Null-dereference READ in blink::ScrollAnchor::Clear
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5952542379606016

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ScrollAnchor::Clear
  blink::LocalFrameView::UpdateScrollOffset
  blink::ScrollableArea::ScrollOffsetChanged
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=536325:536340

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5952542379606016

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Feb 13 2018
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Feb 13 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/dae6f0ca22561ab9cef4a0e46d37faf67333a460 ([RootLayerScrolls] Speculative fix for crasher). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Feb 14 2018
Issue 812216 has been merged into this issue.
Feb 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/cd01cb4c6de95538b0e47fd304b81a2e9d7c3d2e

commit cd01cb4c6de95538b0e47fd304b81a2e9d7c3d2e
Author: Stefan Zager <szager@chromium.org>
Date: Wed Feb 14 18:31:51 2018

Speculative fix for crash in ScrollAnchor::Clear()

The line removed in this CL was added in: https://chromium-review.googlesource.com/c/chromium/src/+/914864

That CL was to fix a crash, but the crash only occurs when root layer scrolling is enabled. The call to ScrollAnchor::Dispose from LocalFrameView::Dispose was added just for completeness, but does not affect the original crash.

This new crash suggests that LocalFrameView may still process scroll events after Dispose() has been called. Which is strange and horrible, but probably not worth fully investigating at this point. Instead, just remove the call to scroll_anchor_.Dispose() and wait for root layer scrolling to make the surrounding code obsolete.

BUG= 812023
R=skobes@chromium.org,bokan@chromium.org

Change-Id: I0715ab5a76e2fee6b4f378fc470d816b851bfa44
Reviewed-on: https://chromium-review.googlesource.com/919396
Reviewed-by: Steve Kobes <skobes@chromium.org>
Commit-Queue: Stefan Zager <szager@chromium.org>
Cr-Commit-Position: refs/heads/master@{#536759}

[modify] https://crrev.com/cd01cb4c6de95538b0e47fd304b81a2e9d7c3d2e/third_party/WebKit/Source/core/frame/LocalFrameView.cpp
Feb 14 2018
This is currently the top #1 renderer crash on the latest Chrome Canary, i.e., 66.0.2247.0, on Windows and Mac.
Feb 14 2018
Users experienced this crash on the following builds:

Mac Canary 66.0.3347.0 - 17.10 CPM, 16 reports, 13 clients (signature blink::ScrollAnchor::Clear)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates. - Go/Fracas
Feb 15 2018
ClusterFuzz has detected this issue as fixed in range 536747:536764.

Detailed report: https://clusterfuzz.com/testcase?key=5952542379606016

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ScrollAnchor::Clear
  blink::LocalFrameView::UpdateScrollOffset
  blink::ScrollableArea::ScrollOffsetChanged
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=536325:536340
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=536747:536764

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5952542379606016

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 15 2018
ClusterFuzz testcase 5952542379606016 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.