Howdy, your CL (https://skia.googlesource.com/skia.git/+/9b8c036eda7ca8dde40e76dcd9378b3ddd629c8b) introduces the code which triggers this heap buffer overflow from ClusterFuzz. Please take a look ASAP, thanks!

Probably an AAA-related crash?  blit_aaa_trapezoid_row is on the stack.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Should fix in https://skia-review.googlesource.com/c/5266/

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/dd13c020793b0a7fb2ac1f22024e9fb91ea483ef

commit dd13c020793b0a7fb2ac1f22024e9fb91ea483ef
Author: Yuqian Li <liyuqian@google.com>
Date: Mon Nov 28 15:31:58 2016

Add the missing shift to the dy

BUG= chromium:668907 

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=5266

Change-Id: I6d3e56ffc149fbeac6f7a2df740542abbf84dac8
Reviewed-on: https://skia-review.googlesource.com/5266
Reviewed-by: Cary Clark <caryclark@google.com>
Commit-Queue: Yuqian Li <liyuqian@google.com>

[modify] https://crrev.com/dd13c020793b0a7fb2ac1f22024e9fb91ea483ef/src/core/SkAnalyticEdge.cpp
[modify] https://crrev.com/dd13c020793b0a7fb2ac1f22024e9fb91ea483ef/tests/PathTest.cpp

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/44be067730b9bff2027b41691587a1b0454966a1

commit 44be067730b9bff2027b41691587a1b0454966a1
Author: Yuqian Li <liyuqian@google.com>
Date: Mon Nov 28 21:38:18 2016

Revert "Add the missing shift to the dy"

This reverts commit dd13c020793b0a7fb2ac1f22024e9fb91ea483ef.

Reason for revert: this breaks the Chromium DEPS roll as we break the layout_tests. I'll add a flag to guard the change in the future and enable the flag while change the layout_tests.

Original change's description:
> Add the missing shift to the dy
> 
> BUG= chromium:668907 
> 
> GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=5266
> 
> Change-Id: I6d3e56ffc149fbeac6f7a2df740542abbf84dac8
> Reviewed-on: https://skia-review.googlesource.com/5266
> Reviewed-by: Cary Clark <caryclark@google.com>
> Commit-Queue: Yuqian Li <liyuqian@google.com>
> 

TBR=mtklein@chromium.org,caryclark@google.com,liyuqian@google.com,reed@google.com,reviews@skia.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true

Change-Id: Ifd5aa50f155c3ebe2f1495cbf3b8dd706211a639
Reviewed-on: https://skia-review.googlesource.com/5286
Commit-Queue: Yuqian Li <liyuqian@google.com>
Reviewed-by: Yuqian Li <liyuqian@google.com>

[modify] https://crrev.com/44be067730b9bff2027b41691587a1b0454966a1/src/core/SkAnalyticEdge.cpp
[modify] https://crrev.com/44be067730b9bff2027b41691587a1b0454966a1/tests/PathTest.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b4ee4bffa0c144adfb16968ca3645bc624e938db

commit b4ee4bffa0c144adfb16968ca3645bc624e938db
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Tue Nov 29 04:21:16 2016

Roll src/third_party/skia/ d5de01364..99ab92b59 (22 commits).

https://skia.googlesource.com/skia.git/+log/d5de01364378..99ab92b5958a

$ git log d5de01364..99ab92b59 --date=short --no-merges --format='%ad %ae %s'
2016-11-28 raftias Moved A2B0 profile parsing before XYZ
2016-11-28 mtklein Consistent naming.
2016-11-28 reed use raster-pipeline in readPixels
2016-11-28 ethannicholas added support for layout(offset=...) to skslc
2016-11-28 benjaminwagner Merge changes from internal cl/140385880.
2016-11-28 mtklein simplify
2016-11-28 liyuqian Revert "Add the missing shift to the dy"
2016-11-28 mtklein Convert blitter over to new style from_srgb, to_srgb.
2016-11-28 lsalzman use __BYTE_ORDER__ macro to detect endianness when available
2016-11-28 brianosman Narrow the SkImageGenerator interface
2016-11-28 bsalomon Remove old driver bug workaround for glTexStorage.
2016-11-28 borenet Roll recipe DEPS
2016-11-28 ethannicholas unified ASTLayout/Layout and ASTModifiers/Modifiers
2016-11-28 ethannicholas removed textureProj() and legacy texture functions from sksl
2016-11-28 reed simplify SkConfig8888 logic: just fall-through if memcpy case isn't supported
2016-11-28 mtklein Split srgb out of accum stages.
2016-11-28 raftias Fuzzer fix for overflow in some Lut8 profiles.
2016-11-28 mtklein Fix unpremul stage.
2016-11-28 liyuqian Add the missing shift to the dy
2016-11-28 brianosman GrTextureProducer cleanup, phase two: Producer, Adjuster, Maker
2016-11-22 mtklein Guard against buggy ucrt\math.h.
2016-11-22 ethannicholas baked in a few more precision modifiers

