Assigning to concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: Olli Etuaho
Project: chromium-angle
Changelist: https://chromium.googlesource.com/angle/angle.git/+/13389b663850f09d0fac7263abf80b23f25b2361
Time: Sun Oct 16 10:48:18 2016
Lines 500-520 of file IntermTraverse.cpp which potentially caused crash are changed in this cl (frame #2, "sh::TIntermTraverser::traverseBlock"; frame #4, "sh::TIntermTraverser::traverseBlock"; frame #6, "sh::TIntermTraverser::traverseBlock"). 

Lines 580-598 of file VariableInfo.cpp which potentially caused crash are changed in this cl (frame #0, "sh::CollectVariables::visitDeclaration").
Minimum distance from crash line to modified line: 0. (file: IntermTraverse.cpp, crashed on: 512, modified: 512).

@jamdill -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Not adding the author as there is no chromium account.
Thank You.

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/8162926b2bbaba65cb5bb114403b4dac5b0677fe

commit 8162926b2bbaba65cb5bb114403b4dac5b0677fe
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Thu Apr 20 07:38:00 2017

Never add declarations without children to the AST

When block nodes were being created for loop bodies that didn't have
braces in the parsed source, the code didn't check if the loop body
was a declaration node without children. Always use appendStatement()
for adding statements to a block, so that declaration nodes without
children don't end up in the AST.

Similarly make sure that loop init nodes aren't declarations without
children.

BUG= chromium:712550 
TEST=angle_end2end_tests

Change-Id: I5e79b700fe6158fa2422fcf4cd13818b2bd24863
Reviewed-on: https://chromium-review.googlesource.com/481660
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/compiler/translator/Intermediate.cpp
[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/tests/gl_tests/GLSLTest.cpp
[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/compiler/translator/IntermNode.cpp
[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/compiler/translator/IntermNode.h

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/8162926b2bbaba65cb5bb114403b4dac5b0677fe

commit 8162926b2bbaba65cb5bb114403b4dac5b0677fe
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Thu Apr 20 07:38:00 2017

Never add declarations without children to the AST

When block nodes were being created for loop bodies that didn't have
braces in the parsed source, the code didn't check if the loop body
was a declaration node without children. Always use appendStatement()
for adding statements to a block, so that declaration nodes without
children don't end up in the AST.

Similarly make sure that loop init nodes aren't declarations without
children.

BUG= chromium:712550 
TEST=angle_end2end_tests

Change-Id: I5e79b700fe6158fa2422fcf4cd13818b2bd24863
Reviewed-on: https://chromium-review.googlesource.com/481660
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/compiler/translator/Intermediate.cpp
[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/tests/gl_tests/GLSLTest.cpp
[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/compiler/translator/IntermNode.cpp
[modify] https://crrev.com/8162926b2bbaba65cb5bb114403b4dac5b0677fe/src/compiler/translator/IntermNode.h

Should be fixed in the next roll. Thanks Olli!

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5c129fa2384499f365d593c3cb23a3921c98a845

commit 5c129fa2384499f365d593c3cb23a3921c98a845
Author: fjhenigman <fjhenigman@chromium.org>
Date: Thu Apr 20 21:25:37 2017

Roll ANGLE b812669..ba992ab

https://chromium.googlesource.com/angle/angle.git/+log/b812669..ba992ab

BUG=,chromium:712550

TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2834703002
Cr-Commit-Position: refs/heads/master@{#466139}

[modify] https://crrev.com/5c129fa2384499f365d593c3cb23a3921c98a845/DEPS

ClusterFuzz has detected this issue as fixed in range 465939:466784.

Detailed report: https://clusterfuzz.com/testcase?key=6429365316616192

Fuzzer: afl_angle_translator_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  sh::CollectVariables::visitDeclaration
  sh::TIntermTraverser::traverseDeclaration
  sh::TIntermTraverser::traverseBlock
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=428621:428622
Fixed: https://clusterfuzz.com/revisions?job=afl_chrome_asan&range=465939:466784

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6429365316616192


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6429365316616192 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.