xlai: Would you mind taking a look at this? Seems like it could potentially be related to https://chromium.googlesource.com/chromium/src//+/65bcd11753b2561dd86c6c95a778bc397ab54367

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b0f2b78559b1d731012d9808376c08b6ec256396

commit b0f2b78559b1d731012d9808376c08b6ec256396
Author: xlai <xlai@chromium.org>
Date: Fri Aug 05 22:34:11 2016

Fixing uninitialized access in blink::ImagePattern::isLocalMatrixChanged

Do an explicit setIdentity() call on m_previousLocalMatrix to avoid
SKMatrix operator==() complaining an uninitialized access to its internal
integer values.

TBR=junov@chromium.org
BUG= 635045 

Review-Url: https://codereview.chromium.org/2220663002
Cr-Commit-Position: refs/heads/master@{#410197}

[modify] https://crrev.com/b0f2b78559b1d731012d9808376c08b6ec256396/third_party/WebKit/Source/platform/graphics/ImagePattern.cpp

ClusterFuzz has detected this issue as fixed in range 410187:410228.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4708473495617536

Fuzzer: inferno_canvas_wrecker
Job Type: linux_msan_chrome
Platform Id: linux

Crash Type: Use-of-uninitialized-value
Crash Address: 
Crash State:
  blink::ImagePattern::isLocalMatrixChanged
  blink::Pattern::applyToPaint
  blink::CanvasStyle::applyToPaint
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=409589:409863
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_msan_chrome&range=410187:410228

Minimized Testcase (0.49 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95bBPwQD15h4T9AFLI6r6anZxB9IG-gw3y_15Omn6i7jXcFr7cQa60xiSNQrVwg6OBmutYb5vhkC-0n4Gy07Ng9NvnPZgrhXJb-WW28mP1YzJ_cKQqMY4QwC8e7eSsKywpNPPaexNRH334kSS-VzfW7t6IfVg?testcase_id=4708473495617536
<canvas id='canvas1'><video id='video1'</video><script>
var C = document.getElementById('canvas1');
var Z = C.getContext('2d');
var V = document.getElementById('video1');
gradient9 = Z.createPattern(V, "repeat-y");;
var scriptStrs = ['Z.lineTo(21, 6.71056094745)',
'Z.strokeStyle = gradient9',
'Z.stroke();',
'Z.globalAlpha = 0.2903',
'Z.stroke();',
'Z.drawImage(image1, 0.453089, 131)'];
var index = 0; function execute() {; try { eval(scriptStrs[index++]); } catch(e) {}}
setInterval(execute);</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot