Crash in gpu::gles2::GLES2DecoderImpl::ReturnFrontBuffer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5982783201083392

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  gpu::gles2::GLES2DecoderImpl::ReturnFrontBuffer
  gpu::GpuCommandBufferStub::OnReturnFrontBuffer
  bool IPC::MessageT<GpuCommandBufferMsg_ReturnFrontBuffer_Meta, std::__1::tuple<g

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=390527:390610

Minimized Testcase (0.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97WheqjkHP9l_BDxJGexrvAYKjkvrkwmNJJ8fD_FPSTGLD5F990_X49o2jhhFWcbkqAorc04npmgbHtslm3JdF7GxQLL3T1gRk996scVIoOOzIAvK9rNsfATMFjaxOjAS7Y07oSNjrotdK3EpBW4LBannYOXw

Additional requirements: Requires Gestures

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 30 2016
Stack trace:
"""
==13451==ERROR: AddressSanitizer: SEGV on unknown address 0x00000008 (pc 0xf165ecc6 bp 0xff94af88 sp 0xff94af20 T0)
==13451==The signal is caused by a READ memory access.
==13451==Hint: address points to the zero page.
SCARINESS: 10 (null-deref)
#0 0xf165ecc5 in texture gpu/command_buffer/service/texture_manager.h:626:31
#1 0xf165ecc5 in gpu::gles2::GLES2DecoderImpl::ReturnFrontBuffer(gpu::Mailbox const&, bool) gpu/command_buffer/service/gles2_cmd_decoder.cc:4275
#2 0xed6c91b1 in gpu::GpuCommandBufferStub::OnReturnFrontBuffer(gpu::Mailbox const&, gpu::SyncToken const&, bool) gpu/ipc/service/gpu_command_buffer_stub.cc:733:3
#3 0xed6c88d4 in DispatchToMethodImpl<gpu::GpuCommandBufferStub *, void (gpu::GpuCommandBufferStub::*)(const gpu::Mailbox &, const gpu::SyncToken &, bool), gpu::Mailbox, gpu::SyncToken, bool, 0, 1, 2> base/tuple.h:166:3
#4 0xed6c88d4 in DispatchToMethod<gpu::GpuCommandBufferStub *, void (gpu::GpuCommandBufferStub::*)(const gpu::Mailbox &, const gpu::SyncToken &, bool), gpu::Mailbox, gpu::SyncToken, bool> base/tuple.h:173
#5 0xed6c88d4 in DispatchToMethod<gpu::GpuCommandBufferStub, void (gpu::GpuCommandBufferStub::*)(const gpu::Mailbox &, const gpu::SyncToken &, bool), void, std::__1::tuple<gpu::Mailbox, gpu::SyncToken, bool> > ipc/ipc_message_templates.h:26
#6 0xed6c88d4 in bool IPC::MessageT<GpuCommandBufferMsg_ReturnFrontBuffer_Meta, std::__1::tuple<gpu::Mailbox, gpu::SyncToken, bool>, void>::Dispatch<gpu::GpuCommandBufferStub, gpu::GpuCommandBufferStub, void, void (gpu::GpuCommandBufferStub::*)(gpu::Mailbox const&, gpu::SyncToken const&, bool)>(IPC::Message const*, gpu::GpuCommandBufferStub*, gpu::GpuCommandBufferStub*, void*, void (gpu::GpuCommandBufferStub::*)(gpu::Mailbox const&, gpu::SyncToken const&, bool)) ipc/ipc_message_templates.h:121
#7 0xed6bd763 in gpu::GpuCommandBufferStub::OnMessageReceived(IPC::Message const&) gpu/ipc/service/gpu_command_buffer_stub.cc:299:5
#8 0xec8352c3 in IPC::MessageRouter::RouteMessage(IPC::Message const&) ipc/message_router.cc:52:10
#9 0xed69ef6d in gpu::GpuChannel::HandleMessageHelper(IPC::Message const&) gpu/ipc/service/gpu_channel.cc:810:15
#10 0xed69ec6e in gpu::GpuChannel::HandleMessage(scoped_refptr<gpu::GpuChannelMessageQueue> const&) gpu/ipc/service/gpu_channel.cc:792:3
#11 0xed6a9b70 in Run<const scoped_refptr<gpu::GpuChannelMessageQueue> &> base/bind_internal.h:181:12
#12 0xed6a9b70 in MakeItSo<base::WeakPtr<gpu::GpuChannel>, const scoped_refptr<gpu::GpuChannelMessageQueue> &> base/bind_internal.h:334
#13 0xed6a9b70 in base::internal::Invoker<base::IndexSequence<0u, 1u>, base::internal::BindState<base::internal::RunnableAdapter<void (gpu::GpuChannel::*)(scoped_refptr<gpu::GpuChannelMessageQueue> const&)>, void (gpu::GpuChannel*, scoped_refptr<gpu::GpuChannelMessageQueue> const&), base::WeakPtr<gpu::GpuChannel>, scoped_refptr<gpu::GpuChannelMessageQueue> const&>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (gpu::GpuChannel::*)(scoped_refptr<gpu::GpuChannelMessageQueue> const&)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372
#14 0xd62af43b in Run base/callback.h:397:12
#15 0xd62af43b in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#16 0xd60e3e71 in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:3
#17 0xd60e53b0 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:493:5
#18 0xd60e6dfd in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:610:13
#19 0xd62a7f1c in HandleDispatch base/message_loop/message_pump_glib.cc:267:7
#20 0xd62a7f1c in base::(anonymous namespace)::WorkSourceDispatch(_GSource*, int (*)(void*), void*) base/message_loop/message_pump_glib.cc:109
#21 0xd388683d in g_main_context_wait
"""
Assuming this is a 32-bit ARM system, the crash is a NULL dereference on offscreen_saved_color_texture_info_->texture().
Given that the previous lines check for and create offscreen_saved_color_texture_info_ if it doesn't exist, the 2 most likely possibilities are:
1. Some type of threading bug.
2. Memory corruption in the three preceding lines:
"""
offscreen_saved_color_texture_info_ = TextureRef::Create(
    texture_manager(), 0, service_id);
texture_manager()->SetTarget(offscreen_saved_color_texture_info_.get(),
                             GL_TEXTURE_2D);
UpdateParentTextureInfo();
"""
I'll look into this further on Monday.
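Added illustration of the analysis above (not part of the thread, and not Chromium code; the thread does not record the root cause or the fix). It models two things with hypothetical stand-in names: why a fault address of 0x00000008 on 32-bit ARM points at texture() being called through a null TextureRef pointer, given an assumed field layout where the texture pointer sits at offset 8, and the state check an IPC handler needs before touching such a ref, since GpuCommandBufferMsg_ReturnFrontBuffer arrives from a renderer-controlled channel. The message sequence at the bottom is constructed and does not reproduce the minimized test case.

```cpp
// Added illustration, not Chromium code. All names are hypothetical
// stand-ins; the field layout is an assumption chosen to match the
// report's crash address, not the real TextureRef.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <vector>

struct Texture {
  uint32_t service_id;
};

// Assumed layout: two 32-bit fields ahead of the texture pointer, so
// texture_ sits at offset 8 on both 32- and 64-bit builds. Reading it
// through a null TextureRef* is a load from address 0x8, which is what
// the ASan report shows.
struct TextureRef {
  uint32_t ref_count = 1;
  uint32_t manager_tag = 0;
  Texture* texture_ = nullptr;
  Texture* texture() const { return texture_; }
};
static_assert(offsetof(TextureRef, texture_) == 8,
              "texture_ must sit at +8 to match the crash address");

// The address a texture() call would read through a null TextureRef*.
constexpr uintptr_t kNullTextureRefReadAddress = offsetof(TextureRef, texture_);

struct Mailbox {
  std::string name;
};

enum class Status { kHandled, kRejected };

class Decoder {
 public:
  explicit Decoder(bool has_context) : has_context_(has_context) {}

  // Counterpart of the "create it if it doesn't exist" lines quoted above.
  // Here creation can fail (no live context), leaving the ref null, which
  // is one way an assumption like the quoted code's can break.
  bool EnsureSavedColorTexture() {
    if (saved_color_texture_ref_) return true;
    if (!has_context_) return false;
    saved_color_texture_ref_ = std::make_unique<TextureRef>();
    saved_color_texture_ref_->texture_ = &backing_texture_;
    return true;
  }

  // Guarded handler: the decoder state the message presumes is checked,
  // not assumed, and a bad message is dropped instead of dereferencing
  // a null ref (the unguarded form would read *(nullptr + 8)).
  Status ReturnFrontBuffer(const Mailbox& mailbox, bool is_lost) {
    if (!EnsureSavedColorTexture()) return Status::kRejected;
    TextureRef* ref = saved_color_texture_ref_.get();
    if (!ref || !ref->texture()) return Status::kRejected;
    last_mailbox_ = mailbox.name;
    last_is_lost_ = is_lost;
    return Status::kHandled;
  }

  // Context loss drops the saved ref; a later ReturnFrontBuffer must cope.
  void LoseContext() {
    has_context_ = false;
    saved_color_texture_ref_.reset();
  }

  const std::string& last_mailbox() const { return last_mailbox_; }
  bool last_is_lost() const { return last_is_lost_; }

 private:
  bool has_context_;
  Texture backing_texture_{0x1234};
  std::unique_ptr<TextureRef> saved_color_texture_ref_;
  std::string last_mailbox_;
  bool last_is_lost_ = false;
};

// One ReturnFrontBuffer-shaped message; lose_context_first stands in for
// an event that lands on the decoder before this message is dispatched.
struct ReturnFrontBufferMsg {
  Mailbox mailbox;
  bool is_lost;
  bool lose_context_first;
};

std::vector<Status> Dispatch(Decoder& decoder,
                             const std::vector<ReturnFrontBufferMsg>& msgs) {
  std::vector<Status> out;
  for (const auto& m : msgs) {
    if (m.lose_context_first) decoder.LoseContext();
    out.push_back(decoder.ReturnFrontBuffer(m.mailbox, m.is_lost));
  }
  return out;
}

// Constructed sequence: a normal return, then a return after context loss,
// which the guarded handler rejects where an unguarded texture() would fault.
std::vector<Status> RunConstructedSequence() {
  Decoder decoder(/*has_context=*/true);
  return Dispatch(decoder, {{{"mailbox-a"}, false, false},
                            {{"mailbox-a"}, true, true}});
}
```

The point of the static_assert is the inference in the comment above it: ASan's "address points to the zero page" plus a small constant fault address means a member read through a null object pointer, and the constant tells you which member. The guard in ReturnFrontBuffer is the kind of check that turns that into a dropped message rather than a GPU-process crash.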
May 2 2016
I doubt it's a threading bug, we hardly use threads in the GPU process (exceptions: IPC routing/scheduling and a handful of video decoding IPCs).
May 2 2016
May 3 2016
ClusterFuzz has detected this issue as fixed in range 390954:390990.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5982783201083392

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000008
Crash State:
  gpu::gles2::GLES2DecoderImpl::ReturnFrontBuffer
  gpu::GpuCommandBufferStub::OnReturnFrontBuffer
  bool IPC::MessageT<GpuCommandBufferMsg_ReturnFrontBuffer_Meta, std::__1::tuple<g

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=390527:390610
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=390954:390990

Minimized Testcase (0.46 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97WheqjkHP9l_BDxJGexrvAYKjkvrkwmNJJ8fD_FPSTGLD5F990_X49o2jhhFWcbkqAorc04npmgbHtslm3JdF7GxQLL3T1gRk996scVIoOOzIAvK9rNsfATMFjaxOjAS7Y07oSNjrotdK3EpBW4LBannYOXw

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Apr 30 2016
Owner: erikc...@chromium.org
Status: Assigned (was: Available)