Issue 662694 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug




Crash in blink::InterpolableList::InterpolableList

Reported by ClusterFuzz (Project Member), Nov 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6108539484635136

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::InterpolableList::InterpolableList
  blink::InterpolableList::create
  blink::InterpolableList::clone
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=370046:370064

Minimized Testcase (6.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vxshGRYnsldb7mmlOeCGi1KY2EqCmw6viGUdSN7RpWXUROJuZRqBSZbsN1iNkYlD7L_vy7ib5b5shgBTKXlPXRPZGWDyndXRzy6BLkG70pQQvoXUON1R9UEwmH_QF38HhaGENbCha9f41aAFjvCBiq2KqJg?testcase_id=6108539484635136

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Infra>Git
Labels: -Pri-1 -Type-Bug Test-Predator-Wrong-CLs M-55 Pri-2 Type-Bug-Regression
Owner: alancutter@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purposes:

Suspected CLs: Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed the following lines of file InterpolableValue.h:
  line 160 (stack frames 0, 3 and 6)
  line 126 (stack frames 1 and 4)
  line 146 (stack frames 2 and 5)

Suspected Project: chromium
Suspected Component: Blink>Animation

Using codesearch, I see some changes to StyleResolver.cpp in
https://chromium.googlesource.com/chromium/src/+/890e3f57caf40adab7ea377cb50ef6591b6b882e

alancutter@, could you please check the issue and help.
Components: -Infra>Git Blink>Animation
Labels: Update-Weekly
Labels: -OS-Linux -Pri-2 -Type-Bug-Regression OS-All Pri-1 Type-Bug
I don't think this is a regression; this part of the code hasn't been touched for a while.


Created minimal repro from test case path values (though the crash stack is different).

<div id="target"></div>
<script>
target.style.d = 'path("M20,20 A0,10 0 0 0 20,20 A0,10 0 0 0 30,30 A0,10 0 0 0 30,30 A0,10 0 0 0 40,40 A0,10 0 0 0 40,40")';
target.animate({d: 'path("M 0 9223372036854775807 H 65305 V 117 H 14 V 128")'}, 1000);
</script>


Crash stack:
[1:1:1109/155216:2587297348502:FATAL:InterpolableValue.h(97)] Check failed: false. 
#0 0x7f320439fcfe base::debug::StackTrace::StackTrace()
#1 0x7f32043c401b logging::LogMessage::~LogMessage()
#2 0x7f31ff7d6088 blink::InterpolableBool::cloneAndZero()
#3 0x7f31ff7d5908 blink::InterpolableList::cloneAndZero()
#4 0x7f31ff7d5908 blink::InterpolableList::cloneAndZero()
#5 0x7f31ff7e7e5b blink::PathInterpolationFunctions::maybeConvertNeutral()
#6 0x7f31ff7b73ff blink::CSSPathInterpolationType::maybeConvertNeutral()
#7 0x7f31ff7b26f7 blink::CSSInterpolationType::maybeConvertSingle()
#8 0x7f31ff7d80a1 blink::InvalidatableInterpolation::convertSingleKeyframe()
#9 0x7f31ff7d870e blink::InvalidatableInterpolation::ensureValidInterpolation()
#10 0x7f31ff7d915a blink::InvalidatableInterpolation::applyStack()

Found the bug: SVGPathSegInterpolationFunctions was using InterpolableBool, which defines:
  std::unique_ptr<InterpolableValue> cloneAndZero() const final {
    NOTREACHED();
    return nullptr;
  }

InterpolableBool should not exist, I'll make a patch to remove it.
Status: Started (was: Assigned)
Submitted fix: https://codereview.chromium.org/2487913002
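To make the failure path in the two comments above concrete, here is an added example, not Blink's code and not part of the submitted fix: a cut-down model of the InterpolableValue hierarchy as it stood before the patch. The class and method names come from the report; the member layout, the makeArcSegment() helper and the two check functions are assumptions made for illustration. It shows how the nullptr that InterpolableBool::cloneAndZero() returns in a release build (NOTREACHED() compiles to nothing there) is stored unchecked by InterpolableList::cloneAndZero() and then dereferenced by the next clone(), which is the InterpolableList::InterpolableList frame and the read at 0x0 in the ASan report, and how swapping the flag to InterpolableNumber, as the fix did, removes the null.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Added example, not Blink code. Names follow the bug report; layout is assumed.
struct InterpolableValue {
  virtual ~InterpolableValue() = default;
  virtual std::unique_ptr<InterpolableValue> clone() const = 0;
  // The "neutral" value: same shape as *this with every component zeroed.
  virtual std::unique_ptr<InterpolableValue> cloneAndZero() const = 0;
};

struct InterpolableNumber final : InterpolableValue {
  double v;
  explicit InterpolableNumber(double x) : v(x) {}
  std::unique_ptr<InterpolableValue> clone() const override {
    return std::make_unique<InterpolableNumber>(v);
  }
  std::unique_ptr<InterpolableValue> cloneAndZero() const override {
    return std::make_unique<InterpolableNumber>(0);
  }
};

// The class the fix removed. Its cloneAndZero() was "NOTREACHED(); return nullptr;".
// NOTREACHED() is a no-op in release builds, so the caller simply gets nullptr.
struct InterpolableBool final : InterpolableValue {
  bool b;
  explicit InterpolableBool(bool x) : b(x) {}
  std::unique_ptr<InterpolableValue> clone() const override {
    return std::make_unique<InterpolableBool>(b);
  }
  std::unique_ptr<InterpolableValue> cloneAndZero() const override {
    return nullptr;  // modelled NOTREACHED(): nothing stops execution here
  }
};

struct InterpolableList final : InterpolableValue {
  std::vector<std::unique_ptr<InterpolableValue>> values;
  explicit InterpolableList(std::size_t n) : values(n) {}
  // Copy constructor behind clone(): dereferences every child unconditionally.
  // A null child means a vtable load from address 0 (the ASan UNKNOWN READ).
  InterpolableList(const InterpolableList& o) : values(o.values.size()) {
    for (std::size_t i = 0; i < values.size(); ++i)
      values[i] = o.values[i]->clone();
  }
  std::unique_ptr<InterpolableValue> clone() const override {
    return std::make_unique<InterpolableList>(*this);
  }
  std::unique_ptr<InterpolableValue> cloneAndZero() const override {
    auto r = std::make_unique<InterpolableList>(values.size());
    for (std::size_t i = 0; i < values.size(); ++i)
      r->values[i] = values[i]->cloneAndZero();  // nullptr stored, never detected
    return r;
  }
};

// Assumed shape of one arc segment: two coordinates plus a flag. With
// use_bool_for_flag the flag is the old InterpolableBool; otherwise it is the
// InterpolableNumber the fix switched to.
std::unique_ptr<InterpolableList> makeArcSegment(bool use_bool_for_flag) {
  auto seg = std::make_unique<InterpolableList>(3);
  seg->values[0] = std::make_unique<InterpolableNumber>(20);
  seg->values[1] = std::make_unique<InterpolableNumber>(20);
  if (use_bool_for_flag)
    seg->values[2] = std::make_unique<InterpolableBool>(true);
  else
    seg->values[2] = std::make_unique<InterpolableNumber>(1);
  return seg;
}

// The check maybeConvertNeutral() would have needed: does the neutral value
// contain a missing child?
bool neutralValueHasNullChild(bool use_bool_for_flag) {
  auto neutral = makeArcSegment(use_bool_for_flag)->cloneAndZero();
  auto* list = static_cast<InterpolableList*>(neutral.get());
  for (const auto& child : list->values)
    if (!child) return true;
  return false;
}

// What the animation stack did next. Returns false where clone() would have
// faulted; the guard stands in for the crash so the example runs to completion.
bool neutralValueClonesSafely(bool use_bool_for_flag) {
  if (neutralValueHasNullChild(use_bool_for_flag)) return false;
  auto neutral = makeArcSegment(use_bool_for_flag)->cloneAndZero();
  return neutral->clone() != nullptr;
}

int main() {
  bool before = neutralValueClonesSafely(true);   // InterpolableBool flag: unsafe
  bool after = neutralValueClonesSafely(false);   // InterpolableNumber flag: fine
  return (!before && after) ? 0 : 1;
}
```

Deleting the guard in neutralValueClonesSafely() and building with -fsanitize=address reproduces the shape of the original report: a read of address 0 inside the InterpolableList copy constructor, reached from clone(). The broader lesson is the one the commit message states: a NOTREACHED() that falls through to "return nullptr" is not a contract, and every caller of a polymorphic clone must either be guaranteed a non-null result or check it.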
Comment 6 by bugdroid1@chromium.org (Project Member), Nov 9 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2439d975210aba96119d8b75633b9f5659563d00

commit 2439d975210aba96119d8b75633b9f5659563d00
Author: alancutter <alancutter@chromium.org>
Date: Wed Nov 09 11:06:24 2016

Remove InterpolableBool and existing use of it in SVG path interpolation

The InterpolableBool class should not be used as bools are not considered
interpolable. This change replaces the single use of it with
InterpolableNumber. This retains the existing behaviour but is not
ideal.

This change fixes a nullptr crash caused by the use of InterpolableBool.

BUG=662694

Review-Url: https://codereview.chromium.org/2487913002
Cr-Commit-Position: refs/heads/master@{#430907}

[add] https://crrev.com/2439d975210aba96119d8b75633b9f5659563d00/third_party/WebKit/LayoutTests/animations/d-path-neutral-value-crash.html
[modify] https://crrev.com/2439d975210aba96119d8b75633b9f5659563d00/third_party/WebKit/Source/core/animation/InterpolableValue.cpp
[modify] https://crrev.com/2439d975210aba96119d8b75633b9f5659563d00/third_party/WebKit/Source/core/animation/InterpolableValue.h
[modify] https://crrev.com/2439d975210aba96119d8b75633b9f5659563d00/third_party/WebKit/Source/core/animation/InterpolableValueTest.cpp
[modify] https://crrev.com/2439d975210aba96119d8b75633b9f5659563d00/third_party/WebKit/Source/core/animation/SVGPathSegInterpolationFunctions.cpp

Status: Fixed (was: Started)
Comment 8 by ClusterFuzz (Project Member), Nov 10 2016

ClusterFuzz has detected this issue as fixed in range 430893:430907.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6108539484635136

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::InterpolableList::InterpolableList
  blink::InterpolableList::create
  blink::InterpolableList::clone
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=370046:370064
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=430893:430907

Minimized Testcase (6.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96vxshGRYnsldb7mmlOeCGi1KY2EqCmw6viGUdSN7RpWXUROJuZRqBSZbsN1iNkYlD7L_vy7ib5b5shgBTKXlPXRPZGWDyndXRzy6BLkG70pQQvoXUON1R9UEwmH_QF38HhaGENbCha9f41aAFjvCBiq2KqJg?testcase_id=6108539484635136

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz-filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
