Heap-use-after-free in content::BlinkTestController::CompositeNodeQueueThen
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4929420383748096
Fuzzer: inferno_layout_test_fuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x11b4db3c38c0
Crash State:
  content::BlinkTestController::CompositeNodeQueueThen
  content::BlinkTestController::CompositeAllFramesThen
  content::BlinkTestController::OnInitiateCaptureDump
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=603125:603131
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4929420383748096

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 27:
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/c41b2d08296c7d720343f716641e40c9c2f68ad0 (Enable display compositor pixel dumps by default.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Oct 27:
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 29:
I'm reducing this to pri-2, as this issue applies to layout test code only. Let me know if you disagree. I'm also working through reproducing it, and having some trouble (https://crbug.com/899943).
Oct 29:
Removing from the security queue since it's test only (based on c#7).
Oct 29:
Issue 899450 has been merged into this issue.
Oct 30:
Issue 900286 has been merged into this issue.
Oct 31:
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/943b8b0f0206d86de535fddfe4a798d4ae7f7a97

commit 943b8b0f0206d86de535fddfe4a798d4ae7f7a97
Author: Mason Freed <masonfreed@chromium.org>
Date: Wed Oct 31 16:08:52 2018

Check the frame tree for each frame before compositing.

This fixes several clusterfuzz issues, which are caused by frames being freed in between calls to CompositeWithRaster(). With this CL, a fresh list of frames is requested and checked for the next one, to avoid using deleted frames.

Note that with this CL: https://chromium-review.googlesource.com/c/chromium/src/+/1252141 those calls are asynchronous. Also note that this CL: https://chromium-review.googlesource.com/c/chromium/src/+/1213864 caused this code to get called much more frequently, for all layout tests.

Here are the clusterfuzz issues:
https://clusterfuzz.com/v2/testcase-detail/5701500434907136
https://clusterfuzz.com/v2/testcase-detail/4929420383748096
https://clusterfuzz.com/v2/testcase-detail/4996950557196288

Bug: 900087, 899465, 899450
Change-Id: I70fc7c723b2118f4796289fe9b7272c42b6e50e5
Reviewed-on: https://chromium-review.googlesource.com/c/1308038
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Reviewed-by: vmpstr <vmpstr@chromium.org>
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Cr-Commit-Position: refs/heads/master@{#604274}

[modify] https://crrev.com/943b8b0f0206d86de535fddfe4a798d4ae7f7a97/content/shell/browser/layout_test/blink_test_controller.cc
[modify] https://crrev.com/943b8b0f0206d86de535fddfe4a798d4ae7f7a97/third_party/WebKit/LayoutTests/TestExpectations
Oct 31:
ClusterFuzz testcase 6010230465626112 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 31:
Several bugs got merged into this one, and all others are fixed. But this specific one (https://clusterfuzz.com/v2/testcase-detail/4929420383748096) still reproduces. So I'm opening this bug back up.
Nov 6:
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/41c91bdb0ea2e66e1bd47fa317425e9d35d25c48

commit 41c91bdb0ea2e66e1bd47fa317425e9d35d25c48
Author: Mason Freed <masonfreed@chromium.org>
Date: Tue Nov 06 22:34:11 2018

Change DCHECK() to NOTREACHED()

This changes the prior DCHECK() on double-calls to CompositeAllFramesThen() into a NOTREACHED/return. Previously, it was possible, in release builds, to start another composite while the previous one was still running, causing use-after-free situations. This doesn't normally happen in layout testing, and can't happen at all in a Chrome build, but this protects from ClusterFuzz issues.

See https://clusterfuzz.com/v2/testcase-detail/4929420383748096

Bug: 899465
Change-Id: I2acd1128bf808b035850c9f36779326f18585864
Reviewed-on: https://chromium-review.googlesource.com/c/1311131
Commit-Queue: Mason Freed <masonfreed@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#605856}

[modify] https://crrev.com/41c91bdb0ea2e66e1bd47fa317425e9d35d25c48/content/shell/browser/layout_test/blink_test_controller.cc
[modify] https://crrev.com/41c91bdb0ea2e66e1bd47fa317425e9d35d25c48/content/shell/browser/layout_test/blink_test_controller.h
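The two commits on this bug describe two separate mitigations for the same use-after-free: re-requesting the live frame list before each composite step instead of trusting frames collected when the walk began, and refusing to start a second walk while one is in flight rather than only DCHECKing it. The following is an added, constructed C++ model of both mitigations; it is not Chromium's code and not the patch in either commit. `FrameTree`, `Frame`, `RunScenario` and the counters are hypothetical; the method names `CompositeAllFramesThen` and `CompositeNodeQueueThen` are borrowed from the crash state only to make the correspondence readable. Frames are identified by an integer id (standing in for a routing id) so that a deleted frame is looked up and found absent rather than dereferenced through a dangling pointer.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Constructed model (not Chromium code): frames owned by a tree that may be
// destroyed between composite steps, and a controller walking them safely.
struct Frame {
  explicit Frame(int id) : id(id) {}
  int id;  // stands in for a routing id; the walk never holds raw pointers
  bool composited = false;
};

class FrameTree {
 public:
  void Add(int id) { frames_.push_back(std::make_unique<Frame>(id)); }
  // Destroys the frame; any pointer to it held elsewhere is now dangling.
  void Remove(int id) {
    auto dead = [id](const std::unique_ptr<Frame>& f) { return f->id == id; };
    frames_.erase(std::remove_if(frames_.begin(), frames_.end(), dead),
                  frames_.end());
  }
  // Fresh snapshot of the frames that are alive right now.
  std::vector<Frame*> LiveFrames() const {
    std::vector<Frame*> out;
    for (const auto& f : frames_) out.push_back(f.get());
    return out;
  }
 private:
  std::vector<std::unique_ptr<Frame>> frames_;
};

class CompositeController {
 public:
  explicit CompositeController(FrameTree* tree) : tree_(tree) {}
  // One composite per step. `between_steps` stands in for whatever runs while
  // a step is pending (script, navigation) and may delete frames or request
  // another capture. Returns false if a walk is already in flight: the
  // re-entry guard the second commit turned from a DCHECK into a return.
  bool CompositeAllFramesThen(std::function<void(int)> between_steps,
                              std::function<void()> on_done) {
    if (composite_in_progress_) { ++rejected_reentries_; return false; }
    composite_in_progress_ = true;
    queue_.clear();
    for (Frame* f : tree_->LiveFrames()) queue_.push_back(f->id);
    step_ = 0;
    CompositeNodeQueueThen(std::move(between_steps), std::move(on_done));
    return true;
  }
  int composited() const { return composited_; }
  int skipped() const { return skipped_; }
  int rejected_reentries() const { return rejected_reentries_; }

 private:
  void CompositeNodeQueueThen(std::function<void(int)> between_steps,
                              std::function<void()> on_done) {
    while (!queue_.empty()) {
      int next_id = queue_.front();
      queue_.erase(queue_.begin());
      // Look the next id up in a freshly requested list: a frame deleted since
      // the walk began is simply absent, so it is skipped, never dereferenced.
      Frame* frame = nullptr;
      for (Frame* f : tree_->LiveFrames())
        if (f->id == next_id) { frame = f; break; }
      if (!frame) { ++skipped_; continue; }
      frame->composited = true;
      ++composited_;
      between_steps(step_++);  // `frame` may be gone once this returns
    }
    composite_in_progress_ = false;
    on_done();
  }

  FrameTree* tree_;
  std::vector<int> queue_;
  bool composite_in_progress_ = false;
  int step_ = 0, composited_ = 0, skipped_ = 0, rejected_reentries_ = 0;
};

struct ScenarioResult { int composited, skipped, rejected_reentries; bool completed; };

// Constructed scenario: four frames; after the first step "script" deletes
// frame 3 and a second capture request arrives while the walk is in flight.
ScenarioResult RunScenario() {
  FrameTree tree;
  for (int id = 1; id <= 4; ++id) tree.Add(id);
  CompositeController controller(&tree);
  bool done = false;
  bool started = controller.CompositeAllFramesThen(
      [&](int step) {
        if (step != 0) return;
        tree.Remove(3);
        controller.CompositeAllFramesThen([](int) {}, [] {});  // rejected
      },
      [&] { done = true; });
  return {controller.composited(), controller.skipped(),
          controller.rejected_reentries(), started && done};
}

int main() {
  ScenarioResult r = RunScenario();
  std::printf("composited=%d skipped=%d rejected=%d completed=%d\n",
              r.composited, r.skipped, r.rejected_reentries, r.completed);
}
```

In the scenario, frames 1, 2 and 4 are composited, frame 3 is skipped because it is no longer in the list requested before its step, and the mid-walk re-entry is rejected instead of starting a second walk over the same queue. The first commit's fix corresponds to the lookup in `CompositeNodeQueueThen`; the second commit's fix corresponds to the early return in `CompositeAllFramesThen`. Under ASan, the pre-fix shape of this code (a pointer list captured once, plus an unguarded second walk) is exactly what surfaces as a heap-use-after-free read in the crash state above.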
Nov 7:
ClusterFuzz has detected this issue as fixed in range 605831:605858.

Detailed report: https://clusterfuzz.com/testcase?key=4929420383748096
Fuzzer: inferno_layout_test_fuzzer
Job Type: windows_asan_content_shell
Platform Id: windows
Crash Type: Heap-use-after-free READ 8
Crash Address: 0x11b4db3c38c0
Crash State:
  content::BlinkTestController::CompositeNodeQueueThen
  content::BlinkTestController::CompositeAllFramesThen
  content::BlinkTestController::OnInitiateCaptureDump
Sanitizer: address (ASAN)
Recommended Security Severity: High
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=603125:603131
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=605831:605858
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4929420383748096

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 7:
Fixed.