Bad-cast to const blink::BeginFilterDisplayItem from blink::DrawingDisplayItem;blink::BeginFilterDisplayItem::equals;blink::PaintController::checkUnderInvalidation
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5918821207769088

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x1fbd83a41a50
Crash State:
  Bad-cast to const blink::BeginFilterDisplayItem from blink::DrawingDisplayItem
  blink::BeginFilterDisplayItem::equals
  blink::PaintController::checkUnderInvalidation

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=422899:423265

Minimized Testcase (1.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jKCayFfTe6TSVaiUXy3pbZKQDGAuGVK1wmzX4ww969jvTlD5X8TYI6vmIuweKxfZ-w8gYgAJ_vFSQ61-W07_0sRkz7f0hxVWlblODOQH2YQF0vlJcgiNWzrQVkJiyJDW4Pf1dPDILytc5AhHxusc_QV_IF-OffS0Ni56nTbp6SBg45fXrYsDDdFTP6JJTlS-YU5aOzr9ILENQBlLiyJ8LxRu9A6aD7lADHbvW_gqQftpiM4IeHGmFfMG7p8WpvX6gz4LN8JFwDM1CVVc_Zyp6CK_Kqj8Fz9MzHWtwjxwLrn-mQoikpS0sQDXfCAwxWWp-6pjwRazLwDXXVGXAjOWIwzKnGn18dC7-em9mJKidPiKwukzSI-IMYjpZMZRWc2n0s2hPaKZaFZr2aihPNncYYSN9Wg?testcase_id=5918821207769088

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
,
Jan 10 2017
,
Jan 11 2017
,
Jan 14 2017
,
Jan 17 2017
wangxianzhu: can you take a look at this please?
,
Jan 17 2017
This is an under-invalidation. It doesn't have security impact because we won't access any field of the target type before returning from the method. We can avoid the cast failure though, and definitely should fix the under-invalidation.
,
Jan 17 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b09bc11cad3b56a0fa31387df5afae73cd95a053

commit b09bc11cad3b56a0fa31387df5afae73cd95a053
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Tue Jan 17 21:49:56 2017

Fix FilterDisplayItem::equals()

- DisplayItem::equals() should be checked before casting in case that |other| is not a BeginFilterDisplayItem, to avoid bad-cast errors on asan.
- Add equality checking for m_compositorFilterOperations.

BUG=679717
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2642473002
Cr-Commit-Position: refs/heads/master@{#444155}

[modify] https://crrev.com/b09bc11cad3b56a0fa31387df5afae73cd95a053/third_party/WebKit/Source/platform/graphics/CompositorFilterOperations.cpp
[modify] https://crrev.com/b09bc11cad3b56a0fa31387df5afae73cd95a053/third_party/WebKit/Source/platform/graphics/CompositorFilterOperations.h
[modify] https://crrev.com/b09bc11cad3b56a0fa31387df5afae73cd95a053/third_party/WebKit/Source/platform/graphics/paint/FilterDisplayItem.h
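The pattern the commit describes (compare the base-class fields, including the item type, before static_cast-ing |other| to the derived type) as a stand-alone C++ illustration added here; this is not Blink's code. The class names follow the crash state, but the fields (a client pointer, a type tag, a picture id, filter bounds, a list of filter operation strings), the equalsUnchecked helper that shows the pre-fix ordering, and the firstUnderInvalidation walker that stands in for PaintController::checkUnderInvalidation are simplified, hypothetical stand-ins.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for Blink's display item hierarchy; not Blink code.
// Each item records which client painted it and a type tag. Comparing the
// tag is what makes a later static_cast to the derived type legitimate.
class DisplayItem {
 public:
  enum class Type { kDrawing, kBeginFilter };

  DisplayItem(const void* client, Type type) : client_(client), type_(type) {}
  virtual ~DisplayItem() = default;

  Type type() const { return type_; }

  // Base equality: same client and same type.
  virtual bool equals(const DisplayItem& other) const {
    return client_ == other.client_ && type_ == other.type_;
  }

 private:
  const void* client_;
  Type type_;
};

// Simplified stand-in for CompositorFilterOperations: an ordered list of ops.
struct FilterOperations {
  std::vector<std::string> ops;
  bool operator==(const FilterOperations& o) const { return ops == o.ops; }
};

class DrawingDisplayItem : public DisplayItem {
 public:
  DrawingDisplayItem(const void* client, int picture_id)
      : DisplayItem(client, Type::kDrawing), picture_id_(picture_id) {}

  bool equals(const DisplayItem& other) const override {
    if (!DisplayItem::equals(other)) return false;  // type tags match past here
    return picture_id_ == static_cast<const DrawingDisplayItem&>(other).picture_id_;
  }

 private:
  int picture_id_;
};

class BeginFilterDisplayItem : public DisplayItem {
 public:
  BeginFilterDisplayItem(const void* client, FilterOperations filter, float w, float h)
      : DisplayItem(client, Type::kBeginFilter), filter_(std::move(filter)), w_(w), h_(h) {}

  // Pre-fix ordering: the downcast happens before anything has confirmed that
  // |other| is really a BeginFilterDisplayItem. Called with a DrawingDisplayItem,
  // the static_cast is the bad-cast that -fsanitize=vptr reports, even though no
  // derived field is read before the base check fails. Shown for shape only;
  // never call it with an item of another type.
  bool equalsUnchecked(const DisplayItem& other) const {
    const auto& o = static_cast<const BeginFilterDisplayItem&>(other);
    return DisplayItem::equals(other) && w_ == o.w_ && h_ == o.h_;
  }

  // Post-fix ordering: the base check (which compares the type tag) gates the
  // downcast, and the filter operations are part of the comparison.
  bool equals(const DisplayItem& other) const override {
    if (!DisplayItem::equals(other)) return false;
    const auto& o = static_cast<const BeginFilterDisplayItem&>(other);
    return w_ == o.w_ && h_ == o.h_ && filter_ == o.filter_;
  }

 private:
  FilterOperations filter_;
  float w_, h_;
};

// Shape of the under-invalidation check: walk the freshly painted list against
// the cached one and return the index of the first item that differs, or -1.
// A type change at position i (filter item replaced by a drawing item) is now
// reported as a mismatch instead of reaching a downcast.
int firstUnderInvalidation(const std::vector<const DisplayItem*>& cached,
                           const std::vector<const DisplayItem*>& fresh) {
  const std::size_t n = std::min(cached.size(), fresh.size());
  for (std::size_t i = 0; i < n; ++i)
    if (!cached[i]->equals(*fresh[i])) return static_cast<int>(i);
  return cached.size() == fresh.size() ? -1 : static_cast<int>(n);
}

static FilterOperations blur() { FilterOperations f; f.ops = {"blur(2px)"}; return f; }

// Constructed scenario matching the crash state: the cached list starts with a
// filter item, the new list has a drawing item at the same index. Returns 0.
int crashScenarioMismatchIndex() {
  int client = 0;
  BeginFilterDisplayItem cachedFilter(&client, blur(), 10.f, 20.f);
  DrawingDisplayItem cachedDrawing(&client, 1);
  DrawingDisplayItem freshA(&client, 1);
  DrawingDisplayItem freshB(&client, 1);
  return firstUnderInvalidation({&cachedFilter, &cachedDrawing}, {&freshA, &freshB});
}

// Second half of the fix: differing filter operations compare unequal.
bool differentFilterOpsCompareEqual() {
  int client = 0;
  FilterOperations gray; gray.ops = {"grayscale(1)"};
  BeginFilterDisplayItem a(&client, blur(), 10.f, 20.f);
  BeginFilterDisplayItem b(&client, gray, 10.f, 20.f);
  return a.equals(b);
}

bool identicalFiltersCompareEqual() {
  int client = 0;
  BeginFilterDisplayItem a(&client, blur(), 10.f, 20.f);
  BeginFilterDisplayItem b(&client, blur(), 10.f, 20.f);
  return a.equals(b);
}
```

Building this with clang and -fsanitize=vptr and calling equalsUnchecked with a DrawingDisplayItem argument reproduces a report of the same shape as the one ClusterFuzz filed (a downcast to BeginFilterDisplayItem of an object that is not one); the overridden equals never performs that cast when the type tags differ, which is why the walker above returns a mismatch index rather than tripping the sanitizer.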
,
Jan 18 2017
ClusterFuzz has detected this issue as fixed in range 444071:444176.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5918821207769088

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x1fbd83a41a50
Crash State:
  Bad-cast to const blink::BeginFilterDisplayItem from blink::DrawingDisplayItem
  blink::BeginFilterDisplayItem::equals
  blink::PaintController::checkUnderInvalidation

Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=422899:423265
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=444071:444176

Minimized Testcase (1.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jKCayFfTe6TSVaiUXy3pbZKQDGAuGVK1wmzX4ww969jvTlD5X8TYI6vmIuweKxfZ-w8gYgAJ_vFSQ61-W07_0sRkz7f0hxVWlblODOQH2YQF0vlJcgiNWzrQVkJiyJDW4Pf1dPDILytc5AhHxusc_QV_IF-OffS0Ni56nTbp6SBg45fXrYsDDdFTP6JJTlS-YU5aOzr9ILENQBlLiyJ8LxRu9A6aD7lADHbvW_gqQftpiM4IeHGmFfMG7p8WpvX6gz4LN8JFwDM1CVVc_Zyp6CK_Kqj8Fz9MzHWtwjxwLrn-mQoikpS0sQDXfCAwxWWp-6pjwRazLwDXXVGXAjOWIwzKnGn18dC7-em9mJKidPiKwukzSI-IMYjpZMZRWc2n0s2hPaKZaFZr2aihPNncYYSN9Wg?testcase_id=5918821207769088

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 18 2017
ClusterFuzz testcase 5918821207769088 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
,
Jan 18 2017
Reopen because the underlying under-invalidation has not been fixed.
,
Oct 12 2017
No under-invalidation reported when running the test on ToT.
Comment 1 by sheriffbot@chromium.org, Jan 10 2017