Predator and CL did not provide any possible suspects.
Using Code Search for the file, "ImageDocument.cpp" assigning to the concern owner who might be related.

malaykeshav@ -- Could you please look into the issue, kindly re-assign if this is not related to your changes.

Thank You.

 Issue 765717  has been merged into this issue.

This seems unrelated to my change as it is caused due to an invalid cache state.

When you un-assign yourself from a bug you MUST reset the status to Untriaged.

I'll look at this shortly.

Reduced test case.

Crash only happens with these additional gn args:
is_asan = true
enable_ipc_fuzzer = true
is_component_build = false
v8_enable_verify_heap = true

Build content_shell and it only crashes in when run as a layout test, and it only crashes about 80% of the time. Note the image goes in a resources directory.

I have a tentative fix, but review is essential.

Deleted: fuzz-16.htm 464 bytes

fuzz-16.htm 464 bytes View Download

Deleted: image.gif 163 KB

	image.gif 163 KB View Download

Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/834f9a32375933e5a4cef48a06c804f25f82b145

commit 834f9a32375933e5a4cef48a06c804f25f82b145
Author: Stephen Chenney <schenney@chromium.org>
Date: Wed Oct 04 13:42:39 2017

Fix null pointer access in ImageDocumentParser

When a image document is re-parented inside an iframe a race
condition exists between the creation of the
ImageContentResource and the parsing of the document.
ImageDocumentParser::Finish requests the CachedImageSize
which accesses a null image pointer inside the image loader.

Standard behavior for image resources is that they be cleared upon
re-parenting, so enforce that for the ImageContentResource as well.

R=hiroshige@chromium.org
BUG= 765917 

Change-Id: I93cea9f3eba879abc66d8b8226c3d56a5e02af1b
Reviewed-on: https://chromium-review.googlesource.com/679074
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Commit-Queue: Stephen Chenney <schenney@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506377}
[add] https://crrev.com/834f9a32375933e5a4cef48a06c804f25f82b145/third_party/WebKit/LayoutTests/loader/iframed-image-reparent-crash.html
[add] https://crrev.com/834f9a32375933e5a4cef48a06c804f25f82b145/third_party/WebKit/LayoutTests/loader/resources/image.gif
[modify] https://crrev.com/834f9a32375933e5a4cef48a06c804f25f82b145/third_party/WebKit/Source/core/loader/ImageLoader.cpp

ClusterFuzz has detected this issue as fixed in range 506368:506383.

Detailed report: https://clusterfuzz.com/testcase?key=5868163425370112

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000010
Crash State:
  blink::ImageResourceContent::ImageSize
  blink::CachedImageSize
  blink::ImageDocumentParser::Finish
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=499928:499936
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=506368:506383

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5868163425370112

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5868163425370112 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.