Null-dereference READ in base::ThreadFunc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4889619704053760
Fuzzer: marty_html_twiddler
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  base::ThreadFunc
  _pthread_body
  _pthread_start
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4889619704053760

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Apr 26 2018
When I ran this on a debug build on Linux, I got this DCHECK():

[1:1:0426/183059.849860:FATAL:compositing_layer_property_updater.cc(42)] Check failed: layout_snapped_paint_offset == snapped_paint_offset || subpixel_accumulation_may_be_bogus.

#0 0x7fbcc5b0672d base::debug::StackTrace::StackTrace()
#1 0x7fbcc583153c base::debug::StackTrace::StackTrace()
#2 0x7fbcc58a2eea logging::LogMessage::~LogMessage()
#3 0x7fbcb679558e blink::CompositingLayerPropertyUpdater::Update()
#4 0x7fbcb685c9fe blink::PrePaintTreeWalk::WalkInternal()
#5 0x7fbcb685c034 blink::PrePaintTreeWalk::Walk()
#6 0x7fbcb685c08d blink::PrePaintTreeWalk::Walk()
#7 0x7fbcb685c08d blink::PrePaintTreeWalk::Walk()
#8 0x7fbcb685c08d blink::PrePaintTreeWalk::Walk()
#9 0x7fbcb685c08d blink::PrePaintTreeWalk::Walk()
#10 0x7fbcb685bc5d blink::PrePaintTreeWalk::Walk()
#11 0x7fbcb685b745 blink::PrePaintTreeWalk::WalkTree()
#12 0x7fbcb5e73c13 blink::LocalFrameView::PrePaint()
#13 0x7fbcb5e71cd9 blink::LocalFrameView::UpdateLifecyclePhasesInternal()
#14 0x7fbcb5e710c2 blink::LocalFrameView::UpdateAllLifecyclePhases()
#15 0x7fbcb670735b blink::PageAnimator::UpdateAllLifecyclePhases()
#16 0x7fbcb670cc0c blink::PageWidgetDelegate::UpdateLifecycle()
#17 0x7fbcb5d5b258 blink::WebViewImpl::UpdateLifecycle()
#18 0x7fbcb5effad7 blink::WebViewFrameWidget::UpdateLifecycle()
#19 0x7fbcc3b66d76 content::RenderWidget::UpdateVisualState()
#20 0x7fbcc396d080 content::RenderWidgetCompositor::UpdateLayerTreeHost()
#21 0x7fbcbfa046b0 cc::LayerTreeHost::RequestMainFrameUpdate()
#22 0x7fbcbfaf81bc cc::ProxyMain::BeginMainFrame()
#23 0x7fbcbfaf4d83 _ZN4base8internal13FunctorTraitsIMN2cc9ProxyMainEFvNSt3__110unique_ptrINS2_28BeginMainFrameAndCommitStateENS4_14default_deleteIS6_EEEEEvE6InvokeINS_7WeakPtrIS3_EEJS9_EEEvSB_OT_DpOT0_
#24 0x7fbcbfaf4b95 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIMN2cc9ProxyMainEFvNSt3__110unique_ptrINS4_28BeginMainFrameAndCommitStateENS6_14default_deleteIS8_EEEEENS_7WeakPtrIS5_EEJSB_EEEvOT_OT0_DpOT1_
#25 0x7fbcbfaf4a4c _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvNSt3__110unique_ptrINS3_28BeginMainFrameAndCommitStateENS5_14default_deleteIS7_EEEEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperISA_EEEEEFvvEE7RunImplISC_NS5_5tupleIJSE_SG_EEEJLm0ELm1EEEEvOT_OT0_NS5_16integer_sequenceImJXspT1_EEEE
#26 0x7fbcbfaf4939 _ZN4base8internal7InvokerINS0_9BindStateIMN2cc9ProxyMainEFvNSt3__110unique_ptrINS3_28BeginMainFrameAndCommitStateENS5_14default_deleteIS7_EEEEEJNS_7WeakPtrIS4_EENS0_13PassedWrapperISA_EEEEEFvvEE7RunOnceEPNS0_13BindStateBaseE
#27 0x7fbcc57e01de _ZNO4base12OnceCallbackIFvvEE3RunEv
#28 0x7fbcc5832a02 base::debug::TaskAnnotator::RunTask()
#29 0x7fbcb38fae4d blink::scheduler::internal::ThreadControllerImpl::DoWork()
#30 0x7fbcb38fdbd1 _ZN4base8internal13FunctorTraitsIMN5blink9scheduler8internal20ThreadControllerImplEFvNS4_19SequencedTaskSource8WorkTypeEEvE6InvokeIRKNS_7WeakPtrIS5_EEJRKS7_EEEvS9_OT_DpOT0_
#31 0x7fbcb38fdb35 _ZN4base8internal12InvokeHelperILb1EvE8MakeItSoIRKMN5blink9scheduler8internal20ThreadControllerImplEFvNS6_19SequencedTaskSource8WorkTypeEERKNS_7WeakPtrIS7_EEJRKS9_EEEvOT_OT0_DpOT1_
#32 0x7fbcb38fdaad _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler8internal20ThreadControllerImplEFvNS5_19SequencedTaskSource8WorkTypeEEJNS_7WeakPtrIS6_EES8_EEEFvvEE7RunImplIRKSA_RKNSt3__15tupleIJSC_S8_EEEJLm0ELm1EEEEvOT_OT0_NSJ_16integer_sequenceImJXspT1_EEEE
#33 0x7fbcb38fd9bc _ZN4base8internal7InvokerINS0_9BindStateIMN5blink9scheduler8internal20ThreadControllerImplEFvNS5_19SequencedTaskSource8WorkTypeEEJNS_7WeakPtrIS6_EES8_EEEFvvEE3RunEPNS0_13BindStateBaseE
#34 0x7fbcc57e01de _ZNO4base12OnceCallbackIFvvEE3RunEv
#35 0x7fbcc5832a02 base::debug::TaskAnnotator::RunTask()
#36 0x7fbcc58c2069 base::internal::IncomingTaskQueue::RunTask()
#37 0x7fbcc58cb147 base::MessageLoop::RunTask()
#38 0x7fbcc58cb3b8 base::MessageLoop::DeferOrRunPendingTask()
#39 0x7fbcc58cb6e9 base::MessageLoop::DoWork()
#40 0x7fbcc58ced57 base::MessagePumpDefault::Run()
#41 0x7fbcc58ca93b base::MessageLoop::Run()
#42 0x7fbcc5973fed base::RunLoop::Run()
#43 0x7fbcc3b930e5 content::RendererMain()
#44 0x7fbcc3fc1206 content::RunZygote()
#45 0x7fbcc3fc3dde content::RunNamedProcessTypeMain()
#46 0x7fbcc3fc75f4 content::ContentMainRunnerImpl::Run()
#47 0x7fbcc3fba935 content::ContentServiceManagerMainDelegate::RunEmbedderProcess()
#48 0x7fbcb990ce9c service_manager::Main()
#49 0x7fbcc3fc0b45 content::ContentMain()
#50 0x00000062f153 main
#51 0x7fbca89692b1 __libc_start_main
#52 0x00000062f02a _start
Apr 26 2018
I guess the null pointer access happened after passing this DCHECK on release builds. Assigning Blink>Paint for further triage.
Apr 26 2018
Null reads are not P1, which is fortunate since this seems like a hellish case to debug. The assert is probably not the underlying cause. We're hitting it a lot recently. I think the test needs to be re-run without that assert active. I can try that.
May 17 2018
ClusterFuzz has detected this issue as fixed in range 559349:559378.

Detailed report: https://clusterfuzz.com/testcase?key=4889619704053760
Fuzzer: marty_html_twiddler
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  base::ThreadFunc
  _pthread_body
  _pthread_start
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=559349:559378
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4889619704053760

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 17 2018
ClusterFuzz testcase 4889619704053760 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by brajkumar@chromium.org, Apr 26 2018
Components: Blink
Labels: M-66 Test-Predator-Wrong CF-NeedsTriage