Crash in SkTSect<SkDConic, SkDConic>::binarySearchCoin

Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6230647417077760
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000b0
Crash State:
  SkTSect<SkDConic, SkDConic>::binarySearchCoin
  SkTSect<SkDConic, SkDConic>::extractCoincident
  SkTSect<SkDConic, SkDConic>::BinarySearch
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047
Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95mS3oNnlrnTPctX3nwKwrAzU6JAfRLVul7MOyrjNHeQpI8o6j9J0QfzpxscfyQsIW6J0pVudFfsWPrVACPM_r1DIKcjJZU9oim-Nm_g3zA2IFKB2iTfzxvNA2NFqc8Y_iR-261AH2JcqoMPsilMIupiNMYAQ
Testcase excerpt (as embedded in the report):
<script> try { __f_63(); } catch(e) { print(); } </script> <style>#dom-fuzz-15650001 { } body { border: medium green solid; motion-path: path("M0 0H 400"); border-bottom-left-radius: 500px; border-bottom-width: 0;
Filer: nyerramilli
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 24 2016
Adding Cary and Hal. I don't see recent suspicious changes, but the stack is pretty deep in Skia.
May 25 2016
I've isolated the error to:
#include "SkFloatBits.h"  // SkBits2Float: reinterpret the 32-bit pattern as a float
#include "SkPath.h"
#include "SkPathOps.h"

// Reduced reproducer. path1 is an even-odd contour made of one line and two conics;
// the winding quadrilateral is then appended to the same SkPath object (no reset),
// so path2 carries both contours, exactly as posted.
SkPath path;
path.setFillType(SkPath::kEvenOdd_FillType);
path.moveTo(SkBits2Float(0x41e80000), SkBits2Float(0x43bde212)); // 29, 379.766f
path.lineTo(SkBits2Float(0x41e80000), SkBits2Float(0x43bdc7ef)); // 29, 379.562f
path.conicTo(SkBits2Float(0x42a5861e), SkBits2Float(0x43c61f86), SkBits2Float(0x430b0610), SkBits2Float(0x43c61f86), SkBits2Float(0x3f7d23f3)); // 82.7619f, 396.246f, 139.024f, 396.246f, 0.98883f
path.conicTo(SkBits2Float(0x42a58e20), SkBits2Float(0x43c61f86), SkBits2Float(0x41e80000), SkBits2Float(0x43bde212), SkBits2Float(0x3f7d2cf5)); // 82.7776f, 396.246f, 29, 379.766f, 0.988967f
path.close();
SkPath path1(path);
path.setFillType(SkPath::kWinding_FillType);
path.moveTo(SkBits2Float(0xc36c7bd8), SkBits2Float(0xc3a31d72)); // -236.484f, -326.23f
path.lineTo(SkBits2Float(0xc367a4ae), SkBits2Float(0xc3a31d72)); // -231.643f, -326.23f
path.lineTo(SkBits2Float(0x430b0610), SkBits2Float(0x43c61f86)); // 139.024f, 396.246f
path.lineTo(SkBits2Float(0xc36c7bd8), SkBits2Float(0x43c61f86)); // -236.484f, 396.246f
SkPath path2(path);
// Op() requires an output path; the reported stack (SkTSect<SkDConic, SkDConic>) is reached from inside this call.
SkPath result;
Op(path1, path2, kIntersect_SkPathOp, &result);
I'm working on it.
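The SkBits2Float(0x...) constants in the reduced case above are raw IEEE-754 bit patterns, which is how Skia fuzz reproducers pin down exact float inputs. The following Python script is an added example (not from this thread and not Skia code): it performs the same reinterpretation as Skia's SkBits2Float and SkFloat2Bits, parses the posted lines, verifies that the decimal comments match the bit patterns, and lists the on-curve vertices the two paths share bit-for-bit. The names PATH1, PATH2, bits2float, parse_snippet, check_comments and shared_points are the example's own; PATH1 and PATH2 are constructed copies of the coordinate-carrying lines from the snippet.

```python
import re
import struct

# Constructed copies of the coordinate-carrying calls from the reduced test case
# posted in the thread: PATH1 is the even-odd shape (line plus two conics), PATH2
# the winding quadrilateral. Only the SkBits2Float lines are needed here.
PATH1 = """
path.moveTo(SkBits2Float(0x41e80000), SkBits2Float(0x43bde212)); // 29, 379.766f
path.lineTo(SkBits2Float(0x41e80000), SkBits2Float(0x43bdc7ef)); // 29, 379.562f
path.conicTo(SkBits2Float(0x42a5861e), SkBits2Float(0x43c61f86), SkBits2Float(0x430b0610), SkBits2Float(0x43c61f86), SkBits2Float(0x3f7d23f3)); // 82.7619f, 396.246f, 139.024f, 396.246f, 0.98883f
path.conicTo(SkBits2Float(0x42a58e20), SkBits2Float(0x43c61f86), SkBits2Float(0x41e80000), SkBits2Float(0x43bde212), SkBits2Float(0x3f7d2cf5)); // 82.7776f, 396.246f, 29, 379.766f, 0.988967f
"""
PATH2 = """
path.moveTo(SkBits2Float(0xc36c7bd8), SkBits2Float(0xc3a31d72)); // -236.484f, -326.23f
path.lineTo(SkBits2Float(0xc367a4ae), SkBits2Float(0xc3a31d72)); // -231.643f, -326.23f
path.lineTo(SkBits2Float(0x430b0610), SkBits2Float(0x43c61f86)); // 139.024f, 396.246f
path.lineTo(SkBits2Float(0xc36c7bd8), SkBits2Float(0x43c61f86)); // -236.484f, 396.246f
"""


def bits2float(bits):
    """Reinterpret 32 bits as an IEEE-754 single, the same operation as Skia's SkBits2Float."""
    return struct.unpack("<f", struct.pack("<I", bits & 0xFFFFFFFF))[0]


def float2bits(value):
    """Inverse of bits2float (what Skia's SkFloat2Bits does)."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


# Matches "path.<verb>(<args>); // <comment>" on one line.
CALL_RE = re.compile(r"\.(\w+)\((.*)\);\s*//\s*(.*)$")
ARG_RE = re.compile(r"SkBits2Float\(0x([0-9a-fA-F]{8})\)")


def parse_snippet(text):
    """Return [(verb, decoded_args, commented_args)] for each path call in the text."""
    calls = []
    for line in text.strip().splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue
        verb, args, comment = m.groups()
        decoded = [bits2float(int(h, 16)) for h in ARG_RE.findall(args)]
        # Comments are written like "139.024f"; strip the float suffix before parsing.
        commented = [float(tok.strip().rstrip("f")) for tok in comment.split(",")]
        calls.append((verb, decoded, commented))
    return calls


def check_comments(calls, rel_tol=1e-5):
    """Return the calls whose comment disagrees with the decoded bits.
    The comments carry about six significant digits, hence the relative tolerance."""
    bad = []
    for verb, decoded, commented in calls:
        ok = len(decoded) == len(commented) and all(
            abs(d - c) <= rel_tol * max(abs(c), 1.0) for d, c in zip(decoded, commented)
        )
        if not ok:
            bad.append((verb, decoded, commented))
    return bad


def on_curve_points(calls):
    """End point of each verb: args 0,1 for moveTo/lineTo; args 2,3 for conicTo
    (args 0,1 are the control point and arg 4 the conic weight)."""
    pts = set()
    for verb, decoded, _ in calls:
        if verb == "conicTo":
            pts.add((decoded[2], decoded[3]))
        elif verb in ("moveTo", "lineTo"):
            pts.add((decoded[0], decoded[1]))
    return pts


def shared_points(calls_a, calls_b):
    """Vertices whose coordinates are bit-identical in both paths."""
    return on_curve_points(calls_a) & on_curve_points(calls_b)


if __name__ == "__main__":
    c1, c2 = parse_snippet(PATH1), parse_snippet(PATH2)
    print("comment mismatches:", check_comments(c1) + check_comments(c2))
    print("shared vertices:", sorted(shared_points(c1, c2)))
```

Running it reports no comment mismatches and a single shared vertex, (139.024, 396.246): the end point of path1's first conic is also a corner of path2's quadrilateral, and path2's top edge lies on the same y as the conic control points. The script only decodes what the snippet states; it does not claim which of these facts triggers the coincidence path in SkTSect.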
May 26 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/2bec26a71698105729c6a7cb0163f499b4361840
commit 2bec26a71698105729c6a7cb0163f499b4361840
Author: caryclark <caryclark@google.com>
Date: Thu May 26 16:01:47 2016

fix security bug

This fix is a tradeoff. It changes intersection to treat a case where one coincident run is intersected at one point and the other edge is not as continuing to be a span. The old code tried to treat this as a single point. The old code is probably right, but this change alone made the data structures inconsistent. Later, extending the coincident runs would fail by incorrectly discarding the single point intersection.

As a result, this fixes the security test and one other, but makes a different test fail. Isolating the failure uncovered a reduced case that fails with and without the change, so there are more serious problems here. Those problems are addressed in a separate CL.

Many of the test edits below remove ill-thought-out debugging messaging that fire off global state, which isn't usable in a multi-threaded test environment.

In the end, with this fix, all existing tests (modulo one new failure and one new non-failure) pass in debug and in the extended release test suites.

TBR=reed@google.com
BUG= 614248
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2018513003
Review-Url: https://codereview.chromium.org/2018513003

[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/src/pathops/SkPathOpsTSect.h
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsExtendedTest.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsExtendedTest.h
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsFuzz763Test.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsOpCircleThreadedTest.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsOpCubicThreadedTest.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsOpLoopThreadedTest.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsOpTest.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsSimplifyQuadThreadedTest.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tests/PathOpsSimplifyTest.cpp
[modify] https://crrev.com/2bec26a71698105729c6a7cb0163f499b4361840/tools/pathops_visualizer.htm
May 26 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e991941f843b544a266390c8558bc8e59315b547
commit e991941f843b544a266390c8558bc8e59315b547
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Thu May 26 20:19:22 2016

Roll src/third_party/skia/ 99e22fbe5..0e5b249e5 (3 commits).

https://chromium.googlesource.com/skia.git/+log/99e22fbe569e..0e5b249e549a

$ git log 99e22fbe5..0e5b249e5 --date=short --no-merges --format='%ad %ae %s'
2016-05-26 msarett Add exact version of qcms used by Chrome for testing and comparison
2016-05-26 herb Srcover for sprite blitters.
2016-05-26 caryclark fix security bug

BUG= 614248
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
TBR=kjlubick@google.com
Review-Url: https://codereview.chromium.org/2011083002
Cr-Commit-Position: refs/heads/master@{#396268}

[modify] https://crrev.com/e991941f843b544a266390c8558bc8e59315b547/DEPS
May 28 2016
ClusterFuzz has detected this issue as fixed in range 396253:396347.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6230647417077760
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0000000000b0
Crash State:
  SkTSect<SkDConic, SkDConic>::binarySearchCoin
  SkTSect<SkDConic, SkDConic>::extractCoincident
  SkTSect<SkDConic, SkDConic>::BinarySearch
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=144946:145047
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=396253:396347
Minimized Testcase (0.23 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95mS3oNnlrnTPctX3nwKwrAzU6JAfRLVul7MOyrjNHeQpI8o6j9J0QfzpxscfyQsIW6J0pVudFfsWPrVACPM_r1DIKcjJZU9oim-Nm_g3zA2IFKB2iTfzxvNA2NFqc8Y_iR-261AH2JcqoMPsilMIupiNMYAQ
Testcase excerpt (as embedded in the report):
<script> try { __f_63(); } catch(e) { print(); } </script> <style>#dom-fuzz-15650001 { } body { border: medium green solid; motion-path: path("M0 0H 400"); border-bottom-left-radius: 500px; border-bottom-width: 0;
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 9 2016
Oct 18 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, May 24 2016
Components: Internals>Skia, Tools>Test>FindIt>NoResult
Labels: Needs-triage, findit-wrong, Te-Logged, M-51
Status: Untriaged (was: Available)