BUG= 668784 , 668907 , 666707 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=brianosman@google.com

Review-Url: https://codereview.chromium.org/2532083003
Cr-Commit-Position: refs/heads/master@{#434889}

[modify] https://crrev.com/b4ee4bffa0c144adfb16968ca3645bc624e938db/DEPS

The following revision refers to this bug:
  https://skia.googlesource.com/skia.git/+/79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640

commit 79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640
Author: Yuqian Li <liyuqian@google.com>
Date: Tue Nov 29 20:02:49 2016

Add the missing shift to the dy

This is identical to https://skia-review.googlesource.com/c/5266/ except for
the SK_ANALYTIC_AA_GUARD flag.

BUG= chromium:668907 

GOLD_TRYBOT_URL= https://gold.skia.org/search?issue=5302

Change-Id: I3fc225a925d21fe615c46a4a0be7fe33c5790766
Reviewed-on: https://skia-review.googlesource.com/5302
Commit-Queue: Yuqian Li <liyuqian@google.com>
Reviewed-by: Cary Clark <caryclark@google.com>

[modify] https://crrev.com/79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640/src/core/SkAnalyticEdge.cpp
[modify] https://crrev.com/79252f7997f2f5b90a72d2c7bd5f6aa8a58ee640/tests/PathTest.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f9491858d66bfa61bb5d4641ea8df6df9fdae5a0

commit f9491858d66bfa61bb5d4641ea8df6df9fdae5a0
Author: skia-deps-roller <skia-deps-roller@chromium.org>
Date: Wed Nov 30 08:57:33 2016

Roll src/third_party/skia/ 56b507925..84aa30d39 (24 commits).

https://skia.googlesource.com/skia.git/+log/56b50792531c..84aa30d39e7e

$ git log 56b507925..84aa30d39 --date=short --no-merges --format='%ad %ae %s'
2016-11-29 liyuqian Add additional guard to the Analytic AA change
2016-11-29 bsalomon Make pipeline getter a GrDrawBatch::pipeline() a protected method.
2016-11-29 msarett Fixes for SkColorLookUpTable::interp3D
2016-11-29 mtklein support a8
2016-11-20 fmalita Fuzzer assert in GradientShaderBase4fContext::TSampler
2016-11-29 bsalomon Remove caps image storage caps hack.
2016-11-29 bsalomon Rename SkSL::GLSLCapsFactory to SkSL::ShaderCapsFactory
2016-11-29 mtklein Make SkNWayCanvas use conservative clipping.
2016-11-29 brianosman In GetResourceAsBitmap, don't crash if the resource is missing
2016-11-29 liyuqian Add the missing shift to the dy
2016-11-29 bsalomon Rename vars and functions from 'glslcaps'->'shadercaps'
2016-11-29 mtklein teach MSAN about maskload
2016-11-29 bsalomon Merge GrGLSLCaps into GrShaderCaps
2016-11-28 msarett Delete unnecessary SkSurface_Base API
2016-11-28 msarett Remove duplicate storage of fCanvas in SkOverdrawCanvas
2016-11-29 mtklein gather_i8
2016-11-29 kjlubick Fix fuzzRange
2016-11-29 bsalomon Rm assert that image texture array is null unless GrCaps has images support.
2016-11-29 liyuqian Use AdditiveBlitter for partial rows
2016-11-28 jvanverth Add #define for Nsight compatibility
2016-11-29 jcgregorio Revert "Use /MD for Windows builds."
2016-11-29 liyuqian Compute slope using fSnappedY
2016-11-29 kjlubick Fix DrawFunctions fuzzer to initialize bitmaps
2016-11-28 bsalomon Fix documents for creating a GPU surface.

BUG= 668925 , 668907 

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, see:
http://www.chromium.org/developers/tree-sheriffs/sheriff-details-chromium#TOC-Failures-due-to-DEPS-rolls

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel
TBR=brianosman@google.com

Review-Url: https://codereview.chromium.org/2534343002
Cr-Commit-Position: refs/heads/master@{#435183}

[modify] https://crrev.com/f9491858d66bfa61bb5d4641ea8df6df9fdae5a0/DEPS

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b0622c15226e2c82d2ed5897167837bcb3130c3c

commit b0622c15226e2c82d2ed5897167837bcb3130c3c
Author: liyuqian <liyuqian@google.com>
Date: Thu Dec 01 15:23:02 2016

Enable Analytic AA Fix

BUG= chromium:668907 

Review-Url: https://codereview.chromium.org/2538943002
Cr-Commit-Position: refs/heads/master@{#435609}

[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/skia/config/SkUserConfig.h
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/compositing/rounded-corners-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/css3/masking/clip-path-circle-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/css3/masking/clip-path-circle-overflow-hidden-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/css3/masking/clip-path-restore-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/background-color-image-border-radius-bleed-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/background-leakage-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/background-multi-image-border-radius-bleed-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/gradient-background-leakage-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/backgrounds/repeat/noRepeatCorrectClip-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-background-constrained-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-different-width-001-double-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-different-width-001-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-groove-01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-groove-02-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-groove-03-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-valid-border-clipping-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-wide-border-02-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-wide-border-04-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-radius-with-box-shadow-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/border-shadow-large-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusArcs01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDashed06-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDotted06-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble03-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble06-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusDouble08-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusGroove01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusGroove02-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusInset01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusOutset01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusRidge01-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/borderRadiusSlope-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/fieldsetBorderRadius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/mixed-border-styles-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/borders/mixed-border-styles-radius2-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/box-shadow-clipped-slices-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/box-shadow-with-zero-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/inset-box-shadows-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/shadow-tiling-artifact-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/spread-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/box-shadow/spread-multiple-normal-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/canvas/canvas-arc-circumference-fill-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/canvas/canvas-composite-transformclip-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/canvas/canvas-ellipse-circumference-fill-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/css/background-clip-radius-values-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/css/box-shadow-and-border-radius-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/fast/dynamic/first-letter-after-list-marker-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/fill-opacity-update-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/invalidate-on-child-layout-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/mask-clip-target-transform-expected.png
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/paint/invalidation/svg/resource-invalidate-on-target-update-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/animation/computed-style-during-delay-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/backing/no-backing-foreground-layer-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/contents-opaque/layer-transform-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/contents-opaque/visibility-hidden-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/draws-content/canvas-background-layer-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/layer-creation/fixed-position-out-of-view-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/reflections/empty-reflection-with-mask-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/compositing/transitions/opacity-on-inline-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css1/units/rounding-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/device-adapt/viewport-insert-rule-after-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/device-adapt/viewport-insert-rule-before-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/filters/crash-hw-sw-switch-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/css3/masking/clip-path-reference-of-fake-clipPath-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/editability/empty-document-justify-right-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/inserting/5685601-2-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/pasteboard/pasting-empty-html-falls-back-to-text-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/selection/5794920-1-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/shadow/delete-characters-in-distributed-node-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/editing/undo/orphaned-selection-crash-bug32823-3-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/animation/request-animation-frame-callback-id-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/autoresize/turn-off-autoresize-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/block/line-layout/inline-box-wrapper-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/block/line-layout/line-break-obj-removal-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/borders/negative-border-width-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/constructors/blob-sparse-array-assertion-failure-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/constructors/constructor-as-function-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/dom/Window/window-scaled-viewport-properties-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/dom/element-bounding-client-rect-relative-to-viewport-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/adjacent-html-context-element-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/article-element-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/body-offset-properties-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/crash-style-first-letter-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/details-element-render-inline-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/empty-fragment-id-goto-top-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/font-face-empty-should-not-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/process-end-tag-for-inbody-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/tabindex-removal-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/html/xhtml-serialize-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline-block/anonymous-block-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline-block/inline-block-vertical-align-2-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline-block/relative-positioned-rtl-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/fixed-pos-moves-with-abspos-parent-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/inline-body-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/inline-body-with-scrollbar-crash-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/skipped-whitespace-boundingBox-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/inline/skipped-whitespace-client-rect-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/005-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-case-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-iframe-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-nbsp-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/innerHTML-script-tag-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/innerHTML/javascript-url-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/add-to-primitive-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/direct-entry-to-function-code-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/do-while-expression-value-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/do-while-without-semicolon-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/exception-thrown-from-equal-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/exception-thrown-from-eval-inside-closure-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/exception-thrown-from-function-with-lazy-activation-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/B.1.1-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/regress-532041-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/regress-532254-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/strict-this-is-not-truthy-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/this-for-function-expression-recursion-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/mozilla/strict/unbrand-this-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/trivial-functions-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/var-declarations-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/vardecl-preserve-parameters-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/js/while-expression-value-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/media/matchmedium-query-api-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/replaced/computed-image-width-with-percent-height-inside-table-cell-and-fixed-ancestor-vertical-lr-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/replaced/image-map-2-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/ruby/before-block-doesnt-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/fast/writing-mode/percentage-padding-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/http/tests/download/inherited-encoding-form-submission-result-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/http/tests/security/no-javascript-refresh-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/link-body-content-imageDimensionChanged-crash-expected.txt
[modify] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/paletted-png-with-color-profile-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/paletted-png-with-color-profile-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/percent-height-image-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/png-extra-row-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/script-counter-imageDimensionChanged-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/size-failure-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/style-access-during-imageChanged-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/images/text-content-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/printing/css2.1/page-break-before-001-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/svg/animations/animate-update-crash-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/svg/carto.net/frameless-svg-parse-error-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/svg/in-html/svg-assert-failure-percentage-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/svg/stroke/zero-width-hang-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/transforms/3d/hit-testing/rotated-hit-test-with-child-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/virtual/media-gpu-accelerated/media/video-autoplay-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/virtual/media-gpu-accelerated/media/video-autoplay-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/webaudio/codec-tests/wav/24bit-22khz-resample-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/webaudio/codec-tests/wav/24bit-22khz-resample-expected.txt
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/webaudio/codec-tests/wav/24bit-44khz-expected.png
[add] https://crrev.com/b0622c15226e2c82d2ed5897167837bcb3130c3c/third_party/WebKit/LayoutTests/platform/android/webau

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25e7d9294677e6ebfc4add4d3a665d4cafa52e5c

commit 25e7d9294677e6ebfc4add4d3a665d4cafa52e5c
Author: jbroman <jbroman@chromium.org>
Date: Thu Dec 01 16:33:36 2016

Remove failing expectation for http/tests/preload/dynamic_remove_preload_href.html.

Seems to have been erroneously added as part of "Enable Analytic AA Fix":
https://codereview.chromium.org/2538943002

BUG= 668907 
TBR=liyuqian@google.com,fmalita@chromium.org
NOTRY=true

Review-Url: https://codereview.chromium.org/2534313005
Cr-Commit-Position: refs/heads/master@{#435624}

[delete] https://crrev.com/a3baa5f8c33d60a57fc98d211da1d168c093ae52/third_party/WebKit/LayoutTests/platform/linux/http/tests/preload/dynamic_remove_preload_href-expected.txt

ClusterFuzz has detected this issue as fixed in range 435598:435621.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6738595726753792

Fuzzer: libfuzzer_skia_path_fuzzer
Job Type: libfuzzer_chrome_asan
Platform Id: linux

Crash Type: Heap-buffer-overflow WRITE 2
Crash Address: 0x61700000007e
Crash State:
  SkAlphaRuns::Break
  add
  RunBasedAdditiveBlitter::blitAntiH
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=434559:434567
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan&range=435598:435621

Minimized Testcase (0.05 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97DqUotSj3TbMJJ7ny4rG9jzffiy1fOHc54zSNiVTeHLLsLoNeqkvSgWT387k_UYZvOAKOBmQomypKGu9Bdb88volnwTWjMDWBe7T7r_F5cCCBfSb2zAPEDow3AoLPSQeBnnJqc0Aenz3iseRep_mtzxwQ8Aw?testcase_id=6738595726753792

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

tom@mozilla.com has asked to be CC'd on this bug in the hopes of pulling in the right patches to Mozilla. WDYT?

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot