Crash in SkSpecialImage_Gpu::onAsTextureRef

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6554254597947392

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  SkSpecialImage_Gpu::onAsTextureRef
  SkSpecialImage::asTextureRef
  SkImage::makeWithFilter

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=431896:432166

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97tGR-fmzvDbIA5kZLmAKnzEK7lDhl91BBYr-f0sIpN9-jyRW1xHMQcdGqPjp_MzeLG6yCmZ7G2FK0sY9fzsA2bVBPI7-kIx-R4U7Fn3ZSHKgRdrU9rax40CyVD3yDybi7JCCU3iCZkF16A3LTb_bDrrJVtiQ?testcase_id=6554254597947392

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Nov 17 2016

The following revision refers to this bug:
https://skia.googlesource.com/skia.git/+/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3

commit e60ad620fe236ce4c1e85a31bd53ed0c848da8c3
Author: Robert Phillips <robertphillips@google.com>
Date: Thu Nov 17 15:22:48 2016

Guard against instantiate & accessRenderTarget failures

Chrome's fuzzers have reminded me that, since we are deferring allocation, instantiate and accessRenderTarget can now fail further down the call stack.

This should probably be cherry picked back to M56.

BUG=665681,665500,665621
GOLD_TRYBOT_URL=https://gold.skia.org/search?issue=4929

Change-Id: I44d81ff29586dfe75ddda30b5ed8ca76354542d6
Reviewed-on: https://skia-review.googlesource.com/4929
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/include/gpu/GrRenderTargetContext.h
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/core/SkSpecialImage.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/effects/SkMorphologyImageFilter.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/gpu/GrClipStackClip.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/gpu/GrDrawingManager.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/gpu/GrPipeline.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/gpu/GrRenderTargetContext.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/gpu/GrRenderTargetOpList.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/image/SkImage_Gpu.cpp
[modify] https://crrev.com/e60ad620fe236ce4c1e85a31bd53ed0c848da8c3/src/image/SkSurface_Gpu.cpp

Nov 17 2016

The following revision refers to this bug:
https://skia.googlesource.com/skia.git/+/9fab7e98d711968df3ec4fd2f3fe5c40820b2a0d

commit 9fab7e98d711968df3ec4fd2f3fe5c40820b2a0d
Author: Robert Phillips <robertphillips@google.com>
Date: Thu Nov 17 17:45:04 2016

Remove accessRenderTarget call in SkGpuDevice ctor

This is a follow up to https://skia-review.googlesource.com/c/4929/ (Guard against instantiate & accessRenderTarget failures).

Rather than guard this call to accessRenderTarget I would prefer to remove it.

GOLD_TRYBOT_URL=https://gold.skia.org/search?issue=4961
BUG=665681,665500,665621

Change-Id: I2c9ec245491d9059de892b2e6a7d4a4de4accdfd
Reviewed-on: https://skia-review.googlesource.com/4961
Commit-Queue: Robert Phillips <robertphillips@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>

[modify] https://crrev.com/9fab7e98d711968df3ec4fd2f3fe5c40820b2a0d/src/core/SkSpecialSurface.cpp
[modify] https://crrev.com/9fab7e98d711968df3ec4fd2f3fe5c40820b2a0d/src/gpu/SkGpuDevice.cpp
[modify] https://crrev.com/9fab7e98d711968df3ec4fd2f3fe5c40820b2a0d/src/gpu/SkGpuDevice.h
[modify] https://crrev.com/9fab7e98d711968df3ec4fd2f3fe5c40820b2a0d/src/image/SkSurface_Gpu.cpp

Nov 18 2016

The following revision refers to this bug:
https://skia.googlesource.com/skia.git/+/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01

commit 833dcf48844dd053ddf7ecea20e3e1c2b6b47e01
Author: Robert Phillips <robertphillips@google.com>
Date: Fri Nov 18 13:44:13 2016

Add handling for instantiate failure up the call stack

The following two CLs were created via grep:

https://skia-review.googlesource.com/c/4929/ (Guard against instantiate & accessRenderTarget failures)
https://skia-review.googlesource.com/c/4961/ (Remove accessRenderTarget call in SkGpuDevice ctor)

This CL was created by running through all the tests and having instantiate fail so it catches up-stack failures to handle a null return.

BUG=665681,665500,665621
GOLD_TRYBOT_URL=https://gold.skia.org/search?issue=4991

Change-Id: I6611eec8d36679123eef140538ee2526fb18628f
Reviewed-on: https://skia-review.googlesource.com/4991
Commit-Queue: Robert Phillips <robertphillips@google.com>
Reviewed-by: Brian Salomon <bsalomon@google.com>

[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/core/SkBlurImageFilter.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/core/SkCanvas.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/core/SkSpecialSurface.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/effects/SkBlurMaskFilter.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/gpu/GrClipStackClip.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/gpu/GrContext.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/gpu/SkGpuDevice.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/gpu/effects/GrConfigConversionEffect.cpp
[modify] https://crrev.com/833dcf48844dd053ddf7ecea20e3e1c2b6b47e01/src/image/SkSurface_Gpu.cpp
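The three Skia CLs above all address the same failure class: once texture allocation is deferred, instantiate() can return null deep in the call stack, and any caller that dereferences the result without checking turns an allocation failure into the read at address 0 that ClusterFuzz reported. The following is an added, self-contained model of that pattern; it is not Skia code, and every name in it (DeferredProxy, Texture, instantiate, unguardedWidth, guardedWidth, the injected allocator) is an assumption for illustration only.

```cpp
#include <functional>
#include <memory>

// Constructed stand-in for a GPU texture; not Skia's type.
struct Texture { int width; int height; };

// The allocator is injected so a test can force allocation to fail, which is
// the path a fuzzer reaches when the GPU refuses to hand out a resource.
using Allocator = std::function<std::shared_ptr<Texture>(int, int)>;

// Constructed model of a deferred proxy: the backing texture is created on
// first use, so instantiate() may legitimately return null.
class DeferredProxy {
public:
    DeferredProxy(int w, int h, Allocator alloc) : w_(w), h_(h), alloc_(alloc) {}
    Texture* instantiate() {
        if (!tex_) tex_ = alloc_(w_, h_);
        return tex_.get();            // nullptr when allocation failed
    }
private:
    int w_, h_;
    Allocator alloc_;
    std::shared_ptr<Texture> tex_;
};

// Pattern behind the reported crash: the result of instantiate() is used
// without a check, so an allocation failure becomes a null dereference.
int unguardedWidth(DeferredProxy& p) {
    return p.instantiate()->width;
}

// Guarded form, as the CLs do: treat a null instantiate() as a recoverable
// failure and propagate it (here as -1) so each caller up the stack bails out.
int guardedWidth(DeferredProxy& p) {
    Texture* t = p.instantiate();
    if (!t) return -1;
    return t->width;
}

// Two constructed allocators: one that succeeds and one that always fails.
std::shared_ptr<Texture> okAlloc(int w, int h) {
    return std::make_shared<Texture>(Texture{w, h});
}
std::shared_ptr<Texture> failAlloc(int, int) { return nullptr; }
```

Only the guarded path is safe to exercise under the failing allocator; the unguarded one is kept to show exactly what the fuzzer hit.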

Nov 18 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/9e9ab305dbfc04013ad79bf8868af8fa5c9ed460

commit 9e9ab305dbfc04013ad79bf8868af8fa5c9ed460
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Fri Nov 18 21:03:50 2016

Roll src/third_party/skia/ 524f11a50..eaef61537 (30 commits).

https://skia.googlesource.com/skia.git/+log/524f11a50ab0..eaef615377bc

$ git log 524f11a50..eaef61537 --date=short --no-merges --format='%ad %ae %s'
2016-11-18 borenet [nobuildbot] Explicitly name all jobs
2016-11-17 borenet [nobuildbot] Remaining Android devices
2016-11-17 herb Use SkFixedAllocator in SkLinearPipeline and remove the embedding of the entire pipeline.
2016-11-17 xiangze.zhang Port convolve functions to SkOpts
2016-11-17 abarth Mark this file as executable
2016-11-17 mtklein perspective matrix
2016-11-17 mtklein repeat tiling
2016-11-17 mtklein Replace my confusion with a pointer to the explanation.
2016-11-17 brianosman In VS SLN fixup script, don't erase old files
2016-11-17 liyuqian Fix the quickSkFDot6Div range check
2016-11-17 bsalomon Rename GrTextureParams to GrSamplerParams
2016-11-17 mtklein Strength reduce bilerp to nearest neighbor when the matrix is integer translate.
2016-11-17 robertphillips Fix computation of texture size for approximately-fit deferred proxies
2016-11-17 jvanverth Fix double deletion of DescriptorSetLayouts
2016-11-17 herb Use SkSmallAllocator for Blender stage.
2016-11-17 mtklein Initialize all values we load.
2016-11-17 mtklein Be careful about types in SkNx_neon.h.
2016-11-17 bsalomon In GrProcessor::TextureSampler drop the "get", it's cleaner
2016-11-17 brianosman Always use GL_HALF_FLOAT_OES on ANGLE, even with ES3.
2016-11-17 mtklein Support SkImageShader in SkRasterPipeline blitter
2016-11-17 robertphillips Remove accessRenderTarget call in SkGpuDevice ctor
2016-11-17 bsalomon Remove unnecessary TextureSampler comparison in GrTextureDomainEffect.
2016-11-17 liyuqian Use SkFixedMul instead of SkFixedMul_lowprec
2016-11-17 robertphillips Guard against instantiate & accessRenderTarget failures
2016-11-17 mtklein Plumb filter quality into SkShader::appendStages().
2016-11-17 heather.castelli Update Skia milestone to 57
2016-11-17 bsalomon Rename GrTextureAccess to GrProcessor::TextureSampler.
2016-11-17 caryclark fix fuzzer crash
2016-11-17 rmistry Copy over git_utils from common and add GitLocalConfig
2016-11-16 chinmaygarde Disable the sources assignment filter for platform specific files.

BUG=665681,665500,665621,665681,665500,665621

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=stani@google.com

Review-Url: https://codereview.chromium.org/2511733006
Cr-Commit-Position: refs/heads/master@{#433297}

[modify] https://crrev.com/9e9ab305dbfc04013ad79bf8868af8fa5c9ed460/DEPS

Nov 19 2016

ClusterFuzz has detected this issue as fixed in range 433191:433320.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6554254597947392

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  SkSpecialImage_Gpu::onAsTextureRef
  SkSpecialImage::asTextureRef
  SkImage::makeWithFilter

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=431896:432166
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=433191:433320

Minimized Testcase (0.62 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97tGR-fmzvDbIA5kZLmAKnzEK7lDhl91BBYr-f0sIpN9-jyRW1xHMQcdGqPjp_MzeLG6yCmZ7G2FK0sY9fzsA2bVBPI7-kIx-R4U7Fn3ZSHKgRdrU9rax40CyVD3yDybi7JCCU3iCZkF16A3LTb_bDrrJVtiQ?testcase_id=6554254597947392

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 19 2016

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Nov 20 2016

The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8aa53c9b50de7f662697e64c1fe590d59ce6edcc

commit 8aa53c9b50de7f662697e64c1fe590d59ce6edcc
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Sun Nov 20 16:11:06 2016

Roll src/third_party/skia/ eaef61537..792d0f13d (18 commits).

https://skia.googlesource.com/skia.git/+log/eaef615377bc..792d0f13d6cb

$ git log eaef61537..792d0f13d --date=short --no-merges --format='%ad %ae %s'
2016-11-20 egdaniel Revert "switched skslc from std::string to SkString"
2016-11-20 egdaniel Revert "fixed iOS build failure"
2016-11-18 krasin Avoid unnecessary cast on a garbage data.
2016-11-18 mar.kazmierczak Fix typo in GrGLCaps
2016-11-18 reed android does not need XFERMODE_PUBLIC flag
2016-11-18 mtklein Revert "Turn off /arch:AVX[2] on Windows builds."
2016-11-18 mtklein mirror tiling
2016-11-18 bsalomon Make GrSwizzle::GrSwizzle() constexpr
2016-11-18 bsalomon Remove unnecessary attribute and varying type modifiers
2016-11-18 mtklein Build fiddle and public_headers_warnings_check only when skia_enable_tools.
2016-11-18 brianosman VS SLN script: Automatically determine which folder to use/copy
2016-11-18 mtklein Turn off /arch:AVX[2] on Windows builds.
2016-11-18 mtklein update G3 build after crrev.com/2500113004
2016-11-18 bsalomon Make GrBufferAccess a nested class of GrProcessor
2016-11-18 liyuqian Add test for QuickFDot6Div
2016-11-18 ethannicholas fixed iOS build failure
2016-11-17 ethannicholas switched skslc from std::string to SkString
2016-11-18 robertphillips Add handling for instantiate failure up the call stack

BUG=666707,665681,665500,665621

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=egdaniel@google.com

Review-Url: https://codereview.chromium.org/2516183002
Cr-Commit-Position: refs/heads/master@{#433454}

[modify] https://crrev.com/8aa53c9b50de7f662697e64c1fe590d59ce6edcc/DEPS

Nov 21 2016

https://skia-review.googlesource.com/c/5081/ (Cherry pick fuzzer fixes back to M56)

This is a cherry pick to the Skia M56 branch.

Nov 21 2016

[Automated comment] DEPS changes referenced in bugdroid comments, needs manual review.

Nov 21 2016

Nov 22 2016

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Nov 28 2016

LGTM, approving for merge into 56

Nov 28 2016

The following revision refers to this bug:
https://skia.googlesource.com/skia.git/+/24f636fc9e5b0b869a84004a1afe877884c406a1

commit 24f636fc9e5b0b869a84004a1afe877884c406a1
Author: Robert Phillips <robertphillips@google.com>
Date: Mon Nov 21 14:03:54 2016

Cherry pick fuzzer fixes back to M56

This cherry-pick combines 3 fuzzer-fix CLs:

These two rolled into Chrome in https://codereview.chromium.org/2511733006 at 433297 on 11/18
https://skia-review.googlesource.com/c/4961/ (Remove accessRenderTarget call in SkGpuDevice ctor)
https://skia-review.googlesource.com/c/4929/ (Guard against instantiate & accessRenderTarget failures)

This one rolled into Chrome in https://codereview.chromium.org/2516183002 at 433454 on 11/20
https://skia-review.googlesource.com/c/4991/ (Add handling for instantiate failure up the call stack)

Together they address the fuzzer bugs:
crbug.com/665681 P1 (Crash in SkSpecialImage_Gpu::onAsTextureRef)
crbug.com/665621 P1 (Crash in GrGpuCommandBuffer::draw)
crbug.com/665500 P1 (Crash in GrDrawBatch::renderTargetUniqueID)

The fuzzer bugs were fixed by the first two patches but the third is going to be necessary too.

BUG=665681,665500,665621
GOLD_TRYBOT_URL=https://gold.skia.org/search?issue=5081
NOTREECHECKS=true
NOTRY=true
NOPRESUBMIT=true

Change-Id: I3a8b70eae29ac11608e062e66bc26c2208c1dfb3
Reviewed-on: https://skia-review.googlesource.com/5081
Reviewed-by: Brian Salomon <bsalomon@google.com>
Reviewed-by: Heather Miller <hcm@google.com>
Commit-Queue: Robert Phillips <robertphillips@google.com>

[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/include/gpu/GrRenderTargetContext.h
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/core/SkBlurImageFilter.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/core/SkCanvas.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/core/SkSpecialImage.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/core/SkSpecialSurface.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/effects/SkBlurMaskFilter.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/effects/SkMorphologyImageFilter.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/GrClipStackClip.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/GrContext.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/GrDrawingManager.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/GrPipeline.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/GrRenderTargetContext.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/GrRenderTargetOpList.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/SkGpuDevice.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/SkGpuDevice.h
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/gpu/effects/GrConfigConversionEffect.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/image/SkImage_Gpu.cpp
[modify] https://crrev.com/24f636fc9e5b0b869a84004a1afe877884c406a1/src/image/SkSurface_Gpu.cpp

Dec 2 2016

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time!

To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot

Dec 2 2016
Comment 1 by msrchandra@chromium.org, Nov 16 2016

Components: Internals>Skia
Labels: Test-Predator-Correct-CLs
Owner: robertphillips@chromium.org
Status: Assigned (was: Untriaged)