Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/d2819bd5ebfb32f0866d92ad6e62a45499e05517
Time: Tue Apr 04 23:13:31 2017
Lines 27-43, 67-68, 255 of file PrePaintTreeWalk.cpp which potentially caused crash are changed in this cl (frame #2, "PrePaintTreeWalkContext"; frame #3, "PrePaintTreeWalkContext"; frame #4, "blink::PrePaintTreeWalk::walk").
Minimum distance from crash line to modified line: 0. (file: PrePaintTreeWalk.cpp, crashed on: 27, modified: 27). 

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/81f28ed19f771fe93406496d1d23da137abcd602
Time: Sun Apr 02 21:45:28 2017
Lines 27-42, 67, 255, 281-286 of file PrePaintTreeWalk.cpp which potentially caused crash are changed in this cl (frame #2, "PrePaintTreeWalkContext"; frame #3, "PrePaintTreeWalkContext"; frame #4, "blink::PrePaintTreeWalk::walk"; frame #5, "blink::PrePaintTreeWalk::walk"; frame #6, "blink::PrePaintTreeWalk::walk"; frame #7, "blink::PrePaintTreeWalk::walk"; frame #8, "blink::PrePaintTreeWalk::walk").
Minimum distance from crash line to modified line: 0. (file: PrePaintTreeWalk.cpp, crashed on: 286, modified: 286). 

Author: wangxianzhu
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/b87cdfa7b1b594a30a76793904cf916c06048721
Time: Wed Mar 22 22:04:04 2017
Lines 51 of file PrePaintTreeWalk.cpp which potentially caused crash are changed in this cl (frame #2, "PrePaintTreeWalkContext").
Minimum distance from crash line to modified line: 0. (file: PrePaintTreeWalk.cpp, crashed on: 51, modified: 51). 

Author: chrishtr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/0be71969c80ff018be92afb6bba2076bf3c1f55f
Time: Mon Apr 03 19:49:44 2017
Lines 52-60 of file PrePaintTreeWalk.cpp which potentially caused crash are changed in this cl (frame #2, "PrePaintTreeWalkContext").
Minimum distance from crash line to modified line: 0. (file: PrePaintTreeWalk.cpp, crashed on: 52, modified: 52). 

Author: chrishtr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/acf76351e614fa82116875d8a054a0abfb83d39e
Time: Tue Apr 04 18:29:02 2017
Lines 52-60 of file PrePaintTreeWalk.cpp which potentially caused crash are changed in this cl (frame #2, "PrePaintTreeWalkContext").
Minimum distance from crash line to modified line: 0. (file: PrePaintTreeWalk.cpp, crashed on: 52, modified: 52).

@wanxianzhu -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

 Issue 709801  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a90d70bc3c688ca28d02aaf56fc25e2c2308960e

commit a90d70bc3c688ca28d02aaf56fc25e2c2308960e
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Tue Apr 18 22:50:09 2017

Fix background-attachment:local <li> crash during PrePaintTreeWalk

The crash was because of the SetShouldDoFullPaintInvalidation() call
during PrePaint while the ancestors didn't updated paint property
builder contexts.

(We still allow SetShouldDoFullPaintInvalidation() call during PrePaint
given that ancestors have updated their paint property builder contexts.
A case is on SPv2 when paint offset changes -- we are already updating
paint property builder context, so the SetShouldDoFullPaintInvalidation
call is valid. Invalid calls can be caught by the DCHECKs.)

BUG= 709798 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2823963002
Cr-Commit-Position: refs/heads/master@{#465405}

[add] https://crrev.com/a90d70bc3c688ca28d02aaf56fc25e2c2308960e/third_party/WebKit/LayoutTests/paint/invalidation/local-attachment-background-li-crash.html
[modify] https://crrev.com/a90d70bc3c688ca28d02aaf56fc25e2c2308960e/third_party/WebKit/Source/core/paint/BoxPaintInvalidator.cpp

ClusterFuzz testcase 5840823901224960 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 465403:465427.

Detailed report: https://clusterfuzz.com/testcase?key=6386881144291328

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  _platform_memmove$VARIANT$Nehalem
  blink::PrePaintTreeWalk::walk
  blink::PrePaintTreeWalk::walk
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=465403:465427

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96SVbYggjJpyg4oriAlLC4DAnVw3XCpFYG8_nqssMQotm7fTlaeYfAJW-PxPwV_fVcVLr7zg-NP8FGfRjDJ4E-0snQQn4r5OOPlyJ0OGDukH09zd4MF_r2l8kgsvLgEwqB0YPpJmN4Ya_H1DZwzs6eSBGlGe-7ToMq5AnAiusBqy5qiz3FadSvRvuqjhrH6kIOoFsMX1aBhfl--Ugx6DYQASFZWeX77ZPvhUtP6C0gHhia718BREM6jC9aQR-rtQt6KHWLoU1Z4_Of9ybcWL-Y0HBKFZdvzsyEy_d5mrOTbsgkEgRskJjnY9gi0i27zd8uJS2TjVY25fPehTZklbFwcczvJNc8d1HEi6v3nQzPS-M9PMVlsTDtLDeONjBMywoSO_W3Gu9bZkK-QXIuBMLwrIJ576w?testcase_id=6386881144291328


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

 Issue 713025  has been merged into this issue.

Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1d9c07cad47b873b86556ef54e2b64a962f1f713

commit 1d9c07cad47b873b86556ef54e2b64a962f1f713
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Wed Apr 19 23:09:21 2017

Fix background-attachment:local <li> crash during PrePaintTreeWalk

The crash was because of the SetShouldDoFullPaintInvalidation() call
during PrePaint while the ancestors didn't updated paint property
builder contexts.

(We still allow SetShouldDoFullPaintInvalidation() call during PrePaint
given that ancestors have updated their paint property builder contexts.
A case is on SPv2 when paint offset changes -- we are already updating
paint property builder context, so the SetShouldDoFullPaintInvalidation
call is valid. Invalid calls can be caught by the DCHECKs.)

BUG= 709798 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2823963002
Cr-Commit-Position: refs/heads/master@{#465405}

TBR=wangxianzhu@chromium.org
NOPRESUBMIT=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2828963002
Cr-Commit-Position: refs/branch-heads/3071@{#70}
Cr-Branched-From: a106f0abbf69dad349d4aaf4bcc4f5d376dd2377-refs/heads/master@{#464641}

[add] https://crrev.com/1d9c07cad47b873b86556ef54e2b64a962f1f713/third_party/WebKit/LayoutTests/paint/invalidation/local-attachment-background-li-crash.html
[modify] https://crrev.com/1d9c07cad47b873b86556ef54e2b64a962f1f713/third_party/WebKit/Source/core/paint/BoxPaintInvalidator.cpp

 Issue 712803  has been merged into this issue.