Testcase 5629878757228544 is a top crash on ClusterFuzz for mac and windows platforms. Please prioritize fixing this crash.

Marking this crash as a Beta release blocker.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/945b31d85a3f01f5bb59e9c52f244aa704f28e27 (Compute a fragmented offset for control clips of input boxes.).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Just to update, M-63 will be promoted to Beta next week. So requesting to plan the fix accordingly.

 Issue 774845  has been merged into this issue.

 Issue 774861  has been merged into this issue.

M63 beta promotion is coming VERY soon. Your bug is labelled as Beta ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96e73b5e2b7a31a51a88456d2f507dd663e86975

commit 96e73b5e2b7a31a51a88456d2f507dd663e86975
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Tue Oct 17 01:11:39 2017

Fix bug in earlier patch (*) to account for non-PaintLayer painting roots.

(*) https://chromium-review.googlesource.com/c/chromium/src/+/720200

Bug:  774859 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I58db6c2344e486df53214e41ddeb31f5b9e6c086
Reviewed-on: https://chromium-review.googlesource.com/721800
Reviewed-by: Tien-Ren Chen <trchen@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#509200}
[modify] https://crrev.com/96e73b5e2b7a31a51a88456d2f507dd663e86975/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.cpp
[modify] https://crrev.com/96e73b5e2b7a31a51a88456d2f507dd663e86975/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilderTest.cpp

ClusterFuzz has detected this issue as fixed in range 509195:509255.

Detailed report: https://clusterfuzz.com/testcase?key=5629878757228544

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: Null-dereference
Crash Address: 0x0000006f
Crash State:
  blink::PaintLayer::VisualOffsetFromAncestor
  blink::PaintPropertyTreeBuilder::UpdatePropertiesForChildren
  blink::PrePaintTreeWalk::Walk
  
Memory Tool: SYZYASAN

Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=508949:508953
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=509195:509255

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5629878757228544

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6286351489302528 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M63. Please go ahead and merge the CL to branch 3239 manually. Please contact milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6655ed0df5c98ce5c17ba1c530e695295ade5fe3

commit 6655ed0df5c98ce5c17ba1c530e695295ade5fe3
Author: Chris Harrelson <chrishtr@chromium.org>
Date: Wed Oct 18 04:28:35 2017

Fix bug in earlier patch (*) to account for non-PaintLayer painting roots.

(*) https://chromium-review.googlesource.com/c/chromium/src/+/720200

TBR=chrishtr@chromium.org

(cherry picked from commit 96e73b5e2b7a31a51a88456d2f507dd663e86975)

Bug:  774859 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I58db6c2344e486df53214e41ddeb31f5b9e6c086
Reviewed-on: https://chromium-review.googlesource.com/721800
Reviewed-by: Tien-Ren Chen <trchen@chromium.org>
Commit-Queue: Chris Harrelson <chrishtr@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#509200}
Reviewed-on: https://chromium-review.googlesource.com/724923
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/branch-heads/3239@{#46}
Cr-Branched-From: adb61db19020ed8ecee5e91b1a0ea4c924ae2988-refs/heads/master@{#508578}
[modify] https://crrev.com/6655ed0df5c98ce5c17ba1c530e695295ade5fe3/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilder.cpp
[modify] https://crrev.com/6655ed0df5c98ce5c17ba1c530e695295ade5fe3/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilderTest.cpp