This looks like a bug in gtk. I haven't been able to reproduce it, which makes it difficult to upstream. Closing for now, ideally CF can find an easier-to-reproduce test case for this bug.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 441510:441524.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5235660812451840

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 1
Crash Address: 0x7b08001e00f8
Crash State:
  _gdk_window_process_updates_recurse
  base::MessageLoop::RunHandler
  base::RunLoop::Run
  
Sanitizer: thread (TSAN)

Recommended Security Severity: High

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=441510:441524

Minimized Testcase (0.37 Kb): https://cluster-fuzz.appspot.com/download/AMIfv968gk3mYyPpLIzdMU-nDROPRESi88aAsLBrl8f1UQg_ccqXbVQYgM62KAOsID7a030jT_yL2wP8jCIECbVaiEOFQ_8Fa4VAOv7LMmT_9LR-vmAU2tnef4NJJQ_G2jBKjsiNIbDlWkyxghlfZPh9IaEFTkfYMQ?testcase_id=5235660812451840

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.