Crash in Poly::addEdge
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6672256600375296
Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  Poly::addEdge
  path_to_polys
  GrTessellator::PathToTriangles
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=397536:397672
Minimized Testcase (0.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97K2vNYI43LJdcIQgxGoHQkXVF14VIo0cZacLAZUHMn2Q7x3_UN5Dh_ap_xwYpFIP5TV6AT-szqXEksNYUf5sLb79PrHjZiBQAP0XPWRLDX6E2VLxxaOkuAtMJaB7pc1tN-o_fpurOcO79attbQV-KQxwdO-Q
Filer: ashejole

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 7 2016
Here's a reduction which is also a little easier to read. Can repro on Linux with --enable-gpu-rasterization. Note to self: capturing an SKP and playing back in Skia's SampleApp w/--msaa 8 does not crash, for some reason.
Jun 7 2016
The following revision refers to this bug: https://skia.googlesource.com/skia.git/+/93e3fff79eaaa86bc2fb740a42111a074ccc73ab

commit 93e3fff79eaaa86bc2fb740a42111a074ccc73ab
Author: senorblanco <senorblanco@chromium.org>
Date: Tue Jun 07 19:36:00 2016

Fix for rare crash in Poly::addEdge().

Don't add an edge if the bottom vertex was already added, or if an island vertex has a left poly but no right poly.

(Sorry for the lack of test, but the only reduction I could create was still a huge path and only crashes in Chrome.)

BUG= 617907
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2043873005
Review-Url: https://codereview.chromium.org/2043873005

[modify] https://crrev.com/93e3fff79eaaa86bc2fb740a42111a074ccc73ab/src/gpu/GrTessellator.cpp
Jun 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e8eaf4b03877b103c5e477f382e16cd3e9af9eec

commit e8eaf4b03877b103c5e477f382e16cd3e9af9eec
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Tue Jun 07 23:34:59 2016

Roll src/third_party/skia/ 3db202812..ddc2cd6a1 (5 commits).

https://chromium.googlesource.com/skia.git/+log/3db2028126e1..ddc2cd6a1f55

$ git log 3db202812..ddc2cd6a1 --date=short --no-merges --format='%ad %ae %s'
2016-06-07 csmartdalton Fix dashing bug where hwaa was unintentionally disabled
2016-06-07 brianosman Switch to a whitelist for manual mip-map generation
2016-06-07 liyuqian Implement Raster Backend on Android Viewer App
2016-06-07 senorblanco Fix for rare crash in Poly::addEdge().
2016-06-07 bsalomon Make GrShape use the original path when path effect fails.

BUG= 617907
CQ_INCLUDE_TRYBOTS=tryserver.blink:linux_blink_rel
TBR=mtklein@google.com
Review-Url: https://codereview.chromium.org/2045983003
Cr-Commit-Position: refs/heads/master@{#398416}

[modify] https://crrev.com/e8eaf4b03877b103c5e477f382e16cd3e9af9eec/DEPS
Jun 8 2016
This should be fixed, but ClusterFuzz doesn't seem to have noticed the fix yet. Is this delay typical, or is the fix not working?
Jun 8 2016
Looks like someone kicked off a new test, so we should know shortly (I don't know the typical delay, just know it seems typical and how to kick off a new run!)
Jun 9 2016
ClusterFuzz has detected this issue as fixed in range 398351:398496.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6672256600375296
Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000028
Crash State:
  Poly::addEdge
  path_to_polys
  GrTessellator::PathToTriangles
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=397536:397672
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=398351:398496
Minimized Testcase (0.29 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96pI38uNOs4blyZVrdT1921E9KVIcmPsvhVuY40tZNp4q2v_G7FpSvq5NcuyvqHEtt0YjaaDeKGSvmUSnvjGY2NnOR4-yi9q43HSJmbdvOcKdy57tjDbgo5q6BpcjSCAL6BiRyTi-Y0fwc0PmRwtRNYJhg3jw

<style> *{outline-style:auto;text-transform:lowercase;border:thin inset transparent;} .CLASS13{display:inline;border-image:initial;} *:valid{-webkit-animation-name:none,"keyframe-5";-webkit-text-stroke:50.8mm;</style> <rb dir="rtl"> <form class="CLASS13" title="C"> <textarea cols="-100"> C b

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 9 2016
@senorblanco: Thanks a lot for the quick turnaround.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ashej...@chromium.org, Jun 7 2016

Components: Internals>GPU>Rasterization Tools>Test>FindIt>CorrectResult
Labels: ReleaseBlock-Beta Te-Logged M-53
Owner: senorblanco@chromium.org
Status: Assigned (was: Available)