Issue 807240

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Security


Heap-use-after-free in blink::GraphicsLayer::PaintRecursivelyInternal

Reported by ClusterFuzz (Project Member), Jan 30 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4773602277457920

Fuzzer: inferno_canvas_wrecker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 2
Crash Address: 0x615000064b68
Crash State:
  blink::GraphicsLayer::PaintRecursivelyInternal
  blink::GraphicsLayer::PaintRecursivelyInternal
  blink::GraphicsLayer::PaintRecursivelyInternal
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=532613:532705

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4773602277457920

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), Jan 30 2018

Components: Blink>Paint
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Comment 2 by ClusterFuzz (Project Member), Jan 30 2018

Labels: Test-Predator-Auto-Owner
Owner: trchen@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/f89ae106e06d15200d783cb6950961ba999edebe ([Blink/SPv1] Move composited clip-path to share layer with masks).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 3 by sheriffbot@chromium.org (Project Member), Jan 30 2018

Labels: M-65

Comment 4 by sheriffbot@chromium.org (Project Member), Jan 30 2018

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by sheriffbot@chromium.org (Project Member), Jan 30 2018

Labels: Pri-1

Comment 6 by trchen@chromium.org, Jan 30 2018

Cc: wangxianzhu@chromium.org

Comment 7 by bugdroid1@chromium.org (Project Member), Jan 30 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99c730c6ce14ca0290cf8c05eedd5c66ecb8bb93

commit 99c730c6ce14ca0290cf8c05eedd5c66ecb8bb93
Author: Tien-Ren Chen <trchen@chromium.org>
Date: Tue Jan 30 23:32:21 2018

[Blink] Fix dangling pointer to destroyed child clipping mask layer

The contents clipping mask layer on the main graphics layer needs to be
updated unconditionally because otherwise we can have dangling pointer
to a destroyed mask when both the mask and the contents layer are
destroyed at the same time.

BUG=807240

Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: Ica51387507232c20f1deacf9572546490f587eb9
Reviewed-on: https://chromium-review.googlesource.com/894194
Commit-Queue: Tien-Ren Chen <trchen@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#533080}
[modify] https://crrev.com/99c730c6ce14ca0290cf8c05eedd5c66ecb8bb93/third_party/WebKit/Source/core/paint/compositing/CompositedLayerMapping.cpp
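The dangling-pointer pattern the commit message above describes, as a constructed C++ model added here (this is not Blink's CompositedLayerMapping code): the type names, the ownership layout and the branch structure are assumptions; what it shows is a cached raw pointer that is only refreshed on one path, beside the unconditional refresh the fix prescribes.

```cpp
#include <memory>
// Constructed model (not Blink's code): a main graphics layer owns an optional
// contents layer and an optional clipping mask, and caches a raw mask pointer.
struct Layer {};
struct MainLayer {
  std::unique_ptr<Layer> contents;                // owned
  std::unique_ptr<Layer> contents_clipping_mask;  // owned
  Layer* mask_for_paint = nullptr;  // non-owning, followed by the painter
};

// Hypothetical pre-fix shape: the cached pointer is refreshed only on the path
// that handles a live contents layer, so destroying contents and mask in one
// update leaves it pointing at the freed mask.
void UpdateChildLayersBuggy(MainLayer& m, bool want_contents, bool want_mask) {
  if (!want_mask) m.contents_clipping_mask.reset();
  if (!want_contents) {
    m.contents.reset();
    return;  // mask_for_paint left untouched: now dangling
  }
  if (!m.contents) m.contents = std::make_unique<Layer>();
  if (want_mask && !m.contents_clipping_mask)
    m.contents_clipping_mask = std::make_unique<Layer>();
  m.mask_for_paint = m.contents_clipping_mask.get();
}

// Post-fix shape: the cached pointer is refreshed unconditionally, so it is
// either null or points at a mask the main layer still owns.
void UpdateChildLayersFixed(MainLayer& m, bool want_contents, bool want_mask) {
  if (!want_mask) m.contents_clipping_mask.reset();
  if (!want_contents) {
    m.contents.reset();
  } else {
    if (!m.contents) m.contents = std::make_unique<Layer>();
    if (want_mask && !m.contents_clipping_mask)
      m.contents_clipping_mask = std::make_unique<Layer>();
  }
  m.mask_for_paint = m.contents_clipping_mask.get();
}

// Safe check: compares addresses, never dereferences the raw pointer.
bool MaskPointerIsDangling(const MainLayer& m) {
  return m.mask_for_paint != m.contents_clipping_mask.get();
}

// Create both child layers, then drop the mask (and optionally contents) in one update.
bool DanglingAfterTeardown(void (*update)(MainLayer&, bool, bool), bool destroy_contents) {
  MainLayer m;
  update(m, true, true);
  update(m, !destroy_contents, false);
  return MaskPointerIsDangling(m);
}
```

Only the buggy routine with both layers torn down together leaves the cached pointer stale, which matches the "destroyed at the same time" condition in the commit message; a painter that later followed it would read freed memory, as the ASAN report shows.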

Comment 8 by ClusterFuzz (Project Member), Jan 31 2018

ClusterFuzz has detected this issue as fixed in range 533066:533165.

Detailed report: https://clusterfuzz.com/testcase?key=4773602277457920

Fuzzer: inferno_canvas_wrecker
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Heap-use-after-free READ 2
Crash Address: 0x615000064b68
Crash State:
  blink::GraphicsLayer::PaintRecursivelyInternal
  blink::GraphicsLayer::PaintRecursivelyInternal
  blink::GraphicsLayer::PaintRecursivelyInternal
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=532613:532705
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=533066:533165

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4773602277457920

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz (Project Member), Jan 31 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4773602277457920 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 10 by sheriffbot@chromium.org (Project Member), Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -ReleaseBlock-stable

Comment 12 by sheriffbot@chromium.org (Project Member), Mar 27 2018

Labels: -Security_Impact-Head Security_Impact-Stable

Comment 13 by sheriffbot@chromium.org (Project Member), May 9 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot