This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Major regressions from https://chromium-review.googlesource.com/c/chromium/src/+/1102690, reverting.

This was not introduced by https://chromium-review.googlesource.com/c/chromium/src/+/1102690 (it was already there), and reverting it didn't help. Re-opening.

The blamed range is https://chromium.googlesource.com/chromium/src/+log/81e42d0ddbf00b81d890458f59a18f1eb398c4aa..44027d41f779d62af9def030160ad2015c0d851f?pretty=fuller&n=10000 (2 commits in March 2018), but I tested, and the crasher predates that too. I'll redo the task.

Redo now blames - https://chromium.googlesource.com/chromium/src/+/0aca50f1552c882bc72ed5c419085fa975847a9c

futhark@, can you please take a look.

No, that CLs just using a different wrapper method to enforce const return values.

This is an issue where BreakingContext::current_style_ is holding on to ComputedStyle without refcounting it where a hack in TextSizeAdjuster trying to keep them alive seemingly fails.

I reproduced this with content shell on Mac running with --expose-internals-for-testing, building with this args.gn:

enable_ipc_fuzzer = true
enable_nacl = false
ffmpeg_branding = "Chrome"
is_asan = true
is_component_build = false
is_debug = false
proprietary_codecs = true
sanitizer_coverage_flags = "trace-pc-guard"
strip_absolute_paths_from_debug_symbols = true
v8_enable_verify_heap = true
use_goma = true

Emil, do you know who would know the BreakingContext lifetime and why we don't refcount ComputedStyle there?

BreakingContext hasn't changed much in years and much of it pre-dates the use of reference counting.

Getting a regression range for this would be *very* helpful.

Switching to ref-counting seems like a good idea but that is a much bigger change.

Was my change after all. Sorry about the noise.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b

commit b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b
Author: Rune Lillesveen <futhark@chromium.org>
Date: Thu Jun 28 18:03:34 2018

Keep reference to child ComputedStyle on stack.

Apparently, the ComputedStyle on a child may change during
LayoutBlock::ComputeBlockPreferredLogicalWidths. We used to keep a
reference to the ComputedStyle on the stack before [1]. Re-introducing
scoped_refptr here.

The reduced test exposed a DCHECK problem tracked by 389648. Instead of
adding an almost identical new test, with another TestExpections line,
we add writing-mode to the existing test which would expose the ASAN
issue as well.

[1] https://crrev.com/0aca50f1552c882bc72ed5c419085fa975847a9c

Bug:  853538 ,  389648 
Change-Id: I5cb09c8cd9a7ae6d0621758f4690fce2abbb8096
Reviewed-on: https://chromium-review.googlesource.com/1117697
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Cr-Commit-Position: refs/heads/master@{#571199}
[modify] https://crrev.com/b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b/third_party/WebKit/LayoutTests/fast/text-autosizing/table-inflation-crash.html
[modify] https://crrev.com/b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b/third_party/blink/renderer/core/layout/layout_block.cc

ClusterFuzz has detected this issue as fixed in range 571196:571200.

Detailed report: https://clusterfuzz.com/testcase?key=5352322314797056

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Heap-use-after-free READ 16
Crash Address: 0x61500120ddb8
Crash State:
  blink::LayoutBlock::ComputeBlockPreferredLogicalWidths
  blink::LayoutBlock::ComputeIntrinsicLogicalWidths
  blink::LayoutBlock::ComputePreferredLogicalWidths
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=537333:537341
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=571196:571200

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5352322314797056

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Awhalley@ - Can you please confirm if this is required for M68?

abdulsyed@ - yep, relatively recent regression from 66, please take for 68 - thanks!

Approved - branch:3440

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e98488a6c1ccaef81d1d0ded83d9b41752597e74

commit e98488a6c1ccaef81d1d0ded83d9b41752597e74
Author: Rune Lillesveen <futhark@chromium.org>
Date: Tue Jul 03 20:25:10 2018

Keep reference to child ComputedStyle on stack.

Apparently, the ComputedStyle on a child may change during
LayoutBlock::ComputeBlockPreferredLogicalWidths. We used to keep a
reference to the ComputedStyle on the stack before [1]. Re-introducing
scoped_refptr here.

The reduced test exposed a DCHECK problem tracked by 389648. Instead of
adding an almost identical new test, with another TestExpections line,
we add writing-mode to the existing test which would expose the ASAN
issue as well.

[1] https://crrev.com/0aca50f1552c882bc72ed5c419085fa975847a9c

Bug:  853538 ,  389648 
Change-Id: I5cb09c8cd9a7ae6d0621758f4690fce2abbb8096
Reviewed-on: https://chromium-review.googlesource.com/1117697
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Reviewed-by: Morten Stenshorne <mstensho@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#571199}(cherry picked from commit b0a9cfb77595d3291e9d94beaa0ca3fef68bd76b)
Reviewed-on: https://chromium-review.googlesource.com/1125179
Cr-Commit-Position: refs/branch-heads/3440@{#594}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[modify] https://crrev.com/e98488a6c1ccaef81d1d0ded83d9b41752597e74/third_party/WebKit/LayoutTests/fast/text-autosizing/table-inflation-crash.html
[modify] https://crrev.com/e98488a6c1ccaef81d1d0ded83d9b41752597e74/third_party/blink/renderer/core/layout/layout_block.cc

I merged this on behalf of futhark, who's OOO.

Thank mstensho@!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot