Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

I don't see the uninitialised value usage, but perhaps using the reproduce tools will help? +scrolling people, can you please investigate, thanks!

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

I'm going to pass this buck to Mr. Scroll Anchoring, skobes@.

Patch up: http://crrev.com/c/974745

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a0b0d089c5cebc81114568f7096f6140496d1d18

commit a0b0d089c5cebc81114568f7096f6140496d1d18
Author: Steve Kobes <skobes@chromium.org>
Date: Tue Mar 27 19:50:06 2018

Fix tree removal order when detaching fullscreen element.

LayoutObject::WillBeDestroyed removes children before calling Remove()
on itself.  Make LayoutFullScreen's override do the same.

The tree walk in FindReferencingScrollAnchors relies on this.  If an
ancestor layout object has already been removed, we will fail to clear
ScrollAnchor::anchor_object_.

Bug:  823150 
Change-Id: I30bf225ef22ad740c031bca0520e238e88fef23e
Reviewed-on: https://chromium-review.googlesource.com/974745
Reviewed-by: Stefan Zager <szager@chromium.org>
Commit-Queue: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#546213}
[add] https://crrev.com/a0b0d089c5cebc81114568f7096f6140496d1d18/third_party/WebKit/LayoutTests/fast/layout/scroll-anchoring/fullscreen-crash.html
[modify] https://crrev.com/a0b0d089c5cebc81114568f7096f6140496d1d18/third_party/WebKit/Source/core/layout/LayoutFullScreen.cpp

ClusterFuzz has detected this issue as fixed in range 546210:546215.

Detailed report: https://clusterfuzz.com/testcase?key=5747385658245120

Fuzzer: ochang_domfuzzer
Job Type: linux_msan_content_shell_drt
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::ScrollAnchor::NotifyBeforeLayout
  blink::LayoutBlock::UpdateLayout
  blink::LayoutView::UpdateLayout
  
Sanitizer: memory (MSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=535692:535694
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_content_shell_drt&range=546210:546215

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5747385658245120

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5747385658245120 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M66 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

reopening for merge

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges. This update is based on the merge- labels applied to this issue. Please reopen if this update was incorrect.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Approving merge to M66. Branch:3359

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8ba5165242c2e67ecc184368c51f84f77cf20678

commit 8ba5165242c2e67ecc184368c51f84f77cf20678
Author: Steve Kobes <skobes@chromium.org>
Date: Thu Mar 29 20:13:15 2018

Fix tree removal order when detaching fullscreen element.

LayoutObject::WillBeDestroyed removes children before calling Remove()
on itself.  Make LayoutFullScreen's override do the same.

The tree walk in FindReferencingScrollAnchors relies on this.  If an
ancestor layout object has already been removed, we will fail to clear
ScrollAnchor::anchor_object_.

TBR=skobes@chromium.org

(cherry picked from commit a0b0d089c5cebc81114568f7096f6140496d1d18)

Bug:  823150 
Change-Id: I30bf225ef22ad740c031bca0520e238e88fef23e
Reviewed-on: https://chromium-review.googlesource.com/974745
Reviewed-by: Stefan Zager <szager@chromium.org>
Commit-Queue: Steve Kobes <skobes@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#546213}
Reviewed-on: https://chromium-review.googlesource.com/986884
Reviewed-by: Steve Kobes <skobes@chromium.org>
Cr-Commit-Position: refs/branch-heads/3359@{#502}
Cr-Branched-From: 66afc5e5d10127546cc4b98b9117aff588b5e66b-refs/heads/master@{#540276}
[add] https://crrev.com/8ba5165242c2e67ecc184368c51f84f77cf20678/third_party/WebKit/LayoutTests/fast/layout/scroll-anchoring/fullscreen-crash.html
[modify] https://crrev.com/8ba5165242c2e67ecc184368c51f84f77cf20678/third_party/WebKit/Source/core/layout/LayoutFullScreen.cpp

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot