
Issue 729387 link


Issue metadata

Status: Verified
Owner: ----
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug




Bus in glvmRasterOpRead

Project Member Reported by ClusterFuzz, Jun 4 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6063806177607680

Fuzzer: marty_html_twiddler
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Bus
Crash Address: 0x62d10009f850
Crash State:
  glvmRasterOpRead
  glvmInterpretFPTransformFour
  gldLLVMFPTransform
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6063806177607680


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: a...@chromium.org sunn...@chromium.org vmi...@chromium.org jbau...@chromium.org tzik@chromium.org
Components: Internals>GPU>Internals
Labels: M-60 Test-Predator-Correct-CLs
Assigning to the concern owner from Predator results -- 
Regression information is not available. The result is the blame information. 

Author: jbauman@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/c6aef90f9f927ac75bb99d6d77782fc33c37769d
Time: Tue Feb 14 03:31:42 2012
The CL last changed line 10393 of file gles2_cmd_decoder.cc, which is stack frame 6. 

Author: avi
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f15d60a96eb149666e20e1b1f2afc7914096df0f
Time: Mon Dec 21 17:06:33 2015
The CL last changed line 10429 of file gles2_cmd_decoder.cc, which is stack frame 7. 

Author: vmiura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/8266ca7b30020175e2564b9760597672f7f3ad57
Time: Tue Sep 09 21:37:00 2014
The CL last changed line 5276 of file gles2_cmd_decoder.cc, which is stack frame 8. 

Author: Antoine Labour
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/be0c1281af4417e8b27b967cc067ad388e577bf8
Time: Thu May 25 23:04:10 2017
The CL last changed line 235 of file command_buffer_service.cc, which is stack frame 9. 

Author: Antoine Labour
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/be0c1281af4417e8b27b967cc067ad388e577bf8
Time: Thu May 25 23:04:10 2017
The CL last changed line 89 of file command_buffer_service.cc, which is stack frame 10. 

Author: sunnyps
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/4a6a3d8c391412023e86a755fd35840baa22e578
Time: Fri Sep 18 02:23:43 2015
The CL last changed line 973 of file gpu_command_buffer_stub.cc, which is stack frame 11. 

Author: tzik
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f7c47573b7686c59723f3b7da6d69f1ec494f23b
Time: Wed Apr 05 21:45:03 2017
The CL last changed line 77 of file tuple.h, which is stack frame 12.

Could someone please look into the issue and provide an update.
Thanks in advance.
Cc: piman@chromium.org zmo@chromium.org
cc'ing more people on GPU team.

Comment 3 by piman@chromium.org, Jun 27 2017

Cc: kbr@chromium.org ccameron@chromium.org
#0 0x7fff91e90e6c in glvmRasterOpRead
#1 0x7fff91e8b145 in glvmInterpretFPTransformFour
#2 0x7fff91b203d7 in gldLLVMFPTransform
#3 0x7fff91b34ad4 in gldLLVMVecPolyRender
#4 0x7fff91b1a4ec in gldRenderFillPolygonPtr
#5 0x135d3e56f  (<unknown module>)
#5 0x7fff8c1fe188 in glDrawElements_IMM_GL3Exec
#6 0x116cf0ca0 in gpu::gles2::GLES2DecoderImpl::DoDrawElements(char const*, bool, unsigned int, int, unsigned int, int, int) gpu/command_buffer/service/gles2_cmd_decoder.cc:10423:9

This sounds like another bug triggered deep inside the driver. The function names sound like this is a software rasterizer... can anyone more familiar with the Mac stack comment? Is this something we could enable locally to try to repro? The last instance of a similar bug I could never repro locally.

Comment 4 by piman@chromium.org, Jun 28 2017

I wonder if it's related to  crbug.com/729387 

It looks like there's cases where we can generate out-of-bounds reads on the service side.
#4: Did you mean to link to a different issue?

Comment 6 by piman@chromium.org, Jun 28 2017

copy/paste fail.  crbug.com/736639  is what I meant. Though looking deeper into it, I'm not super convinced that's the same.
Status: ExternalDependency (was: Untriaged)
Mac GL driver bug, external component. Yes, it does look like a bug in the SW OpenGL driver.
Comment 8 by ClusterFuzz (Project Member), Jul 4 2017

ClusterFuzz has detected this issue as fixed in range 484005:484024.

Detailed report: https://clusterfuzz.com/testcase?key=6063806177607680

Fuzzer: marty_html_twiddler
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Bus
Crash Address: 0x62d10009f850
Crash State:
  glvmRasterOpRead
  glvmInterpretFPTransformFour
  gldLLVMFPTransform
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=484005:484024

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6063806177607680


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Jul 4 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: ExternalDependency)
ClusterFuzz testcase 6063806177607680 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
