Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/06d238a9e9311f536cb7c930ee6b6c28987c60ed ([RootLayerScrolls] Clear clipping cache when scrollbars change.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This bug only happens when running tests (in this case, the "--run-layout-flag" to chromium).  Changing bug "type" away from security, since it cannot affect users.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/233ed9ec8e280080c5fa08c1ef4b3e7957861053

commit 233ed9ec8e280080c5fa08c1ef4b3e7957861053
Author: Stefan Zager <szager@chromium.org>
Date: Tue Feb 06 02:33:24 2018

Delay AXObject notifications until end of UpdateScrollOffset

Speculative fix for crasher: if the accessibility notification
callback modifies the DOM tree, it may cause unspecified behavior.

Note that the crash only happens when using WebFrameTestClient, so it
doesn't affect users.

BUG= 808767 
R=skobes@chromium.org

Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I53183a9642b875d27468ddb10027b0efb6feb689
Reviewed-on: https://chromium-review.googlesource.com/902775
Reviewed-by: Steve Kobes <skobes@chromium.org>
Commit-Queue: Stefan Zager <szager@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534597}
[modify] https://crrev.com/233ed9ec8e280080c5fa08c1ef4b3e7957861053/third_party/WebKit/Source/core/paint/PaintLayerScrollableArea.cpp

This speculative fix didn't work, as it is still reproducing. 

ClusterFuzz has detected this issue as fixed in range 537047:537050.

Detailed report: https://clusterfuzz.com/testcase?key=5495448572526592

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x3fc5cba14150
Crash State:
  Bad-cast to blink::PaintLayer from invalid vptr
  blink::PaintLayerScrollableArea::GetLayoutBox
  blink::PaintLayerScrollableArea::UpdateScrollOffset
  
Sanitizer: undefined (UBSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=479114:479272
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=537047:537050

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5495448572526592

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot