Test Predator has given the following results:

[Blink] Add new mode to use property tree to paint in SPv1 by trchen@chromium.org
Minimum distance between changed lines and stacktrace lines in PaintController.cpp is 20
Top touched frame is #2 blink::PaintController::FindOutOfOrderCachedItemForward(in PaintController.cpp)
Changed files BlockPainter.cpp, BoxClipper.cpp, ClipPathClipper.cpp, FilterPainter.cpp, FloatClipRecorder.cpp, FramePainter.cpp, LayerClipRecorder.cpp, PaintLayerPainter.cpp, PaintPropertyTreeBuilder.cpp, PaintPropertyTreeBuilder.h, README.md, RoundedInnerRectClipper.cpp, SVGFilterPainter.cpp, SVGMaskPainter.cpp, SVGPaintContext.cpp, SVGPaintContext.h, ScrollRecorder.cpp, ScrollableAreaPainter.cpp, Transform3DRecorder.cpp, TransformRecorder.cpp, ClipPathRecorder.cpp, ClipRecorder.cpp, CompositingRecorder.cpp, DisplayItem.h, PaintArtifact.cpp, PaintChunker.cpp, PaintController.cpp, PaintController.h, PaintControllerDebugData.cpp, PaintRecordBuilder.cpp, with the same CrashedDirectory(third_party/WebKit/Source/platform/graphics/paint) as DrawingRecorder.h (in frame#5, frame#6), PaintController.cpp (in frame#2, frame#3, frame#4, frame#5) Changed files BlockPainter.cpp, BoxClipper.cpp, ClipPathClipper.cpp, FilterPainter.cpp, FloatClipRecorder.cpp, FramePainter.cpp, LayerClipRecorder.cpp, PaintLayerPainter.cpp, PaintPropertyTreeBuilder.cpp, PaintPropertyTreeBuilder.h, README.md, RoundedInnerRectClipper.cpp, SVGFilterPainter.cpp, SVGMaskPainter.cpp, SVGPaintContext.cpp, SVGPaintContext.h, ScrollRecorder.cpp, ScrollableAreaPainter.cpp, Transform3DRecorder.cpp, TransformRecorder.cpp, ClipPathRecorder.cpp, ClipRecorder.cpp, CompositingRecorder.cpp, DisplayItem.h, PaintArtifact.cpp, PaintChunker.cpp, PaintController.cpp, PaintController.h, PaintControllerDebugData.cpp, PaintRecordBuilder.cpp, with the same CrashedDirectory(third_party/WebKit/Source/core/paint) as LayoutObjectDrawingRecorder.h (in frame#6)
Touched files in stacktrace - PaintController.cpp
Changed files BlockPainter.cpp, BoxClipper.cpp, ClipPathClipper.cpp, FilterPainter.cpp, FloatClipRecorder.cpp, FramePainter.cpp, LayerClipRecorder.cpp, PaintLayerPainter.cpp, PaintPropertyTreeBuilder.cpp, PaintPropertyTreeBuilder.h, README.md, RoundedInnerRectClipper.cpp, SVGFilterPainter.cpp, SVGMaskPainter.cpp, SVGPaintContext.cpp, SVGPaintContext.h, ScrollRecorder.cpp, ScrollableAreaPainter.cpp, Transform3DRecorder.cpp, TransformRecorder.cpp, GraphicsLayer.cpp, GraphicsLayer.h, PaintChunksToCcLayer.cpp, PaintChunksToCcLayer.h, ClipPathRecorder.cpp, ClipRecorder.cpp, CompositingRecorder.cpp, DisplayItem.h, PaintArtifact.cpp, PaintChunker.cpp, PaintController.cpp, PaintController.h, PaintControllerDebugData.cpp, PaintRecordBuilder.cpp, with the same CrashedComponent(Blink>Paint) as DrawingRecorder.h (in frame#5, frame#6), PaintController.cpp (in frame#2, frame#3, frame#4, frame#5), LayoutObjectDrawingRecorder.h (in frame#6)

@trchen  -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.

Thank You.

I reduced it further. Seems to have something to do with mask painting.

Step to repro:
out/Release/content_shell --enable-blink-features=PaintUnderInvalidationChecking fuzz-19-repaint-child-of-squashed.html

Deleted: fuzz-19-repaint-child-of-squashed.html 390 bytes

fuzz-19-repaint-child-of-squashed.html 390 bytes View Download

This is a bug of under-invalidation checking itself. Just tried https://chromium-review.googlesource.com/c/chromium/src/+/692495 locally and it didn't crash.

Just tried to bisect locally. The regression range reported by the bot is incorrect. The CHECK probably failed since very beginning.

Also it is a diagnosis check that doesn't run under production flags, thus removing related labels.

Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/25eefe8eafbb81a6bcdd55ca1b1557009adef922

commit 25eefe8eafbb81a6bcdd55ca1b1557009adef922
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Tue Oct 03 18:25:13 2017

Reland "Fix false-positives of under-invalidation checking in layout tests"

This reverts commit d5830561dbba8913c652a7589d3b691708d4c0c0.

This reland fixes bugs in the original CL:
- When ending under-invalidation checking for a subsequence containing
  cache skipping display items, set next_item_to_match_ and next_item_to_index_
  to let remaining display items match normally.
- Fix DCHECK failure when ending an empty subsequence in a cached
  subsequence.
- Fix bug that under-invalidation checking of a parent subsequence
  was end by a child subsequence.

Original change's description:
> Revert "Fix false-positives of under-invalidation checking in layout tests"
> 
> This reverts commit 206bdc858ad26bc02172a308e6836921a1e41b38.
> 
> Reason for revert:
> 
> Several paint-related tests have begun crashing on "Linux Trusty (dbg)" after landing this patch, flakily hitting a CHECK in
> `PaintController.cpp` (see the log in 
> https://storage.googleapis.com/chromium-layout-test-archives/WebKit_Linux_Trusty__dbg_/5565/layout-test-results/paint/invalidation/video-mute-repaint-stderr.txt).
> It looks like this kind of crash happened while landing the patch as
> well, at least on https://storage.googleapis.com/chromium-layout-test-archives/linux_layout_tests_slimming_paint_v2/6682/layout-test-results/results.html).
> I'll revert it.
> 
> 
> Original change's description:
> > Fix false-positives of under-invalidation checking in layout tests
> > 
> > In the following few cases we intentionally allow under-invalidations in
> > cached subsequences:
> > - offscreen image animation
> > - media buffered range
> > 
> > We intentionally don't update each time the contents change to improve
> > performance or avoid complex implementation of real time change
> > notification.
> > 
> > Now allow cache skipping in cached subsequences.
> > 
> > Enable under-invalidation checking for tests that would have reported
> > under-invalidation with the checking enabled.
> > 
> > This also helps clusterfuzz not to trigger under-invaldiation checking
> > failures when it creates a test for the above cases.
> > 
> > Bug:  769729 
> > Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
> > Change-Id: I2149e9d2304dbad5d7486c822d5452c5dba237fe
> > Reviewed-on: https://chromium-review.googlesource.com/690851
> > Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
> > Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#505281}
> 
> TBR=wangxianzhu@chromium.org,chrishtr@chromium.org
> 
> Change-Id: Id0ddbc90d9cf4436fe10dc81485d9f13edef6f1a
> No-Presubmit: true
> No-Tree-Checks: true
> No-Try: true
> Bug:  769729 ,  769879 
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
> Reviewed-on: https://chromium-review.googlesource.com/691814
> Reviewed-by: Mike West <mkwst@chromium.org>
> Commit-Queue: Mike West <mkwst@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#505327}

Change-Id: Idd2cd531d8fb6ac7b1a7e0330e69c2e8c93f6c33
Bug:  769729 ,  769772 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Reviewed-on: https://chromium-review.googlesource.com/692495
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506110}
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/FlagExpectations/enable-slimming-paint-v2
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/TestExpectations
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/media/media-document-audio-repaint.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/animated-gif-offscreen.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/animated-gif-transformed-offscreen.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/animated-png-offscreen.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/animated-webp-offscreen.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/svg/animated-svg-as-image-background-offscreen.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/svg/animated-svg-as-image-offscreen.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/svg/animated-svg-as-image-transformed-offscreen.html
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/video-mute-repaint.html
[rename] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/video-paint-invalidation-expected.txt
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/LayoutTests/paint/invalidation/video-unmute-repaint.html
[delete] https://crrev.com/67c1b8b0c8dc413606d8d03685d3549b1ac6c6b2/third_party/WebKit/LayoutTests/platform/linux/paint/invalidation/video-paint-invalidation-expected.txt
[delete] https://crrev.com/67c1b8b0c8dc413606d8d03685d3549b1ac6c6b2/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/video-paint-invalidation-expected.txt
[delete] https://crrev.com/67c1b8b0c8dc413606d8d03685d3549b1ac6c6b2/third_party/WebKit/LayoutTests/platform/win7/paint/invalidation/video-paint-invalidation-expected.txt
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/Source/platform/graphics/paint/PaintController.cpp
[modify] https://crrev.com/25eefe8eafbb81a6bcdd55ca1b1557009adef922/third_party/WebKit/Source/platform/graphics/paint/PaintControllerTest.cpp

ClusterFuzz has detected this issue as fixed in range 506047:506154.

Detailed report: https://clusterfuzz.com/testcase?key=6043648071565312

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Can't find cached display item in PaintController.cpp
  blink::PaintController::FindOutOfOrderCachedItemForward
  blink::PaintController::FindCachedItem
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=501156:501180
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=506047:506154

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6043648071565312

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6043648071565312 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.