ASSERT: G_IS_OBJECT (object)
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4799243953635328
Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: ASSERT
Crash Address: 0x7b040004d390
Crash State: G_IS_OBJECT (object)
Sanitizer: thread (TSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=524032:524033
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4799243953635328
Additional requirements: Requires Gestures

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Mar 14 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/e6141a8e20f4a6c85c6742925ddb66be242dfca1 (Add Failure to test expectations for styles-update-from-js.js.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Mar 14 2018
My CL was just for adding failure to a test expectation.
Mar 14 2018 (no comment text)

Mar 14 2018 (no comment text)
Mar 16 2018
sadrul, could you take a look please? Clusterfuzz is re-running the regression analysis but maybe you have some ideas in the meantime.
Mar 27 2018
Friendly ping from Chrome Security Sheriff. This is a high severity security issue affecting Stable branch. Could you please take a look?
Mar 27 2018
--> thomasanderson@ I don't think we use GObject-things other than GTK+ in chrome?
Mar 28 2018
thomasanderson: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 10 2018
Friendly security sheriff ping: Could you take a look? This is a high severity issue, and it seems there hasn't been any recent activity.
Apr 11 2018
thomasanderson: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 18 2018 (no comment text)
Apr 18 2018
Security Sheriff ping -- this high severity security issue affecting Stable needs some love. thomasanderson@ -- can you please prioritize this? If you need any help from any other team/person, please mention that here and the security sheriff will help out with that.
Apr 18 2018
This has the same root cause as bug 813449 (which I'm also assigned to). The solution is to remove the dependency on libdbusmenu-glib, but this will take some time.
May 13 2018
We commit ourselves to a 60 day deadline for fixing for high severity vulnerabilities, and have exceeded it here. If you're unable to look into this soon, could you please find another owner or remove yourself so that this gets back into the security triage queue? For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 18 2018
thomasanderson, you mentioned on chat you don't think this has security implications? Can you elaborate?
May 18 2018
ClusterFuzz testcase 4799243953635328 appears to be flaky, updating reproducibility label.
May 18 2018
re c#16: Sorry, I was actually looking at the TSAN error in the ClusterFuzz output, which has the same root cause as bug 813449, but the ASSERT: G_IS_OBJECT appears to be a separate issue. So it's possible this would have security implications. Though I'm not able to reproduce the issue on ToT, and it doesn't seem like ClusterFuzz is able to either, so it's possible this is fixed? If not, I think we'll have to dump the stack trace from GLibLogHandler to be able to diagnose the issue.
May 18 2018 (no comment text)

May 23 2018 (no comment text)
May 23 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/eccc67cc9bd5ee8c1418a865185f57603d6209b1

commit eccc67cc9bd5ee8c1418a865185f57603d6209b1
Author: Tom Anderson <thomasanderson@chromium.org>
Date: Wed May 23 16:31:43 2018

Add debug logging for bug 821704

BUG=821704
R=gab@chromium.org

Change-Id: I9c8a3a5ff639e687e61c83a9c1353d4d12147b30
Reviewed-on: https://chromium-review.googlesource.com/1069247
Reviewed-by: Gabriel Charette <gab@chromium.org>
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561118}

[modify] https://crrev.com/eccc67cc9bd5ee8c1418a865185f57603d6209b1/content/browser/browser_main_loop.cc
May 29 2018
The NextAction date has arrived: 2018-05-29
May 30 2018 (no comment text)
May 30 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/75683e090da26a85bb62976143ad0024b15b9acb

commit 75683e090da26a85bb62976143ad0024b15b9acb
Author: Tom Anderson <thomasanderson@chromium.org>
Date: Wed May 30 18:55:58 2018

Change order of debug logging for bug 821704

Chrome quits after the LOG(ERROR), so the debug stack trace is never printed. This CL moves it before LOG(ERROR).

BUG=821704
TBR=gab

Change-Id: I7974e41883f3f437f8c6c2e3c42bdd9185d24c16
Reviewed-on: https://chromium-review.googlesource.com/1077564
Reviewed-by: Gabriel Charette <gab@chromium.org>
Reviewed-by: Thomas Anderson <thomasanderson@chromium.org>
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#562939}

[modify] https://crrev.com/75683e090da26a85bb62976143ad0024b15b9acb/content/browser/browser_main_loop.cc
May 30 2018
ClusterFuzz has detected this issue as fixed in range 562938:562947.

Detailed report: https://clusterfuzz.com/testcase?key=4799243953635328
Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: ASSERT
Crash Address: 0x7b040004d390
Crash State: G_IS_OBJECT (object)
Sanitizer: thread (TSAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=562938:562947
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4799243953635328
Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 30 2018
ClusterFuzz testcase 4799243953635328 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
May 31 2018
+inferno@ I added some logging which I think confused clusterfuzz and now this issue no longer has the same signature. Is there a way I can find the new bug (which probably also has Restrict-View-SecurityTeam)? Or is this issue really fixed now?
May 31 2018 (no comment text)
Jun 6 2018
Nope, I believe it isn't fixed yet. Re-opening.
Jun 27 2018
I didn't see any similar CF reports. Maybe the logging perturbed the timing enough so that the race no longer shows up? Perhaps revert the logging and see if it still reproduces? Thanks.
Jun 27 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d665ffc963e72121d16059a3b48aa99397fb0031

commit d665ffc963e72121d16059a3b48aa99397fb0031
Author: Tom Anderson <thomasanderson@chromium.org>
Date: Wed Jun 27 20:02:49 2018

Remove some debug logging in browser_main_loop.cc

Clusterfuzz has marked bug 821704 as fixed, though it's possible adding the logging perturbed the timing just right so that this bug is no longer triggered. Or the bug may actually be fixed. Either way, we should remove the logging to make sure the bug doesn't resurface.

Bug: 821704
Change-Id: I4fb5a1394162e814ef28b2a5834af2bc13304ce0
R: gab
Reviewed-on: https://chromium-review.googlesource.com/1117304
Reviewed-by: Gabriel Charette <gab@chromium.org>
Commit-Queue: Thomas Anderson <thomasanderson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#570876}

[modify] https://crrev.com/d665ffc963e72121d16059a3b48aa99397fb0031/content/browser/browser_main_loop.cc
Jul 11 2018
I'm rerunning Clusterfuzz to see if it still thinks it's fixed after removing the logging.
Jul 11 2018
This still reproduces according to Clusterfuzz. thomasanderson, did you get anything useful from the logging that you added?
Jul 11 2018
No, unfortunately. I think adding the logging changed the signature, so no failing runs with the logging were attached to the clusterfuzz report.
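The two comments above describe a deduplication problem rather than a code problem: once the log handler printed its own stack trace, the crash stopped matching the open report and no failing run was attached to it. A fuzzing service keys reports on a short "crash state" derived from the log, so anything that changes the first thing the parser sees (an assertion message, or the top few frames) becomes a different key. The following is an added example written for this thread, not ClusterFuzz's own parser. The ignore list, the frame regex, the three-frame depth and the rule that assertion text wins over frames are assumptions (the real stack analyzer has far more rules), and the log snippets, including the `GLibLogHandler`, `base::debug::StackTrace` and `ui::GtkFrameHelper` frames, are constructed for illustration and are not taken from the testcase.

```python
"""Simplified model of crash-state deduplication for a fuzzing service.

Added example for this thread, not ClusterFuzz's own code. Assumptions:
the ignore list, the frame regex, the three-frame depth and the rule that
an assertion message takes precedence over frames. Every log snippet
below is constructed for illustration.
"""
import re

# Frames from logging, assertion plumbing and the sanitizer runtime say
# nothing about where the bug is, so they are skipped when choosing the
# frames that make up the state. (Assumed list, not ClusterFuzz's.)
IGNORE_FRAME_PATTERNS = [
    r"^g_log",                # GLib g_log / g_logv
    r"^g_return_if_fail",     # GLib precondition-failure helper
    r"^__sanitizer", r"^__tsan",
    r"^abort$", r"^raise$",
]

# Extra patterns needed once a log handler prints its own stack trace:
# without them the handler's frames land on top and shift the state.
LOGGING_HELPER_PATTERNS = [
    r"^base::debug::",        # base::debug::StackTrace and friends
    r"GLibLogHandler$",       # the handler frame in the constructed logs
]

# Sanitizer-style frame: "    #2 0x7f12 in func(args) file.cc:42"
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+\s+in\s+(.*\S)\s+\S+$")

# GLib critical text: "... assertion 'G_IS_OBJECT (object)' failed"
ASSERT_RE = re.compile(r"assertion '([^']+)' failed")


def parse_frames(log):
    """Return the function names of all frame lines, top of stack first."""
    names = []
    for line in log.splitlines():
        m = FRAME_RE.match(line)
        if m:
            # Drop a trailing argument list so overloads collapse to one name.
            names.append(re.sub(r"\([^()]*\)$", "", m.group(1)))
    return names


def crash_state(log, depth=3, ignore=IGNORE_FRAME_PATTERNS):
    """Deduplication key: the asserted expression if the log carries one
    (the 'G_IS_OBJECT (object)' shape in the report above), otherwise the
    top `depth` frames that no `ignore` pattern matches."""
    m = ASSERT_RE.search(log)
    if m:
        return m.group(1)
    compiled = [re.compile(p) for p in ignore]
    kept = [f for f in parse_frames(log) if not any(c.search(f) for c in compiled)]
    return "\n".join(kept[:depth])


# Constructed log: the GLib critical line survived, so the assertion wins.
LOG_WITH_ASSERTION = """\
GLib-GObject-CRITICAL **: g_object_ref: assertion 'G_IS_OBJECT (object)' failed
    #0 0x7f10 in g_logv glib/gmessages.c:1300
    #1 0x7f11 in g_log glib/gmessages.c:1350
    #2 0x7f12 in g_return_if_fail_warning glib/gmessages.c:1400
    #3 0x7f13 in gtk_widget_get_window gtk/gtkwidget.c:9000
    #4 0x7f14 in ui::GtkFrameHelper::Repaint() ui/gtk/frame_helper.cc:42
"""

# Constructed log: no assertion text captured, only frames.
LOG_PLAIN = """\
==4242==ERROR: ThreadSanitizer: (constructed header line)
    #0 0x7f10 in g_logv glib/gmessages.c:1300
    #1 0x7f11 in g_log glib/gmessages.c:1350
    #2 0x7f12 in g_return_if_fail_warning glib/gmessages.c:1400
    #3 0x7f13 in gtk_widget_get_window gtk/gtkwidget.c:9000
    #4 0x7f14 in ui::GtkFrameHelper::Repaint() ui/gtk/frame_helper.cc:42
    #5 0x7f15 in ui::OnWindowMapped(ui::Window*) ui/gtk/window.cc:77
    #6 0x7f16 in base::RunLoop::Run() base/run_loop.cc:100
"""

# Constructed log: the same crash after the log handler started printing a
# stack trace, which puts two new frames above g_logv.
LOG_WITH_LOGGING = """\
==4242==ERROR: ThreadSanitizer: (constructed header line)
    #0 0x7f00 in base::debug::StackTrace::StackTrace() base/debug/stack_trace.cc:50
    #1 0x7f01 in (anonymous namespace)::GLibLogHandler(char const*, int, char const*, void*) content/browser/browser_main_loop.cc:200
    #2 0x7f10 in g_logv glib/gmessages.c:1300
    #3 0x7f11 in g_log glib/gmessages.c:1350
    #4 0x7f12 in g_return_if_fail_warning glib/gmessages.c:1400
    #5 0x7f13 in gtk_widget_get_window gtk/gtkwidget.c:9000
    #6 0x7f14 in ui::GtkFrameHelper::Repaint() ui/gtk/frame_helper.cc:42
    #7 0x7f15 in ui::OnWindowMapped(ui::Window*) ui/gtk/window.cc:77
    #8 0x7f16 in base::RunLoop::Run() base/run_loop.cc:100
"""


def states_match_after_logging(ignore=IGNORE_FRAME_PATTERNS):
    """True when the logged and the plain crash dedupe to the same state."""
    return crash_state(LOG_WITH_LOGGING, ignore=ignore) == crash_state(LOG_PLAIN, ignore=ignore)


if __name__ == "__main__":
    print("assertion state:", crash_state(LOG_WITH_ASSERTION))
    print("plain state    :", crash_state(LOG_PLAIN).replace("\n", " | "))
    print("with logging   :", crash_state(LOG_WITH_LOGGING).replace("\n", " | "))
    print("same key?      :", states_match_after_logging())
    print("same key, extended ignore list?:",
          states_match_after_logging(IGNORE_FRAME_PATTERNS + LOGGING_HELPER_PATTERNS))
```

The practical check before adding diagnostics to a crash path is to confirm that the frames the change introduces (the handler itself, the stack-trace helper) are ones the deduplicator already skips; if they are not, expect the next reproduction to land in a new report under a different state and search for it there rather than waiting on the old one.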
Jul 21 2018
ClusterFuzz has detected this issue as fixed in range 576806:576807.

Detailed report: https://clusterfuzz.com/testcase?key=4799243953635328
Fuzzer: attekett_surku_fuzzer
Job Type: linux_tsan_chrome_mp
Platform Id: linux
Crash Type: ASSERT
Crash Address: 0x7b040004d390
Crash State: G_IS_OBJECT (object)
Sanitizer: thread (TSAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_tsan_chrome_mp&range=576806:576807
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4799243953635328
Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 25 2018 (no comment text)
Jul 27 2018
I presume this is still WIP. Is there any more logging that needs to be done?
Jul 27 2018
Clusterfuzz marked the issue as fixed and the logging has been removed for a while, so I think the issue really is fixed.
Aug 3 2018 (no comment text)
Aug 3 2018
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: amineer@ (Android), kariahda@ (iOS), cindyb@ (ChromeOS), govind@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 3 2018
+awhalley@ (Security TPM) for merge review.
Aug 3 2018
No merge needed.
Aug 16 2018 (no comment text)
Nov 3 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Mar 14 2018: Labels: Test-Predator-Auto-Components