Use-of-uninitialized-value in sk_sse41::blit_row_s32a_opaque
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6731509176467456
Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sk_sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=401651:401798
Minimized Testcase (0.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96qgOxsxNfJA7VAMZulfpIqPZEK-HgzGoD9DHZ3XN-cAhI_X2rMvMzgpLAGA91aFUM42jytRX7A_JEewyyg7-OLkiM1WCmJsPi-tugvXUku4DLNnAFe2qEUTRRa005aVJ9o-CZPA1vY9aj7Rm7fkdr5uLBu_w?testcase_id=6731509176467456
Filer: mmoroz
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 12 2016
I can repro on a Linux msan build + attached minimized test + these flags:
--ignore-gpu-blacklist --use-gl=osmesa --enable-display-list-2d-canvas
The interesting part is the uninitialized allocation stack, which points to C2D copy-on-write:
Uninitialized value was created by a heap allocation
#0 0x7f58cedfa9b2 in __interceptor_malloc
#1 0x7f58e291a966 in base::UncheckedMalloc(unsigned long, void**) base/process/memory_linux.cc:210:13
#2 0x7f58e4c182a7 in sk_malloc_nothrow skia/ext/SkMemory_new_handler.cpp:69:19
#3 0x7f58e4c182a7 in sk_malloc_flags(unsigned long, unsigned int) skia/ext/SkMemory_new_handler.cpp:81
#4 0x7f58e4db4b59 in operator() third_party/skia/src/core/SkMallocPixelRef.cpp:93:55
#5 0x7f58e4db4b59 in __invoke third_party/skia/src/core/SkMallocPixelRef.cpp:93
#6 0x7f58e4db4b59 in SkMallocPixelRef third_party/skia/src/core/SkMallocPixelRef.cpp:186
#7 0x7f58e4db4b59 in NewUsing third_party/skia/src/core/SkMallocPixelRef.cpp:87
#8 0x7f58e4db4b59 in SkMallocPixelRef::NewAllocate(SkImageInfo const&, unsigned long, SkColorTable*) third_party/skia/src/core/SkMallocPixelRef.cpp:94
#9 0x7f58e4c77b76 in SkBitmap::HeapAllocator::allocPixelRef(SkBitmap*, SkColorTable*) third_party/skia/src/core/SkBitmap.cpp:444:22
#10 0x7f58e4c722ba in SkBitmap::tryAllocPixels(SkBitmap::Allocator*, SkColorTable*) third_party/skia/src/core/SkBitmap.cpp:282:23
#11 0x7f58e50c079b in allocPixels third_party/skia/include/core/SkBitmap.h:399:20
#12 0x7f58e50c079b in allocPixels third_party/skia/include/core/SkBitmap.h:375
#13 0x7f58e50c079b in SkSurface_Raster::onCopyOnWrite(SkSurface::ContentChangeMode) third_party/skia/src/image/SkSurface_Raster.cpp:151
#14 0x7f58e50be49d in SkSurface_Base::aboutToDraw(SkSurface::ContentChangeMode) third_party/skia/src/image/SkSurface.cpp:104:19
#15 0x7f58e4cfa9a8 in predrawNotify third_party/skia/src/core/SkCanvas.cpp:169:23
#16 0x7f58e4cfa9a8 in predrawNotify third_party/skia/include/core/SkCanvas.h:1415
#17 0x7f58e4cfa9a8 in SkCanvas::onDrawRect(SkRect const&, SkPaint const&) third_party/skia/src/core/SkCanvas.cpp:2157
#18 0x7f58e4f507f0 in draw<SkRecords::DrawRect> third_party/skia/src/core/SkRecordDraw.cpp:113:1
#19 0x7f58e4f507f0 in operator()<SkRecords::DrawRect> third_party/skia/src/core/SkRecordDraw.h:62
#20 0x7f58e4f507f0 in decltype ({parm#1}((SkRecords::NoOp)())) SkRecord::Record::visit<SkRecords::Draw&>(SkRecords::Draw&) const third_party/skia/src/core/SkRecord.h:170
#21 0x7f58e4f4ac92 in visit<SkRecords::Draw &> third_party/skia/src/core/SkRecord.h:51:28
#22 0x7f58e4f4ac92 in SkRecordDraw(SkRecord const&, SkCanvas*, SkPicture const* const*, SkDrawable* const*, int, SkBBoxHierarchy const*, SkPicture::AbortCallback*) third_party/skia/src/core/SkRecordDraw.cpp:55
#23 0x7f58e5662793 in SkBigPicture::playback(SkCanvas*, SkPicture::AbortCallback*) const third_party/skia/src/core/SkBigPicture.cpp:37:5
#24 0x7f58ee81bda3 in blink::Canvas2DLayerBridge::flushRecordingOnly() third_party/WebKit/Source/platform/graphics/Canvas2DLayerBridge.cpp:706:49
#25 0x7f58ee81dbe6 in blink::Canvas2DLayerBridge::flush() third_party/WebKit/Source/platform/graphics/Canvas2DLayerBridge.cpp:718:5
#26 0x7f58ee826b60 in blink::Canvas2DLayerBridge::newImageSnapshot(blink::AccelerationHint, blink::SnapshotReason) third_party/WebKit/Source/platform/graphics/Canvas2DLayerBridge.cpp:985:5
#27 0x7f58dc34053f in blink::Canvas2DImageBufferSurface::newImageSnapshot(blink::AccelerationHint, blink::SnapshotReason) third_party/WebKit/Source/platform/graphics/Canvas2DImageBufferSurface.h:87:121
#28 0x7f58ee8d6e58 in blink::ImageBufferSurface::draw(blink::GraphicsContext&, blink::FloatRect const&, blink::FloatRect const&, SkXfermode::Mode) third_party/WebKit/Source/platform/graphics/ImageBufferSurface.cpp:73:32
#29 0x7f58ee8d3083 in blink::ImageBuffer::draw(blink::GraphicsContext&, blink::FloatRect const&, blink::FloatRect const*, SkXfermode::Mode) third_party/WebKit/Source/platform/graphics/ImageBuffer.cpp:285:16
#30 0x7f58dc327ed4 in blink::HTMLCanvasElement::paint(blink::GraphicsContext&, blink::LayoutRect const&) third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp:485:23
#31 0x7f58deb6204d in blink::HTMLCanvasPainter::paintReplaced(blink::PaintInfo const&, blink::LayoutPoint const&) third_party/WebKit/Source/core/paint/HTMLCanvasPainter.cpp:64:13
Based on the regression range and test (canvas/getImageData), this was likely introduced by https://chromium.googlesource.com/chromium/src/+/33732aec33c88cb18c212544da7d0a4ba53cd9ce.
Punting to junov to check whether anything fishy is going on in C2D. If it turns out to be a Skia problem, feel free to reassign to me.
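The allocation stack above shows a fresh pixel buffer being allocated in onCopyOnWrite and later read by the sprite blitter. The following C model is added here and is not Skia's or Chromium's code; the surface, pixel_ref, snapshot and about_to_draw names are invented. It reproduces the pattern: a snapshot shares the buffer, the next draw detaches onto a new allocation, and a partial draw followed by a full readback sees stale content unless the new buffer is copied from the old one or zero-filled. A poison constant stands in for whatever stale heap bytes a plain malloc would return.

```c
/* Model of copy-on-write raster surfaces; constructed illustration only.
 * STALE stands in for whatever bytes a plain malloc() would hand back. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define NPIX 16
#define STALE 0xDEADBEEFu
typedef struct { uint32_t *pixels; int refs; } pixel_ref; /* shared buffer */
typedef struct { pixel_ref *pr; } surface;

/* zero_fill=0 models a plain malloc-backed allocation (contents = STALE);
 * zero_fill=1 models the hardened variant (calloc / explicit clear). */
static pixel_ref *pr_alloc(int zero_fill) {
    pixel_ref *p = malloc(sizeof *p);
    p->pixels = malloc(NPIX * sizeof(uint32_t));
    for (int i = 0; i < NPIX; i++) p->pixels[i] = zero_fill ? 0 : STALE;
    p->refs = 1;
    return p;
}
static void pr_unref(pixel_ref *p) {
    if (--p->refs == 0) { free(p->pixels); free(p); }
}
/* A snapshot (what an SkImage holds) keeps a reference to the same buffer. */
static pixel_ref *snapshot(surface *s) { s->pr->refs++; return s->pr; }

/* Copy-on-write before a draw: if a snapshot still references the buffer,
 * detach onto a fresh one. retain=1 copies old content; retain=0 discards it,
 * so whatever the allocator returned is what a later read will see. */
static void about_to_draw(surface *s, int retain, int zero_fill) {
    if (s->pr->refs == 1) return;
    pixel_ref *fresh = pr_alloc(zero_fill);
    if (retain) memcpy(fresh->pixels, s->pr->pixels, NPIX * sizeof(uint32_t));
    pr_unref(s->pr);
    s->pr = fresh;
}
/* Draw into half the buffer after a copy-on-write, then count how many pixels
 * a full readback (the getImageData step in the report) would see as stale. */
static int stale_after_partial_draw(int retain, int zero_fill) {
    surface s = { pr_alloc(1) };
    pixel_ref *snap = snapshot(&s);
    about_to_draw(&s, retain, zero_fill);
    for (int i = 0; i < NPIX / 2; i++) s.pr->pixels[i] = 0xFF0000FFu;
    int stale = 0;
    for (int i = 0; i < NPIX; i++) stale += (s.pr->pixels[i] == STALE);
    pr_unref(snap);
    pr_unref(s.pr);
    return stale;
}
```

Under MSan the discard-without-clear path is what reports as a use-of-uninitialized-value at the blit; either retaining the old content or clearing the fresh allocation removes the finding.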
Jul 12 2016
This was probably caused by my change https://codereview.chromium.org/2063473002. I just landed a patch to disable that optimization due to memory errors. Speculative fix is in the pipe: https://codereview.chromium.org/2144573003/
Jul 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/892c18d6f403629c7ba584e37d150f2334baa80c

commit 892c18d6f403629c7ba584e37d150f2334baa80c
Author: junov <junov@chromium.org>
Date: Wed Jul 13 02:39:05 2016

Temporarily disabling 2d canvas getImageData optimization

Disabling the optimization that makes getImageData disable GPU acceleration in order to resolve a memory error.

BUG=626188, 627434
Review-Url: https://codereview.chromium.org/2144573003
Cr-Commit-Position: refs/heads/master@{#404919}

[modify] https://crrev.com/892c18d6f403629c7ba584e37d150f2334baa80c/third_party/WebKit/Source/modules/canvas2d/CanvasRenderingContext2DTest.cpp
[modify] https://crrev.com/892c18d6f403629c7ba584e37d150f2334baa80c/third_party/WebKit/Source/platform/graphics/ExpensiveCanvasHeuristicParameters.h
Jul 13 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 13 2016
ClusterFuzz has detected this issue as fixed in range 404895:404947.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6731509176467456
Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux
Crash Type: Use-of-uninitialized-value
Crash Address:
Crash State:
  sk_sse41::blit_row_s32a_opaque
  Sprite_D32_S32::blitRect
  SkScan::FillIRect
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=401651:401798
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=404895:404947
Minimized Testcase (0.47 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96qgOxsxNfJA7VAMZulfpIqPZEK-HgzGoD9DHZ3XN-cAhI_X2rMvMzgpLAGA91aFUM42jytRX7A_JEewyyg7-OLkiM1WCmJsPi-tugvXUku4DLNnAFe2qEUTRRa005aVJ9o-CZPA1vY9aj7Rm7fkdr5uLBu_w?testcase_id=6731509176467456
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 26 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Jul 26 2016
Please merge ASAP before 5:00 PM PDT tomorrow, Wednesday, as this is an M53 Beta Blocker bug and we're cutting M53 RC tomorrow. Thank you.
Jul 27 2016
Please try to merge your change to M53 branch 2785 ASAP, latest by 5:00 PM PDT today (the sooner the better, to avoid compile failures and merge conflicts), so we can take it for tomorrow's M53 beta promotion. Thank you.
Jul 27 2016
M53 was branched while the offending patch was temporarily reverted. There is nothing to do here. Clearing the merge flags.
Oct 20 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, Jul 12 2016
Components: Internals>Skia
Owner: fmalita@chromium.org