
Issue 712625


Issue metadata

Status: Verified
Closed: Apr 2017
OS: Windows
Pri: 2
Type: Bug

Crash in blink::FramePainter::paintScrollCorner

Reported by ClusterFuzz, Apr 18 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>Paint
Labels: M-60 Test-Predator-Correct-CLs
Owner: chaopeng@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concerned owner from Predator results --
The result is a list of CLs that change the crashed files.

Author: chaopeng
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/fe8765486d0c6b4e2e470bf284697fcb9aae5ea4
Time: Tue Mar 14 02:04:26 2017
Line 241 of file FramePainter.cpp, which potentially caused the crash, is changed in this CL (frame #0, "content_shell!blink::FramePainter::paintScrollCorner+0x12e").
Minimum distance from crash line to modified line: 0. (file: FramePainter.cpp, crashed on: 240, modified: 240).

@chaopeng -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Cc: bokan@chromium.org

Comment 3 by bokan@chromium.org, Apr 18 2017

Labels: -Pri-1 Pri-2
The test case is using an internals method that we don't ship, so there isn't any harm to users. Downgrading priority somewhat because of that, but we should still look into it. I think the bug is that we're keeping around a GraphicsLayer for the scroll corner when no scrollbars exist. The scroll corner should have been destroyed when we "adjusted scrollbar existence" in FrameView.
Labels: BugSource-Chromium PaintTeamTriaged-20170419
Cannot reproduce this issue on the latest Windows ASan build. Tried opening the page (via http server) in Chrome and running it in content_shell (w/o --run-layout-test).

Comment 6 by bokan@chromium.org, Apr 19 2017

It requires internals, did you remember to add --expose-internals-for-testing?

Did you try using --run-layout-test?
Tried --run-layout-test.

Comment 8 by ClusterFuzz, Apr 20 2017

ClusterFuzz has detected this issue as fixed in range 465765:465806.

Detailed report: https://clusterfuzz.com/testcase?key=5702718305075200

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000003
Crash State:
  blink::FramePainter::paintScrollCorner
  blink::PaintLayerCompositor::paintContents
  blink::GraphicsLayer::paintWithoutCommit
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=456508:456580
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=465765:465806

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97-vPK7A3k03GTXVONnA3EtjKhAgpjrQaZBHcBwVOHqDLaee5fuqSRCKX80ETWZLrIs_meaGoZJ1H32UokVV12p_lu7B8N6aqZp3CmgTkvdOeyerFWzVa1QKAfh4tY0Nuqy_n59NH2PdszOvC_Ui71DhQXD_mnQF1FQUly4uHhEGX11aaVdJcpBy2nItam81E2bNDoPnZa4yo1Jw8rOqb9bbo_Fxz_KTPh71YHEsusX_WdpoSWuVL1LkMmqbwjJMeAN23GNtLf9qqsAi7oXvYj8OjZSkHjbXJrx_xpSUKmJdJLf04U3DfqHZQxzBI12EUhyvyMz7lPPi6QiEjJSnoimyGxRuWtfPkEPUQbcM93FYEe3cCAKQ2e1H26tfQEPf2lUvOl0mlaRnE2eVOkDSiM-LwDXHQ?testcase_id=5702718305075200


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz, Apr 20 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5702718305075200 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 10 by bokan@chromium.org, Apr 20 2017

Hah, great work Chao! :P