Use-after-poison in v8::internal::LoopChoiceNode::Accept
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6109816167333888
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Use-after-poison READ 8
Crash Address: 0x7ea34e1fda40
Crash State:
  v8::internal::LoopChoiceNode::Accept
  blink::MarkingVisitor::Visit
  blink::ThreadHeap::AdvanceMarkingStackProcessing
Sanitizer: address (ASAN)
Recommended Security Severity: High
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6109816167333888
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jun 16 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 19 2018
verwaest - can you take a look at this regression?
Jun 19 2018
Wow, this stack trace doesn't make any sense at all. We jump from blink::MarkingVisitor::Visit to some arbitrary function in the irregexp compiler. ulan, since Michi is ooo, could you please forward to the right person in blink?

#0 0x7ffec46d0ff8 in v8::internal::LoopChoiceNode::Accept(class v8::internal::NodeVisitor *) v8/src/regexp/jsregexp.cc:1517:12
#1 0x7ffec515d480 in blink::MarkingVisitor::Visit(void *,struct blink::TraceDescriptor) third_party/blink/renderer/platform/heap/marking_visitor.h:103:11
#2 0x7ffecc8459fa in WTF::TraceInCollectionTrait<0,class blink::HeapVectorBacking<class blink::Member<class blink::SimpleEditCommand>,struct WTF::VectorTraits<class blink::Member<class blink::SimpleEditCommand> > >,void>::Trace<class blink::Visitor *>(class blink::Visitor *,void *) third_party/blink/renderer/platform/heap/trace_traits.h:534:9
#3 0x7ffec513d8f9 in blink::ThreadHeap::AdvanceMarkingStackProcessing(class blink::Visitor *,double) third_party/blink/renderer/platform/heap/heap.cc:274:9
#4 0x7ffec5174171 in blink::ThreadState::MarkPhaseAdvanceMarking(class base::TimeTicks) third_party/blink/renderer/platform/heap/thread_state.cc:1713:17
#5 0x7ffec51745db in blink::ThreadState::RunAtomicPause(enum blink::BlinkGC::StackState,enum blink::BlinkGC::MarkingType,enum blink::BlinkGC::SweepingType,enum blink::BlinkGC::GCReason) third_party/blink/renderer/platform/heap/thread_state.cc:1615:7
#6 0x7ffec5163feb in blink::ThreadState::CollectGarbage(enum blink::BlinkGC::StackState,enum blink::BlinkGC::MarkingType,enum blink::BlinkGC::SweepingType,enum blink::BlinkGC::GCReason) third_party/blink/renderer/platform/heap/thread_state.cc:1556:5
#7 0x7ffec5168f0d in blink::ThreadState::ScheduleGCIfNeeded(void) third_party/blink/renderer/platform/heap/thread_state.cc:625:7
#8 0x7ffec51542cc in blink::LargeObjectArena::AllocateLargeObjectPage(unsigned __int64,unsigned __int64) third_party/blink/renderer/platform/heap/heap_page.cc:1001:21
#9 0x7ffec51541b0 in blink::BaseArena::AllocateLargeObject(unsigned __int64,unsigned __int64) third_party/blink/renderer/platform/heap/heap_page.cc:352:46
#10 0x7ffec515807b in blink::NormalPageArena::OutOfLineAllocate(unsigned __int64,unsigned __int64) third_party/blink/renderer/platform/heap/heap_page.cc:917:12
Jun 19 2018
Assigning to keishi@ who is also working on incremental marking in Blink.
Jun 21 2018
ClusterFuzz has detected this issue as fixed in range 569235:569236.
Detailed report: https://clusterfuzz.com/testcase?key=6109816167333888
Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: Use-after-poison READ 8
Crash Address: 0x7ea34e1fda40
Crash State:
  v8::internal::LoopChoiceNode::Accept
  blink::MarkingVisitor::Visit
  blink::ThreadHeap::AdvanceMarkingStackProcessing
Sanitizer: address (ASAN)
Recommended Security Severity: High
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=569235:569236
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6109816167333888
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 21 2018
ClusterFuzz testcase 6109816167333888 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jun 22 2018
I don't think this is fixed, is it?
Jun 30 2018
keishi: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 15
keishi: Uh oh! This issue is still open and hasn't been updated in the last 29 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 6
keishi@, jgruber@, ping from the security sheriff. Could you please post an update on status of this issue?
Aug 7
M69 Stable promotion is coming VERY soon. Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and request a merge into the release branch ASAP. Thank you.
Aug 10
+awhalley@ (Security TPM), this is an M69 stable blocker and the M69 stable release is coming very soon. PTAL. Thank you.
Aug 13
This looks like a spurious crash in Blink GC to me. Looking at crash history, it occurred only once on Jun 16. Given that this is unreproducible and the crash rate is very low, I don't think this needs to be a stable blocker. keishi@, any updates from the blink side?
Aug 13
I haven't been able to reproduce this locally or on other bots, so I haven't been able to do anything for this. Removing rbs.
Aug 13
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 13
Closing as won't fix / cannot reproduce. Thanks for looking at it.
Nov 20
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 2
ClusterFuzz testcase 6109816167333888 appears to be flaky, updating reproducibility label.
Comment 1 by ClusterFuzz, Jun 16 2018
Labels: Test-Predator-Auto-Components