enne@ can you please take a look at this? Clusterfuzz points to https://chromium.googlesource.com/chromium/src/+/762276ecdfbff938d3b7431ad0ed00c3ab6a4136 which seems like a believable suspect CL.

thanks!

I'll take a look.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6667be4ffb8c4e01654f2dc2471371e83dfecacd

commit 6667be4ffb8c4e01654f2dc2471371e83dfecacd
Author: enne <enne@chromium.org>
Date: Tue Mar 07 18:58:47 2017

Revert of Make cc/paint have concrete types (patchset #36 id:700001 of https://codereview.chromium.org/2690583002/ )

Reason for revert:
Invalid casts from SkMiniPicture to PaintRecord

BUG= 699105 

Original issue's description:
> Make cc/paint have concrete types
>
> This changes PaintCanvas, PaintFlags, PaintSurface, and PaintRecorder
> to all be real types (that forward to Skia types internally).  PaintShader
> is left as-is for now.  This will force callers to use the correct
> types in the rest of Chromium as the internals of these classes are
> rewritten in future patches.
>
> This code also changes a number of callers elsewhere in the codebase
> that want to wrap an SkCanvas in a PaintCanvas.  As SkCanvas has no
> constructor that takes an SkCanvas*, this change had to wait for this
> final conversion patch.
>
> In general, if code wants to raster directly into a bitmap with local
> code, it should use Skia directly.  If code wants to raster into a bitmap
> with paint callers, it can wrap that bitmap in a PaintCanvas.  Similarly,
> if code wants to go into an accelerated SkSurface, it should wrap that
> surface's canvas in a PaintCanvas (as blink html canvas code does).
>
> BUG= 671433 
>
> CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
>
> Review-Url: https://codereview.chromium.org/2690583002
> Cr-Commit-Position: refs/heads/master@{#454962}
> Committed: https://chromium.googlesource.com/chromium/src/+/762276ecdfbff938d3b7431ad0ed00c3ab6a4136

TBR=danakj@chromium.org,ddorwin@chromium.org,derat@chromium.org,junov@chromium.org,nick@chromium.org,vitalybuka@chromium.rg,vmpstr@chromium.org,thestig@chromium.org,vitalybuka@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= 671433 

Review-Url: https://codereview.chromium.org/2739533003
Cr-Commit-Position: refs/heads/master@{#455164}

[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/ash/common/shelf/overflow_button.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/ash/common/shelf/shelf_button.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/layers/painted_overlay_scrollbar_layer.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/BUILD.gn
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/paint_canvas.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/paint_canvas.h
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/paint_flags.h
[delete] https://crrev.com/b1d2e017aef891e5d9bbd4d58b22fe9b08c46db3/cc/paint/paint_record.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/paint_record.h
[delete] https://crrev.com/b1d2e017aef891e5d9bbd4d58b22fe9b08c46db3/cc/paint/paint_recorder.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/paint_recorder.h
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/paint_shader.h
[delete] https://crrev.com/b1d2e017aef891e5d9bbd4d58b22fe9b08c46db3/cc/paint/paint_surface.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/cc/paint/paint_surface.h
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/content/child/browser_font_resource_trusted.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/content/renderer/gpu/gpu_benchmarking_extension.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/media/renderers/skcanvas_video_renderer_unittest.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/printing/pdf_metafile_skia.cc
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/core/svg/graphics/SVGImageTest.cpp
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/Canvas2DLayerBridge.cpp
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/Canvas2DLayerBridge.h
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/DeferredImageDecoderTest.cpp
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/GraphicsContext.cpp
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/UnacceleratedImageBufferSurface.cpp
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/UnacceleratedImageBufferSurface.h
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/gpu/AcceleratedImageBufferSurface.cpp
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/gpu/AcceleratedImageBufferSurface.h
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/third_party/WebKit/Source/platform/graphics/paint/PaintCanvas.h
[modify] https://crrev.com/6667be4ffb8c4e01654f2dc2471371e83dfecacd/ui/gfx/paint_vector_icon_unittest.cc

<3 ubsan

ClusterFuzz has detected this issue as fixed in range 455091:455392.

Detailed report: https://clusterfuzz.com/testcase?key=5758715727970304

Fuzzer: bcrane-css-mutator
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x306af743d1b0
Crash State:
  Bad-cast to cc::PaintRecord from SkMiniPicture<SkRecords::DrawRect>
  blink::GraphicsContext::endRecording
  blink::DrawingRecorder::~DrawingRecorder
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=454873:455052
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=455091:455392

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95gmcl0_YSw0yHCJyCaoimbondSFrcC_UMk8qh9nSFXAoPDsAtlmr61WDmDxzHRqTBumBthEg-19XhGQOthKVRv23bcKVe4cM4JM65WcrVKheIGIKaFj7RRPi2ccU0K09oz3-p5xP0YLXgkRp1oUS2ch7htqcT2Kf-x726zsvaEI9PxXoQvBbqLd7mSKiiZnKNN4ZwqOeqiLc7GU-ybboBVvZNaOjhqwe6nyylA_dJKpKRWVM7U6eQRzWcKP29y-spC7GzLrsfEOBAgLinRNpPmf0F7goax1LGLWPSlX2GEnN9-N-YX6S_ZjSZXZkLUqvVUUtST6vHab3cu2vLdhG63Y8JgXEi_-DKvdhrpmqp-yCZbzYc?testcase_id=5758715727970304


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot