Null-dereference READ in blink::CSSPaintDefinition::Paint
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5099805513351168
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  blink::CSSPaintDefinition::Paint
  blink::PaintWorklet::Paint
  blink::CSSPaintImageGeneratorImpl::Paint
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5099805513351168

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Jan 28 2018

Jan 29 2018
Predator and CL could not provide any possible suspects. Using Code Search for the file "CSSPaintDefinition.cpp", I observed that there were some recent changes to the file below. Suspect CL: https://chromium.googlesource.com/chromium/src/+/b4af84b4cb89dbb352464bbfa2eb2da5ba784a62%5E%21/third_party/WebKit/Source/modules/csspaint/CSSPaintDefinition.cpp tzik@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner. Thanks!
Jan 29 2018
I thought we fixed this? Different issue?
Jan 29 2018
Hmm, this is odd. My fix for this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=803026 was merged to M65 on Jan. 25, which is the day when this bug is filed. I will investigate further.
Jan 30 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/14f4cf3de62764050e51badf3979563c578c2bdf

commit 14f4cf3de62764050e51badf3979563c578c2bdf
Author: Xida Chen <xidachen@chromium.org>
Date: Tue Jan 30 17:39:03 2018

[PaintWorklet] Speculative fix for a null-dereference in CSSPaintDefinition::Paint

It appears that under certain conditions (ASAN), the |script_state_| in the CSSPaintDefinition is nullptr. Notice that the |script_state_| itself is a scoped_refptr; it being null indicates that the CSSPaintDefinition object itself is null. ClusterFuzz seems to be able to repro this with a 29KB minimized test case and I can never repro it locally with the same build args. This CL is a speculative fix, and let's wait for the fuzzer to tell us whether the problem is fixed by this or not.

Bug: 806082
Change-Id: Iad22be412709d697d42e111cbf74de972b094918
Reviewed-on: https://chromium-review.googlesource.com/891598
Reviewed-by: Stephen McGruer <smcgruer@chromium.org>
Commit-Queue: Xida Chen <xidachen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532932}

[modify] https://crrev.com/14f4cf3de62764050e51badf3979563c578c2bdf/third_party/WebKit/Source/modules/csspaint/PaintWorklet.cpp
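A reduced model of the lookup-then-Paint path the commit message reasons about, added here as an illustration and not Chromium's code: a worklet maps paint names to definitions, a missed lookup hands the caller a null pointer, and the first member Paint() reads turns that null |this| into a fault at a small address equal to the member's offset. The type and function names, the raw ScriptState pointer standing in for the scoped_refptr, the leading name field, and the registered paint names are all assumptions.

```cpp
// Added illustration, not Chromium's code. Models the failure mode from the
// commit message: Paint() invoked through a null definition pointer faults at
// the offset of the first member it reads, and a guard at the lookup site
// turns that path into a plain "no paint" result.
#include <cstddef>
#include <map>
#include <memory>
#include <string>

struct ScriptState {};  // stand-in for blink::ScriptState

struct CSSPaintDefinition {
  const char* name;           // constructed leading field, so script_state is not at offset 0
  ScriptState* script_state;  // modelled as a raw pointer; Chromium holds a scoped_refptr
  // A paint succeeds only while the definition still owns a script state.
  bool Paint() const { return script_state != nullptr; }
};

// Address a null |this| would fault at inside Paint(): the offset of the first
// member it touches. Diagnostic only; nothing here dereferences null.
std::size_t FaultOffsetForNullThis() {
  return offsetof(CSSPaintDefinition, script_state);
}

class PaintWorklet {
 public:
  void RegisterPaint(const std::string& name, std::shared_ptr<CSSPaintDefinition> def) {
    definitions_[name] = def;
  }
  // Guarded lookup-and-paint: a missing or null definition yields false
  // instead of calling Paint() through a null pointer.
  bool Paint(const std::string& name) const {
    auto it = definitions_.find(name);
    if (it == definitions_.end() || !it->second) return false;  // the guard
    return it->second->Paint();
  }
 private:
  std::map<std::string, std::shared_ptr<CSSPaintDefinition>> definitions_;
};

// Constructed scenarios exercising the guard (names are made up).
bool PaintsRegisteredName() {
  static ScriptState state;
  PaintWorklet worklet;
  worklet.RegisterPaint("checkerboard", std::make_shared<CSSPaintDefinition>(CSSPaintDefinition{"checkerboard", &state}));
  return worklet.Paint("checkerboard");
}
bool PaintsUnregisteredName() { PaintWorklet w; return w.Paint("never-registered"); }
bool PaintsNullDefinition() { PaintWorklet w; w.RegisterPaint("x", nullptr); return w.Paint("x"); }
```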
Feb 1 2018
tzik@, brajkuma@: is there anything special about the config here? I tried using the CF repro tool locally on a linux workstation, and here is what I got:

New crash type:
New crash state:
Original crash type: Null-dereference READ
Original crash state: get blink::CSSPaintDefinition::Paint blink::PaintWorklet::Paint
The stacktrace doesn't match the original stacktrace.
Try again (3 times). Press Ctrl+C to stop trying to reproduce.
UnreproducibleError: The crash cannot be reproduced after trying 3 times.
Feb 6 2018
On the report page, there is no crash in the last 7 days. It doesn't seem to repro anymore, closing this bug.
Feb 13 2018
ClusterFuzz testcase 5099805513351168 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Feb 13 2018

Feb 17 2018
ClusterFuzz has detected this issue as fixed in range 537260:537261.

Detailed report: https://clusterfuzz.com/testcase?key=5099805513351168
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  blink::CSSPaintDefinition::Paint
  blink::PaintWorklet::Paint
  blink::CSSPaintImageGeneratorImpl::Paint
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=537260:537261
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5099805513351168

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by dtapu...@chromium.org, Jan 27 2018