No possible suspects from find it and there is no regression range in the details report.
Assigning to the concern owner using Code Search for the file, "JPEGImageDecoder.cpp"

Suspecting Commit#75bac58d037d14d78babf75e674654062a1c85eb
Suspecting Review URL# https://codereview.chromium.org/2482883002

@msarett -- Could you please look into the issue, kindly re-assign if this is not related to your change.
Thank You.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Adding Chris because this appears to be related to the color correct rendering flag.  I don't think this is a big deal, since color correct rendering is test only right now.

Hmm, odd. I've seen some of these before, but they all spontaneously resolved.

The clusterfuzz trace suggests that a Deferred image decode happening on the cc raster thread is trying to access the webkit thread (by reading the color correct rendering flag stored therein) ... 

And so a racy crash here if the webkit thread no longer exists, eg. at tab shutdown.  Blink deferred image decodes should not try access webkit thread state, right?

 Issue 668556  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 435416:435480.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5290027937693696

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_tsan_chrome_mp
Platform Id: linux

Crash Type: Data race READ 1
Crash Address: 0x7fb8bb2429b0
Crash State:
  blink::ImageFrame::setSizeAndColorSpace
  blink::JPEGImageDecoder::outputScanlines
  blink::JPEGImageReader::decode
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=411233:411257
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_tsan_chrome_mp&range=435416:435480

Minimized Testcase (0.09 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94wrpkE0lECVPyzNPWABiyZlweRKswDeL7R4kyGTwVmZQ5LUh2XkWQ-wIjBqQ4StSALuLGY1ESDHeAfI62rNWK2zj01CWPtsU0RG1pIBS2SDh0Mtzc7_2yR_Xq_ETzoWNT0thAsWdodC8qnutlVzbsRfUrLIg?testcase_id=5290027937693696
<meta http-equiv="refresh" content="0; url=http://madisonscottishcountrydancers.org/"</html>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This was probably fixed by crrev.com/435478 -- that patch made it so that we no longer query the color profile from a global variable during decode.

Now we pass it in at ImageDecoder creation time.

Yeap, agree.