Crash in blink::HTMLCanvasElement::createImageBufferInternal
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6754130473517056
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x00000010
Crash State:
  blink::HTMLCanvasElement::createImageBufferInternal
  blink::HTMLCanvasElement::buffer
  blink::HTMLCanvasElement::isPaintable
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=414800:414808
Minimized Testcase (1.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv976mbUdH32Xsr-0YpqjIBzchy-BHQcAcRFs0q_1TdGstbq0NJTQmK1RUOgqCbeJlfAUWRpRD7a4BnTA5IGLRvV2s_nrY2TTZrcGREcapEFVQQctna0Ox6MRq5OYrVGmI24uxAoenQYN8eKv4MZKvP8ZF-pgfw?testcase_id=6754130473517056
Issue manually filed by: msrchandra

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016
This looks like ImageBuffer::create is returning null: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/graphics/ImageBuffer.cpp?rcl=0&l=72 Which means surface->isValid() is returning false. I thought I had verified that both createAcceleratedImageBufferSurface and createUnacceleratedImageBufferSurface only return non-null if the surface is valid. But I guess you could get an externalSurface that is not valid! Also AcceleratedImageBufferSurface can be constructed but not valid and we don't check that.
Sep 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/3c5a6056fca4642b919fb468c6ca9bfc152d1c76

commit 3c5a6056fca4642b919fb468c6ca9bfc152d1c76
Author: danakj <danakj@chromium.org>
Date: Thu Sep 01 22:45:57 2016

Clean up and fix logic around creating ImageBufferSurface and fallbacks

Avoids a crash if a surface is not valid, we always early out in that case.

Repairs the fallback logic to not fallback in the cases where:
- An external surface was provided.
- is3D() is true, aka WebGL.

In the above cases, we should not fallback if the surface we try to use is not valid.

R=junov@chromium.org
BUG= 641896

Review-Url: https://codereview.chromium.org/2285153004
Cr-Commit-Position: refs/heads/master@{#416097}

[modify] https://crrev.com/3c5a6056fca4642b919fb468c6ca9bfc152d1c76/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
[modify] https://crrev.com/3c5a6056fca4642b919fb468c6ca9bfc152d1c76/third_party/WebKit/Source/core/html/HTMLCanvasElement.h
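As an added illustration (not Blink's code and not part of the commit above), a simplified model of the surface-selection rules the commit message describes: early out with null when the chosen surface is not valid, and no software fallback when an external surface was provided or the canvas is 3D. Every type and function in it (Surface, Availability, createImageBuffer, isPaintable) is a hypothetical stand-in for Blink's ImageBufferSurface and ImageBuffer classes.

```cpp
// Added illustration, not Blink's code: a simplified model of the surface
// selection and fallback rules described in the fix. Every type and function
// here (Surface, Availability, createImageBuffer, ...) is a hypothetical
// stand-in for Blink's ImageBufferSurface / ImageBuffer classes.
#include <memory>

enum class SurfaceKind { External, Accelerated, Unaccelerated };

struct Surface {
    SurfaceKind kind;
    bool valid;                                // models ImageBufferSurface::isValid()
    bool isValid() const { return valid; }
};

// Simulates whether the platform can hand back a usable surface of each kind.
struct Availability {
    bool externalValid;
    bool acceleratedValid;
    bool unacceleratedValid;
};

struct ImageBuffer { std::unique_ptr<Surface> surface; };

static std::unique_ptr<Surface> makeSurface(SurfaceKind kind, bool valid) {
    return std::make_unique<Surface>(Surface{kind, valid});
}

// Hardened creation: return nullptr whenever the chosen surface is not valid,
// and never fall back to a software surface when an external surface was
// supplied or the canvas is 3D (WebGL), matching the commit message.
std::unique_ptr<ImageBuffer> createImageBuffer(bool hasExternalSurface, bool is3D,
                                              bool wantAccelerated, const Availability& a) {
    std::unique_ptr<Surface> surface;
    if (hasExternalSurface) {
        surface = makeSurface(SurfaceKind::External, a.externalValid);   // no fallback
    } else if (wantAccelerated || is3D) {
        surface = makeSurface(SurfaceKind::Accelerated, a.acceleratedValid);
        if (!surface->isValid() && !is3D)                               // 2D canvases only
            surface = makeSurface(SurfaceKind::Unaccelerated, a.unacceleratedValid);
    } else {
        surface = makeSurface(SurfaceKind::Unaccelerated, a.unacceleratedValid);
    }
    if (!surface->isValid())
        return nullptr;   // the early-out the fix adds; callers must handle null
    auto buffer = std::make_unique<ImageBuffer>();
    buffer->surface = std::move(surface);
    return buffer;
}

// Caller side: the reported crash was a write through a null ImageBuffer, so
// the paintability check must treat a null buffer as "not paintable".
bool isPaintable(const ImageBuffer* buffer) { return buffer != nullptr; }
```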
Sep 2 2016
Your change meets the bar and is auto-approved for M54 (branch: 2840)
Sep 3 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1b2b61b508e917e4e34c1c1a629efcf1c8d7197e

commit 1b2b61b508e917e4e34c1c1a629efcf1c8d7197e
Author: danakj <danakj@chromium.org>
Date: Sat Sep 03 00:54:26 2016

Clean up and fix logic around creating ImageBufferSurface and fallbacks

Avoids a crash if a surface is not valid, we always early out in that case.

Repairs the fallback logic to not fallback in the cases where:
- An external surface was provided.
- is3D() is true, aka WebGL.

In the above cases, we should not fallback if the surface we try to use is not valid.

TBR=junov@chromium.org
BUG= 641896

Review-Url: https://codereview.chromium.org/2285153004
Cr-Commit-Position: refs/heads/master@{#416097}
(cherry picked from commit 3c5a6056fca4642b919fb468c6ca9bfc152d1c76)

Review URL: https://codereview.chromium.org/2305163002 .
Cr-Commit-Position: refs/branch-heads/2840@{#142}
Cr-Branched-From: 1ae106dbab4bddd85132d5b75c670794311f4c57-refs/heads/master@{#414607}

[modify] https://crrev.com/1b2b61b508e917e4e34c1c1a629efcf1c8d7197e/third_party/WebKit/Source/core/html/HTMLCanvasElement.cpp
[modify] https://crrev.com/1b2b61b508e917e4e34c1c1a629efcf1c8d7197e/third_party/WebKit/Source/core/html/HTMLCanvasElement.h
Sep 3 2016
ClusterFuzz has detected this issue as fixed in range 415934:416233.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6754130473517056
Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN WRITE
Crash Address: 0x00000010
Crash State:
  blink::HTMLCanvasElement::createImageBufferInternal
  blink::HTMLCanvasElement::buffer
  blink::HTMLCanvasElement::isPaintable
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=414800:414808
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=415934:416233
Minimized Testcase (1.95 Kb): https://cluster-fuzz.appspot.com/download/AMIfv976mbUdH32Xsr-0YpqjIBzchy-BHQcAcRFs0q_1TdGstbq0NJTQmK1RUOgqCbeJlfAUWRpRD7a4BnTA5IGLRvV2s_nrY2TTZrcGREcapEFVQQctna0Ox6MRq5OYrVGmI24uxAoenQYN8eKv4MZKvP8ZF-pgfw?testcase_id=6754130473517056

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 3 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by msrchandra@chromium.org, Aug 29 2016
Labels: Findit-for-crash Te-Logged
Owner: danakj@chromium.org
Status: Assigned (was: Untriaged)