Issue 658265


Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in blink::DrawingBuffer::createColorBuffer

Reported by ClusterFuzz (Project Member), Oct 21 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6073525599469568

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x00000008
Crash State:
  blink::DrawingBuffer::createColorBuffer
  blink::DrawingBuffer::createOrRecycleColorBuffer
  blink::DrawingBuffer::finishPrepareTextureMailboxGpu
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=426679:426725

Minimized Testcase (6.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TrVTU5BaTJVKDnPWEvPfh4vnI1BHtOAzSkO5gEWVLNCqFky-2UewxwJOdjwrwZl4A4mphfNgw0klHaNbhltU1SS4G3JKU9Yp9FIVAv2NUFCMMN1W5srWyuuhGREUFVYCIXuCXXpHGkfayqeWXlyVFQmhU-Q?testcase_id=6073525599469568

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ajha@chromium.org, Oct 21 2016

Cc: ajha@chromium.org
Components: Blink>Paint
Labels: M-56
Owner: ccameron@chromium.org
Status: Assigned (was: Untriaged)
Suspected CLs (CLs that change the crashed files):

Author: ccameron
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/123016bf9ed08d599540dddc9a3b92a0df7eba2e
Time: Fri Oct 21 02:05:50 2016
Lines 244, 343 and 1115 of file DrawingBuffer.cpp, which potentially caused the crash, are changed in this CL (frame #1, "blink::DrawingBuffer::createColorBuffer"; frame #3, "blink::DrawingBuffer::finishPrepareTextureMailboxGpu"; frame #5, "blink::DrawingBuffer::PrepareTextureMailbox").
Minimum distance from crash line to modified line: 0 (file: DrawingBuffer.cpp, crashed on: 343, modified: 343).

Suspected Project: chromium
Suspected Component: Blink>Paint


Cc: ccameron@chromium.org
Issue 658589 has been merged into this issue.
I have a patch up to further reduce this.
Issue 658804 has been merged into this issue.
Issue 658919 has been merged into this issue.

Comment 6 by bugdroid1@chromium.org (Project Member), Oct 25 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8dbf40b1f26fa7e9b0fae8ddec2b06d995d05d52

commit 8dbf40b1f26fa7e9b0fae8ddec2b06d995d05d52
Author: ccameron <ccameron@chromium.org>
Date: Tue Oct 25 00:55:07 2016

DrawingBuffer: Add checks for state restorer

We're crashing due to a null m_stateRestorer in the fuzzer. It's unclear
how this is possible, so add CHECKs to indicate where this is going
wrong.

These CHECKS should be changed to DCHECKs when the issue is addressed.

BUG=658265

Review-Url: https://codereview.chromium.org/2439073003
Cr-Commit-Position: refs/heads/master@{#427197}

[modify] https://crrev.com/8dbf40b1f26fa7e9b0fae8ddec2b06d995d05d52/third_party/WebKit/Source/platform/graphics/gpu/DrawingBuffer.cpp


Comment 7 by ClusterFuzz (Project Member), Oct 25 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 8 by ClusterFuzz (Project Member), Oct 26 2016

ClusterFuzz has detected this issue as fixed in range 427174:427199.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6073525599469568

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x00000008
Crash State:
  blink::DrawingBuffer::createColorBuffer
  blink::DrawingBuffer::createOrRecycleColorBuffer
  blink::DrawingBuffer::finishPrepareTextureMailboxGpu
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=426679:426725
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=427174:427199

Minimized Testcase (6.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TrVTU5BaTJVKDnPWEvPfh4vnI1BHtOAzSkO5gEWVLNCqFky-2UewxwJOdjwrwZl4A4mphfNgw0klHaNbhltU1SS4G3JKU9Yp9FIVAv2NUFCMMN1W5srWyuuhGREUFVYCIXuCXXpHGkfayqeWXlyVFQmhU-Q?testcase_id=6073525599469568

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Issue 659216 has been merged into this issue.
Issue 659494 has been merged into this issue.
Status: Started (was: Verified)
Changing state to Started because of child issues. Stack for posterity:

#0 0x7fe23c1839e0 __interceptor_backtrace
#1 0x7fe246561492 base::debug::StackTrace::StackTrace()
#2 0x7fe2465f7e5d logging::LogMessage::~LogMessage()
#3 0x7fe260b77f71 blink::DrawingBuffer::resolveAndBindForReadAndDraw()
#4 0x7fe25ad05b4b blink::WebGLRenderingContextBase::paintRenderingResultsToCanvas()
#5 0x7fe2566b258a blink::HTMLCanvasElement::getSourceImageForCanvas()
#6 0x7fe2566af1d1 blink::HTMLCanvasElement::notifyListenersCanvasChanged()
#7 0x7fe260b65530 blink::DrawingBuffer::prepareTextureMailboxInternal()
#8 0x7fe260b64e49 blink::DrawingBuffer::PrepareTextureMailbox()
#9 0x7fe25e95def3 cc::TextureLayer::Update()
#10 0x7fe24b5dd430 cc::LayerTree::UpdateLayers()
#11 0x7fe25ea96eb4 cc::LayerTreeHostInProcess::DoUpdateLayers()
#12 0x7fe25ea9596f cc::LayerTreeHostInProcess::UpdateLayers()
#13 0x7fe25eaa598b cc::ProxyMain::BeginMainFrame()

Comment 12 by bugdroid1@chromium.org (Project Member), Oct 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7946e681411fb3144eac23476d75a837d6db39b4

commit 7946e681411fb3144eac23476d75a837d6db39b4
Author: ccameron <ccameron@chromium.org>
Date: Fri Oct 28 04:33:47 2016

Allow nested state restorers in DrawingBuffer

State restoration required in callbacks that can come from
DrawingBuffer. This allows us to construct a stack of restorers.

BUG=658265

Review-Url: https://codereview.chromium.org/2453283002
Cr-Commit-Position: refs/heads/master@{#428283}

[modify] https://crrev.com/7946e681411fb3144eac23476d75a837d6db39b4/third_party/WebKit/Source/platform/graphics/gpu/DrawingBuffer.cpp
[modify] https://crrev.com/7946e681411fb3144eac23476d75a837d6db39b4/third_party/WebKit/Source/platform/graphics/gpu/DrawingBuffer.h
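
The nested-restorer fix described in the commit above, as an added C++ model that is not Chromium's DrawingBuffer code: a single restorer pointer is clobbered when a callback re-enters the buffer along the paintRenderingResultsToCanvas path in the stack trace, while a stack of restorers keeps the outer one intact. The two buffer classes, StateRestorer and the drive functions are hypothetical; only the member and method names are borrowed from this issue.

```cpp
#include <functional>
#include <vector>
// Constructed stand-in for the GL bindings a restorer saves and puts back.
struct StateRestorer { int savedFramebuffer; };
// Before the fix: one m_stateRestorer slot. A re-entrant callback installs its
// own restorer and nulls the slot on exit, so the still-active outer restorer
// is lost (the null m_stateRestorer the first commit's CHECK caught).
class SingleSlotBuffer {
 public:
  StateRestorer* m_stateRestorer = nullptr;
  void paintRenderingResultsToCanvas() {
    StateRestorer inner{2};
    m_stateRestorer = &inner;
    m_stateRestorer = nullptr;  // inner scope ends, slot cleared
  }
  bool prepareTextureMailbox(const std::function<void()>& reentrantCallback) {
    StateRestorer outer{1};
    m_stateRestorer = &outer;
    reentrantCallback();  // listener notification may call back into us
    bool intact = (m_stateRestorer == &outer);
    m_stateRestorer = nullptr;
    return intact;
  }
};
// After the fix: a stack of restorers; popping the inner one exposes the outer.
class StackedBuffer {
 public:
  std::vector<StateRestorer*> m_stateRestorers;
  void paintRenderingResultsToCanvas() {
    StateRestorer inner{2};
    m_stateRestorers.push_back(&inner);
    m_stateRestorers.pop_back();  // inner scope ends, outer back on top
  }
  bool prepareTextureMailbox(const std::function<void()>& reentrantCallback) {
    StateRestorer outer{1};
    m_stateRestorers.push_back(&outer);
    reentrantCallback();
    bool intact = !m_stateRestorers.empty() && m_stateRestorers.back() == &outer;
    m_stateRestorers.pop_back();
    return intact;
  }
};
bool singleSlotSurvivesReentry() {
  SingleSlotBuffer b;
  return b.prepareTextureMailbox([&] { b.paintRenderingResultsToCanvas(); });
}
bool stackedSurvivesReentry() {
  StackedBuffer b;
  return b.prepareTextureMailbox([&] { b.paintRenderingResultsToCanvas(); });
}
```

The single-slot design returns false after re-entry, which is the condition the interim CHECK turned into a controlled crash; the stacked design returns true.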

Status: Fixed (was: Started)
This should be fixed now.

Comment 14 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
