Issue 869716 link

Issue metadata

Status: Verified
Owner:
Closed: Aug 2
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security



Heap-use-after-free in message_center::NotificationList::GetNotification

Project Member Reported by ClusterFuzz, Aug 1

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5315975902396416

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x6190003469a8
Crash State:
  message_center::NotificationList::GetNotification
  message_center::NotificationList::GetNotificationDelegate
  message_center::MessageCenterImpl::ClickOnNotification
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=579348:579349

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5315975902396416

Additional requirements: Requires Gestures

Additional requirements: Requires HTTP

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Aug 1

Components: UI>Notifications
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Aug 1

Labels: Test-Predator-Auto-Owner
Owner: tetsui@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/d540c125c10e32575ff60069ee0ca91fa9979898 (New implementation of MessagePopupCollection).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Status: Started (was: Assigned)
Fix under review https://crrev.com/c/1158118
Project Member

Comment 4 by sheriffbot@chromium.org, Aug 1

Labels: M-69 Target-69
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 1

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 6 by sheriffbot@chromium.org, Aug 1

Labels: Pri-1
Project Member

Comment 7 by bugdroid1@chromium.org, Aug 2

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/de64e7eb67b9acd46ad60cea2df2631e25285ed0

commit de64e7eb67b9acd46ad60cea2df2631e25285ed0
Author: Tetsui Ohkubo <tetsui@chromium.org>
Date: Thu Aug 02 06:06:52 2018

Fix MessagePopupCollection asan failure.

Rather than closing popups immediately, we should close the popups with
animation and let MessagePopupCollection::Update() close them
eventually.

Ideally MarkAllPopupsShown is problematic and this should be cleaned up
along with UiController, but for now the fix should be acceptable as it
just replicates the behavior of old MessagePopupCollection.

Steps to repro:
1. Create a notification
2. Click on a notification

TEST=manual(asan build)
BUG= 869593 , 869716 

Change-Id: Ifdfc7c2a362727740401e6e16845d8d770877730
Reviewed-on: https://chromium-review.googlesource.com/1158118
Reviewed-by: Yoshiki Iguchi <yoshiki@chromium.org>
Commit-Queue: Tetsui Ohkubo <tetsui@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580087}
[modify] https://crrev.com/de64e7eb67b9acd46ad60cea2df2631e25285ed0/chrome/browser/notifications/message_center_notification_manager.cc
[modify] https://crrev.com/de64e7eb67b9acd46ad60cea2df2631e25285ed0/ui/message_center/views/message_popup_collection.cc
[modify] https://crrev.com/de64e7eb67b9acd46ad60cea2df2631e25285ed0/ui/message_center/views/message_popup_collection_unittest.cc

Status: Fixed (was: Started)
Project Member

Comment 9 by ClusterFuzz, Aug 2

ClusterFuzz has detected this issue as fixed in range 580086:580087.

Detailed report: https://clusterfuzz.com/testcase?key=5315975902396416

Fuzzer: inferno_flicker
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x6190003469a8
Crash State:
  message_center::NotificationList::GetNotification
  message_center::NotificationList::GetNotificationDelegate
  message_center::MessageCenterImpl::ClickOnNotification
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=579348:579349
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_chromeos&range=580086:580087

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5315975902396416

Additional requirements: Requires Gestures

Additional requirements: Requires HTTP

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by ClusterFuzz, Aug 2

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5315975902396416 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 11 by sheriffbot@chromium.org, Aug 2

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-Stable
Project Member

Comment 13 by sheriffbot@chromium.org, Nov 8

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot