWatcher::RunReadyCallback
  base::debug::TaskAnnotator::RunTask
  blink::scheduler::TaskQueueManager::ProcessTaskFromWorkQueue
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=456626:457732
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=506555:506613
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5387331266936832

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 5 2017
ClusterFuzz testcase 5387331266936832 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 11 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot