Predator could not provide any possible suspects.
Using CL for the file, "PaintPropertyTreeBuilder.cpp" assigning to the concern owner who might be related.

Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/3c953ed108223409d9a0d0fb9d324cf5db808923

chrishtr@-- Could you please look into the issue, kindly re-assign if this is not related to your changes.


Thank You.

Testcase 4508669726425088 is a top crash on ClusterFuzz for windows platform. Please prioritize fixing this crash.

Marking this crash as a Beta release blocker.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

M63 is branching on this Thursday (10/12) and M63 beta promotion is coming very soon. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix ASAP. Thank you.

Could this be related to Issue 773181?

I can't reproduce this on Linux release, debug or asan. Trying windows now.

The bug is that a LayoutSVGRoot may not have a PaintLayer.

Issue 773181 has been merged into this issue.

 Issue 773230  has been merged into this issue.

 Issue 773257  has been merged into this issue.

https://chromium-review.googlesource.com/c/chromium/src/+/717564

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/68c4cdbe80c1a578c9321d2a98f61939fc54c39d

commit 68c4cdbe80c1a578c9321d2a98f61939fc54c39d
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Fri Oct 13 21:05:51 2017

Allow for paint offset roots that don't have PaintLayers.

LayoutSVGRoot is not always a stacking context at present,
so it does not always have a PaintLayer.

Bug:  773198 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ia146f3a90512b98de961bd1f243b9e8439c6d382
Reviewed-on: https://chromium-review.googlesource.com/717564
Reviewed-by: Tien-Ren Chen <trchen@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#508817}
[modify] https://crrev.com/68c4cdbe80c1a578c9321d2a98f61939fc54c39d/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.cpp
[modify] https://crrev.com/68c4cdbe80c1a578c9321d2a98f61939fc54c39d/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.h
[modify] https://crrev.com/68c4cdbe80c1a578c9321d2a98f61939fc54c39d/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilderTest.cpp

ClusterFuzz has detected this issue as fixed in range 508786:508875.

Detailed report: https://clusterfuzz.com/testcase?key=4508669726425088

Fuzzer: bj_broddelwerk
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x0000000c
Crash State:
  blink::PaintPropertyTreeBuilder::UpdatePropertiesForSelf
  blink::PrePaintTreeWalk::Walk
  blink::PrePaintTreeWalk::Walk
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=507390:507552
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=508786:508875

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4508669726425088

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4508669726425088 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/264b84e3ce20c18b203de22da7c19a075b6941aa

commit 264b84e3ce20c18b203de22da7c19a075b6941aa
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Sun Oct 15 05:54:55 2017

Allow for paint offset roots that don't have PaintLayers.

LayoutSVGRoot is not always a stacking context at present,
so it does not always have a PaintLayer.

TBR=chrishtr@chromium.org

(cherry picked from commit 68c4cdbe80c1a578c9321d2a98f61939fc54c39d)

Bug:  773198 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ia146f3a90512b98de961bd1f243b9e8439c6d382
Reviewed-on: https://chromium-review.googlesource.com/717564
Reviewed-by: Tien-Ren Chen <trchen@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#508817}
Reviewed-on: https://chromium-review.googlesource.com/719586
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#8}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/264b84e3ce20c18b203de22da7c19a075b6941aa/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.cpp
[modify] https://crrev.com/264b84e3ce20c18b203de22da7c19a075b6941aa/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.h
[modify] https://crrev.com/264b84e3ce20c18b203de22da7c19a075b6941aa/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilderTest.cpp