I'm not sure why the sandbox code is tangled up in the stack, but the full stack trace seems like CFX_SkiaDeviceDriver.

ClusterFuzz has detected this issue as fixed in range 459064:459130.

Detailed report: https://clusterfuzz.com/testcase?key=5860028730048512

Fuzzer: attekett_surku_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x7f8534a627c0
Crash State:
  Bad-cast to sandbox::bpf_dsl::(anonymous namespace)::ReturnResultExprImpl from invalid vptr
  SkiaState::ClipRestore
  CFX_SkiaDeviceDriver::RestoreState
  
Sanitizer: cfi (CFI)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=459031:459064
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=459064:459130

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96t1or42soEEcZFA0PsCPi6qD0butmr9bBw8Z2v0vonQCHRW7MmMEdTClsKOFtkopyO_AgSqGQtwXvD-fJzx5h_TQtDnoFVx5vW_WHT-K35ujqlrM62csigSgBtk5_S2pdNTTL9wdHyCHk0VzD8BYD-8_2TB5k6Gy4OdOJUidhwC3XefdJeY77gbUxF70zsJqiv-Vjk4tFtjEV-QQUch-d6kNuBxdIZrUOwVbfXc3gX4xXsVaqHLUcUtALJa4t_gs3kZtWjAl7SvrJ2CSE2x77dyzWMug_0trivoa-yFHU53mnfoPBs_t90i_4d5UnJjGuWY6zdO6ejMnuXRcOebDfRQlxNsMQRYVppVbbhvYXPVT0z2F4-j-eFgGakE_RXROvjBJ1UygvTUrRbySSw3ZLzTpyWQA?testcase_id=5860028730048512


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot