
Issue 662776 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Crash in SkAAClipBlitter::blitV

Reported by ClusterFuzz (Project Member), Nov 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4846459234287616

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  SkAAClipBlitter::blitV
  SkScan::aaa_fill_path
  SkScan::AAAFillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=430188:430191

Minimized Testcase (4.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94AUOsigVkTLc15oD1WMA-bAlXYxdm90CyQSdThzKBUwC9Zpxyxfni5eaqViUlgPgcl756nA8MVIEt9s1S4M3Xjh5hHpF9xzOUd5ZXrjurlIENwd4hK6H-lbfoljq5KLCvDoHLfycphYaQ6OFZCv6lI20ICgw?testcase_id=4846459234287616

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org bsalomon@chromium.org
Components: Internals>Skia
Labels: -Pri-1 -Type-Bug Test-Predator-Wrong-CLs M-56 Pri-2 Type-Bug-Regression
Owner: reed@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit results for internal purpose:

Suspected CLs: Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: reed@google.com
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/e36707a4a82a4dea7d480d969220f3ed223305dc
Time: Tue Oct 04 21:38:55 2011 +0000
The CL last changed line 894 of file SkAAClip.cpp, which is stack frame 0.

Author: reed@google.com
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/a4c6e4d6d3a4010df8dd2b04314675e4c201133b
Time: Wed Jun 20 14:29:50 2012 +0000
The CL last changed line 2027 of file SkAAClip.cpp, which is stack frame 1.

Author: liyuqian
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/38911a7cb53474575e1cd1cb545902b50ee00889
Time: Tue Oct 04 11:23:22 2016 -0700
The CL last changed line 1026 of file SkScan_AAAPath.cpp, which is stack frame 2.

Author: liyuqian
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/38911a7cb53474575e1cd1cb545902b50ee00889
Time: Tue Oct 04 11:23:22 2016 -0700
The CL last changed line 1205 of file SkScan_AAAPath.cpp, which is stack frame 3.

Author: liyuqian
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/2add0ffdaab4c33ca6702c81533c88c7b5ca7294
Time: Thu Oct 20 11:04:39 2016 -0700
The CL last changed line 1323 of file SkScan_AAAPath.cpp, which is stack frame 4.

Author: liyuqian
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/6a7287c14ba39784d66bb299a1340c0d7ca7b683
Time: Fri Oct 21 09:07:41 2016 -0700
The CL last changed line 1348 of file SkScan_AAAPath.cpp, which is stack frame 5.

Author: liyuqian
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/38911a7cb53474575e1cd1cb545902b50ee00889
Time: Tue Oct 04 11:23:22 2016 -0700
The CL last changed line 754 of file SkScan_AntiPath.cpp, which is stack frame 6.

Suspected Project: chromium-skia
Suspected Component: Internals>Skia

Assigning to Skia owners; could you please check the issue and help.


Comment 2 by hcm@google.com, Nov 7 2016

Cc: -bsalomon@chromium.org
Owner: liyuqian@chromium.org
Note: adding the Skia component is sufficient so we can triage and get to the appropriate owner; reed & bsalomon are getting too much bug noise.
Status: Started (was: Assigned)
https://codereview.chromium.org/2481703004/

Comment 4 by ClusterFuzz (Project Member), Nov 8 2016

ClusterFuzz has detected this issue as fixed in range 430262:430287.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4846459234287616

Fuzzer: miaubiz_svg_fuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  SkAAClipBlitter::blitV
  SkScan::aaa_fill_path
  SkScan::AAAFillPath
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=430188:430191
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=430262:430287

Minimized Testcase (4.66 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94AUOsigVkTLc15oD1WMA-bAlXYxdm90CyQSdThzKBUwC9Zpxyxfni5eaqViUlgPgcl756nA8MVIEt9s1S4M3Xjh5hHpF9xzOUd5ZXrjurlIENwd4hK6H-lbfoljq5KLCvDoHLfycphYaQ6OFZCv6lI20ICgw?testcase_id=4846459234287616

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz (Project Member), Nov 8 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Status: Started (was: Verified)

Comment 7 by bugdroid1@chromium.org (Project Member), Nov 9 2016

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/3ce89dad5bc324dad9c4b77393e16f3bcb7396a7

commit 3ce89dad5bc324dad9c4b77393e16f3bcb7396a7
Author: liyuqian <liyuqian@google.com>
Date: Wed Nov 09 16:53:39 2016

Fix the meaning of stop_y

stop_y means that we should stop exactly at stop_y, so the last row should be
[stop_y - 1, stop_y], not [stop_y, stop_y + 1].

Somehow this misunderstanding didn't trigger any issue until Chrome exercised
SkAAClip with some websites (e.g.,
http://www.lemonde.fr/elections-americaines/article/2016/11/07/deux-programmes-deux-visions-de-l-amerique_5026444_829254.html).
When we blit the extra row [stop_y, stop_y + 1], the SkAAClip will return
nullptr by findRow. Later, when that nullptr row is used to findX, the crash
happened.

BUG=chromium:662925, chromium:662776
GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=2481703004

Review-Url: https://codereview.chromium.org/2481703004

[modify] https://crrev.com/3ce89dad5bc324dad9c4b77393e16f3bcb7396a7/src/core/SkScan_AAAPath.cpp
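The off-by-one the commit message describes, shown as an added example that is not Skia's code and not taken from this bug: a constructed model of an SkAAClip-style row table, with the pre-fix reading of stop_y (inclusive last row) beside the post-fix reading (exclusive bound). Row, AAClipModel, BlitResult, scanRows, blitBeforeFix, blitAfterFix and makeClip are all assumed names for this illustration; the real SkAAClip::findRow, findX and SkScan::aaa_fill_path are not reproduced, and where the real blitter would dereference the nullptr row, the model counts it instead so the outcome can be inspected.

```cpp
#include <vector>

// Constructed stand-in for SkAAClip's row table. The real clip stores
// run-length coverage per row; here a row is only its y coordinate, because
// the behaviour that matters for this bug is whether findRow() finds it.
struct Row {
    int y;
};

struct AAClipModel {
    std::vector<Row> rows;  // one entry per device row y in [0, height)

    // Models the contract the commit message relies on: a row inside the clip
    // bounds comes back as a pointer, anything outside comes back as nullptr.
    const Row* findRow(int y) const {
        if (y < 0 || y >= static_cast<int>(rows.size())) {
            return nullptr;
        }
        return &rows[y];
    }
};

struct BlitResult {
    std::vector<int> rows_blitted;  // rows that actually received coverage
    int null_rows = 0;              // lookups that returned nullptr
};

// Shared scan loop: asks the clip for every row from first_y through last_y
// inclusive. In the real code a nullptr row would be handed to findX() and
// dereferenced; this model records it and moves on.
static BlitResult scanRows(const AAClipModel& clip, int first_y, int last_y) {
    BlitResult result;
    for (int y = first_y; y <= last_y; ++y) {
        const Row* row = clip.findRow(y);
        if (row == nullptr) {
            ++result.null_rows;
            continue;
        }
        result.rows_blitted.push_back(row->y);
    }
    return result;
}

// Before the fix: stop_y treated as the last row to blit, so the final row
// is [stop_y, stop_y + 1]. When stop_y equals the clip height that row does
// not exist and findRow() yields nullptr.
BlitResult blitBeforeFix(const AAClipModel& clip, int start_y, int stop_y) {
    return scanRows(clip, start_y, stop_y);
}

// After the fix: stop_y is an exclusive bound, so the final row is
// [stop_y - 1, stop_y] and every lookup stays inside the clip.
BlitResult blitAfterFix(const AAClipModel& clip, int start_y, int stop_y) {
    return scanRows(clip, start_y, stop_y - 1);
}

// Constructed sample input: a clip covering rows 0 .. height-1.
AAClipModel makeClip(int height) {
    AAClipModel clip;
    for (int y = 0; y < height; ++y) {
        clip.rows.push_back(Row{y});
    }
    return clip;
}

int main() {
    const AAClipModel clip = makeClip(4);
    // A path spanning the whole clip: start_y = 0, stop_y = clip height.
    const BlitResult before = blitBeforeFix(clip, 0, 4);
    const BlitResult after = blitAfterFix(clip, 0, 4);
    // before.null_rows is 1 (the phantom row 4); after.null_rows is 0.
    return (before.null_rows == 1 && after.null_rows == 0) ? 0 : 1;
}
```

The second failure mode is quieter: with stop_y strictly inside the clip, the pre-fix loop does not hit nullptr but still paints one row more than the path covers, which is why the misreading could sit unnoticed until a page drove the path edge onto the clip boundary.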

Status: Fixed (was: Started)

Comment 9 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
