
Issue 716720

Issue metadata

Status: Verified
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug


Crash in tessellate

Project Member Reported by ClusterFuzz, Apr 29 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6636918067691520

Fuzzer: inferno_canvas_wrecker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000050
Crash State:
  tessellate
  path_to_polys
  GrTessellator::PathToTriangles
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6636918067691520


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Internals>GPU>Rasterization
Labels: M-60 Test-Predator-Correct-CLs
Owner: bsalomon@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: Brian Salomon
Project: chromium-skia
Changelist: https://skia.googlesource.com/skia.git/+/d3ccb0a37f0e62c84fdcd6a77b7b15476b04db7a
Time: Mon Apr 03 10:38:00 2017 -0400
Line 320 of file GrTessellatingPathRenderer.cpp, which potentially caused the crash, is changed in this CL (frame #4, "TessellatingPathOp::onPrepareDraws").

File GrMeshDrawOp.cpp is changed in this cl (and is part of stack frame #5, "GrMeshDrawOp::onPrepare")
Minimum distance from crash line to modified line: 0. (file: GrTessellatingPathRenderer.cpp, crashed on: 320, modified: 320).

@Brian Salomon -- Could you please look into the issue, and kindly re-assign if it is not related to your changes.
Thank you.
Cc: bsalomon@chromium.org
Owner: senorblanco@chromium.org
Looks like an issue in the tessellated path renderer.
Reduced skia test case is attached.

(Note that the verb limit was also raised, since the path was linearized and
exceeds the verb count.)


Attachment: skia-clusterfuzz-716720.patch (151 KB)

Comment 4 by bugdroid1@chromium.org (Project Member), May 4 2017

The following revision refers to this bug:
  https://skia.googlesource.com/skia/+/64dbb89efc9daba9f62b4a385354a77aaa54861e

commit 64dbb89efc9daba9f62b4a385354a77aaa54861e
Author: Stephen White <senorblanco@chromium.org>
Date: Thu May 04 05:10:48 2017

GrTessellator: fix for vertex coincident with enclosing edge.

If a previously-enclosing edge coincides exactly with the current
vertex, there are no two adjacent edges which enclose the vertex.
Since find_enclosing_edges() ensures that the left enclosing edge
is to the left of the vertex, the fix is to split the right
enclosing edge on the current vertex and restart intersection
tests.

Bug: 716720
Change-Id: Id26c5b92a6d6139f348e99554638cded37e81a8e
Reviewed-on: https://skia-review.googlesource.com/15261
Reviewed-by: Brian Salomon <bsalomon@google.com>
Commit-Queue: Stephen White <senorblanco@chromium.org>

[modify] https://crrev.com/64dbb89efc9daba9f62b4a385354a77aaa54861e/tests/TessellatingPathRendererTests.cpp
[modify] https://crrev.com/64dbb89efc9daba9f62b4a385354a77aaa54861e/src/gpu/GrTessellator.cpp

Comment 5 by ClusterFuzz (Project Member), May 5 2017

ClusterFuzz has detected this issue as fixed in range 469280:469289.

Detailed report: https://clusterfuzz.com/testcase?key=6636918067691520

Fuzzer: inferno_canvas_wrecker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000050
Crash State:
  tessellate
  path_to_polys
  GrTessellator::PathToTriangles
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=469280:469289

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6636918067691520


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz (Project Member), May 5 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6636918067691520 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.