Security CHECK failure: !cached_item->IsTombstone() in PaintController.cpp
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6038735459450880

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Security CHECK failure
Crash Address:
Crash State:
  !cached_item->IsTombstone() in PaintController.cpp
  blink::PaintController::CopyCachedSubsequence
  blink::PaintController::UseCachedSubsequenceIfPossible

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=526117:526118

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6038735459450880

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Dec 23 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/1de7bf475012870fbc4cb27aac5f2206444f5fe3 ([SPv175+] Cache fragmented display items and paint chunks). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Dec 25 2017

Dec 27 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f82f583c959661e2f8263d76073ec96e3c906ebd

commit f82f583c959661e2f8263d76073ec96e3c906ebd
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Wed Dec 27 22:31:03 2017

[PE] Don't create subsequences under fragmented frames

Because for now PaintLayer::PaginationContainer() doesn't cross frame boundaries, fragmented frame contents don't know they are fragmented and may create subsequences under multiple fragments.

Now skip cache when painting fragmented frames and don't create subsequences if we are skipping cache, so that fragmented frame contents won't create subsequences.

This fixes bug 797491, but we need a complete solution for bug 797779.

Bug: 797491, 797779
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ib6000df445ade0e39c2fbf1c2bd406733ea9d99b
Reviewed-on: https://chromium-review.googlesource.com/844975
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526247}

[modify] https://crrev.com/f82f583c959661e2f8263d76073ec96e3c906ebd/third_party/WebKit/Source/core/paint/EmbeddedContentPainter.cpp
[modify] https://crrev.com/f82f583c959661e2f8263d76073ec96e3c906ebd/third_party/WebKit/Source/core/paint/PaintLayerPainter.cpp
[modify] https://crrev.com/f82f583c959661e2f8263d76073ec96e3c906ebd/third_party/WebKit/Source/core/paint/PaintPropertyTreeBuilderTest.cpp
[modify] https://crrev.com/f82f583c959661e2f8263d76073ec96e3c906ebd/third_party/WebKit/Source/platform/graphics/GraphicsContext.h
[modify] https://crrev.com/f82f583c959661e2f8263d76073ec96e3c906ebd/third_party/WebKit/Source/platform/graphics/paint/PaintController.cpp

Dec 28 2017
ClusterFuzz has detected this issue as fixed in range 526246:526247.

Detailed report: https://clusterfuzz.com/testcase?key=6038735459450880

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Security CHECK failure
Crash Address:
Crash State:
  !cached_item->IsTombstone() in PaintController.cpp
  blink::PaintController::CopyCachedSubsequence
  blink::PaintController::UseCachedSubsequenceIfPossible

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=526117:526118
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=526246:526247

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6038735459450880

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Dec 28 2017
ClusterFuzz testcase 6038735459450880 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by ClusterFuzz, Dec 23 2017
Labels: Test-Predator-Auto-Components