Heap-use-after-free in video_capture::DeviceMediaToMojoAdapter::Stop
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5982000050339840
Fuzzer: inferno_twister
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x1241510947a0
Crash State:
  video_capture::DeviceMediaToMojoAdapter::Stop
  mojo::InterfaceEndpointClient::NotifyError
  mojo::internal::MultiplexRouter::ProcessNotifyErrorTask
Sanitizer: address (ASAN)
Recommended Security Severity: High
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5982000050339840
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Feb 1 2018
Feb 1 2018
Feb 1 2018
Feb 2 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7274caf9370ce83462a3ec082e2808235dc6adbf

commit 7274caf9370ce83462a3ec082e2808235dc6adbf
Author: Christian Fremerey <chfremer@chromium.org>
Date: Fri Feb 02 23:41:01 2018

Fix use after free in DeviceMediaToMojoAdapter

In Issue 807887, ClusterFuzz provided a very useful stack trace demonstrating a use after free, which is likely the same as Issue 777608.

Root cause was a Mojo connection error getting invoked on a base::Unretained() pointer to a deleted object.

I added a unit test case that reproduced the issue before the fix.

There are two possible fixes.
1. In ~DeviceMediaToMojoAdapter() call Stop() in order to reset the connection error handler before it gets invoked.
2. Use base::WeakPtr.

I am opting for option 2, because seeing/proving that solution 1 is effective is unreasonably complex and also requires more code.

Test: services_unittests --gtest_filter="DeviceMediaToMojoAdapterTest.*"

Bug: 807887, 777608
Change-Id: If42094796fbb095caccad7af9f72263b1d5f3ed6
Reviewed-on: https://chromium-review.googlesource.com/898256
Commit-Queue: Christian Fremerey <chfremer@chromium.org>
Reviewed-by: Emircan Uysaler <emircan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534199}

[modify] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/BUILD.gn
[modify] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/device_media_to_mojo_adapter.cc
[modify] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/device_media_to_mojo_adapter.h
[add] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/device_media_to_mojo_adapter_unittest.cc
[modify] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/receiver_mojo_to_media_adapter.cc
[modify] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/receiver_mojo_to_media_adapter.h
[add] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/test/mock_device.cc
[add] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/test/mock_device.h
[modify] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/test/mock_device_test.cc
[modify] https://crrev.com/7274caf9370ce83462a3ec082e2808235dc6adbf/services/video_capture/test/mock_device_test.h
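The commit message above contrasts two ways a Mojo connection-error handler can refer back to the object that installed it: a raw base::Unretained() pointer, which keeps being dereferenced after the object is deleted, and a base::WeakPtr, which turns into null once the object is gone. The following self-contained C++ is an added illustration of that difference, not code from the Chromium change or from the Mojo/base libraries. FakeMojoConnection, WeakPtr, WeakPtrFactory, Adapter and RunScenario are stand-ins written for this example; the only thing they share with the real classes is the shape of the bug and the fix. The ordering in which the adapter is destroyed before the error task runs models the race that produced the ClusterFuzz crash state (ProcessNotifyErrorTask -> NotifyError -> Stop).

```cpp
#include <functional>
#include <memory>
#include <utility>

// Stand-in for a Mojo InterfacePtr (example code, not the Mojo API): it owns
// one connection-error handler, which the real MultiplexRouter would run as a
// posted task, possibly after the object that installed it was destroyed.
class FakeMojoConnection {
 public:
  void set_connection_error_handler(std::function<void()> handler) {
    handler_ = std::move(handler);
  }
  // Dropping the pipe also drops the handler (what fix option 1 relied on).
  void reset() { handler_ = nullptr; }
  // Models MultiplexRouter::ProcessNotifyErrorTask -> NotifyError.
  void SimulateConnectionError() {
    if (!handler_) return;
    std::function<void()> h = std::move(handler_);
    handler_ = nullptr;
    h();
  }

 private:
  std::function<void()> handler_;
};

// Minimal analogue of base::WeakPtr / base::WeakPtrFactory (example code):
// the factory owns a shared token; destroying the factory makes every
// outstanding WeakPtr observe null. Single-threaded, unlike the real one.
template <typename T>
class WeakPtr {
 public:
  WeakPtr() = default;
  explicit WeakPtr(std::weak_ptr<T*> token) : token_(std::move(token)) {}
  T* get() const {
    std::shared_ptr<T*> live = token_.lock();
    return live ? *live : nullptr;
  }

 private:
  std::weak_ptr<T*> token_;
};

template <typename T>
class WeakPtrFactory {
 public:
  explicit WeakPtrFactory(T* owner) : token_(std::make_shared<T*>(owner)) {}
  WeakPtr<T> GetWeakPtr() const { return WeakPtr<T>(token_); }

 private:
  std::shared_ptr<T*> token_;
};

// Hypothetical adapter standing in for DeviceMediaToMojoAdapter.
class Adapter {
 public:
  Adapter(FakeMojoConnection* conn, int* stop_calls, bool use_weak_ptr)
      : conn_(conn), stop_calls_(stop_calls), use_weak_ptr_(use_weak_ptr) {}

  void Start() {
    if (use_weak_ptr_) {
      // Fixed shape: if |this| is gone the lambda sees null and does nothing,
      // like base::BindOnce(&Adapter::Stop, weak_factory_.GetWeakPtr()).
      WeakPtr<Adapter> weak = weak_factory_.GetWeakPtr();
      conn_->set_connection_error_handler([weak] {
        if (Adapter* self = weak.get()) self->Stop();
      });
    } else {
      // Vulnerable shape: base::Unretained(this). The handler dereferences a
      // raw pointer regardless of whether the Adapter still exists.
      Adapter* raw = this;
      conn_->set_connection_error_handler([raw] { raw->Stop(); });
    }
  }

  void Stop() {
    ++*stop_calls_;
    conn_->reset();
  }

 private:
  FakeMojoConnection* conn_;
  int* stop_calls_;
  bool use_weak_ptr_;
  // Last member, so it is destroyed first and invalidates WeakPtrs before
  // the rest of the object goes away (the same convention Chromium uses).
  WeakPtrFactory<Adapter> weak_factory_{this};
};

// Runs one ordering of the race and returns how many times Stop() ran.
// delete_before_error=true is the ordering ClusterFuzz hit. The combination
// (use_weak_ptr=false, delete_before_error=true) is the heap-use-after-free
// from the report and must only be executed under ASan.
int RunScenario(bool use_weak_ptr, bool delete_before_error) {
  int stop_calls = 0;
  FakeMojoConnection conn;
  auto adapter = std::make_unique<Adapter>(&conn, &stop_calls, use_weak_ptr);
  adapter->Start();
  if (delete_before_error) adapter.reset();  // freed, handler still installed
  conn.SimulateConnectionError();
  return stop_calls;
}
```

With the WeakPtr binding, RunScenario(true, true) returns 0: the error task still fires, but the handler finds no receiver and drops the call instead of touching freed memory. Both bindings behave identically when the adapter is still alive (one Stop() call), which is why the bug only shows up under the destroy-then-error ordering a fuzzer can provoke.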
Feb 3 2018
ClusterFuzz has detected this issue as fixed in range 534193:534207.
Detailed report: https://clusterfuzz.com/testcase?key=5982000050339840
Fuzzer: inferno_twister
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Heap-use-after-free READ 1
Crash Address: 0x1241510947a0
Crash State:
  video_capture::DeviceMediaToMojoAdapter::Stop
  mojo::InterfaceEndpointClient::NotifyError
  mojo::internal::MultiplexRouter::ProcessNotifyErrorTask
Sanitizer: address (ASAN)
Recommended Security Severity: High
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=534193:534207
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5982000050339840
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 3 2018
ClusterFuzz testcase 5982000050339840 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 4 2018
Feb 13 2018
Issue 777608 has been merged into this issue.
Mar 2 2018
Mar 16 2018
Mar 16 2018
This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot
Mar 16 2018
Not sure why Merge-Request-66 was added. According to omaha proxy, the commit with the fix in #5 is part of 66.0.3338.0.
Mar 19 2018
No merge to 66 needed.
Apr 17 2018
May 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.
For more details visit https://www.chromium.org/issue-tracking/autotriage
- Your friendly Sheriffbot