Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/68da3cf8d8b28f325bbb79fff94f5fdd52d5c02b (Enable UnifiedSystemTray by default.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

It's interesting we have such path


freed by thread T0 (chrome) here:
#0 0x5639bbae0ad2 in operator delete(void*) _asan_rtl_:3
#1 0x5639cdecbeea in operator() buildtools/third_party/libc++/trunk/include/memory:2321:5
#2 0x5639cdecbeea in reset buildtools/third_party/libc++/trunk/include/memory:2634
#3 0x5639cdecbeea in HideBubbleInternal ash/system/unified/unified_system_tray.cc:265
#4 0x5639cdecbeea in ash::UnifiedSystemTray::UiDelegate::HideMessageCenter() ash/system/unified/unified_system_tray.cc:101
#5 0x5639d5434001 in message_center::UiController::HideMessageCenterBubble() ui/message_center/ui_controller.cc:54:14
#6 0x5639d5417a47 in message_center::MessageCenterImpl::OnBlockingStateChanged(message_center::NotificationBlocker*) ui/message_center/message_center_impl.cc:86:14
#7 0x5639d5429a81 in message_center::NotificationBlocker::NotifyBlockingStateChanged() ui/message_center/notification_blocker.cc:38:14
#8 0x5639cdda6de7 in ash::Shell::NotifyFullscreenStateChanged(bool, aura::Window*) ash/shell.cc:635:14
#9 0x5639ce00abc4 in UpdateFullscreenState ash/wm/workspace/workspace_layout_manager.cc:382:19
#10 0x5639ce00abc4 in OnWindowActivated ash/wm/workspace/workspace_layout_manager.cc:269
#11 0x5639ce00abc4 in non-virtual thunk to ash::WorkspaceLayoutManager::OnWindowActivated(wm::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ash/wm/workspace/workspace_layout_manager.cc:0
#12 0x5639d4b276b2 in wm::FocusController::SetActiveWindow(wm::ActivationChangeObserver::ActivationReason, aura::Window*, aura::Window*) ui/wm/core/focus_controller.cc:329:14
#13 0x5639d4b22f84 in wm::FocusController::FocusAndActivateWindow(wm::ActivationChangeObserver::ActivationReason, aura::Window*) ui/wm/core/focus_controller.cc:215:5
#14 0x5639cb689887 in views::NativeWidgetAura::Activate() ui/views/widget/native_widget_aura.cc:600:56
#15 0x5639cb5db819 in views::FocusManager::SetFocusedViewWithReason(views::View*, views::FocusManager::FocusChangeReason) ui/views/focus/focus_manager.cc:342:14
#16 0x5639cdecf2b1 in ash::UnifiedSystemTrayBubble::ActivateBubble() ash/system/unified/unified_system_tray_bubble.cc:93:18
    #17 0x5639cdc1f2de in HandleToggleSystemTrayBubble ash/accelerators/accelerator_controller.cc:445:13
    #18 0x5639cdc1f2de in ash::AcceleratorController::PerformAction(ash::AcceleratorAction, ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1654
    #19 0x5639cdc2147f in ash::AcceleratorController::AcceleratorPressed(ui::Accelerator const&) ash/accelerators/accelerator_controller.cc:1115:3

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9485d7c4b123ec95fbbfeee361f47580a62eb610

commit 9485d7c4b123ec95fbbfeee361f47580a62eb610
Author: Tetsui Ohkubo <tetsui@chromium.org>
Date: Fri Jun 22 01:37:02 2018

Fix ActivateBubble asan failure.

Changing focus of a view may cause UnifiedSystemTrayBubble to destruct.
(See stack trace of  https://crbug.com/853434#c6 )

At the point UnifiedSystemTrayBubble is deleted, the widget is still
not deleted, so we should explicitly check if the widget is closing.

TEST=manual
BUG= 853434 

Change-Id: I2d4a146393ad6d0a39d5c8b78ea3c3623d04b91e
Reviewed-on: https://chromium-review.googlesource.com/1107036
Reviewed-by: Yoshiki Iguchi <yoshiki@chromium.org>
Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569499}
[modify] https://crrev.com/9485d7c4b123ec95fbbfeee361f47580a62eb610/ash/system/unified/unified_system_tray_bubble.cc

ClusterFuzz has detected this issue as fixed in range 569497:569506.

Detailed report: https://clusterfuzz.com/testcase?key=5923640609341440

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x60e0003f0f88
Crash State:
  ash::UnifiedSystemTrayBubble::ActivateBubble
  ash::AcceleratorController::PerformAction
  ash::AcceleratorController::AcceleratorPressed
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=566724:566725
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=569497:569506

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5923640609341440

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5923640609341440 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot