The repro here is simply navigating to http://www.bettmeralp.com/pc/, a page with multiple HTML5 videos and some fancy visual effects.

Compositor folks, can you PTAL?

READ of size 8 at 0x6180002dee00 thread T20
SCARINESS: 51 (8-byte-read-heap-use-after-free)
#0 0x1139f9d9e in ContextGL cc/resources/layer_tree_resource_provider.cc:371:46
#1 0x1139f9d9e in cc::LayerTreeResourceProvider::PrepareSendToParent(std::__1::vector<unsigned int, std::__1::allocator<unsigned int> > const&, std::__1::vector<viz::TransferableResource, std::__1::allocator<viz::TransferableResource> >*) cc/resources/layer_tree_resource_provider.cc:138
#2 0x11ba8b7b6 in blink::VideoFrameSubmitter::SubmitFrame(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>) third_party/blink/renderer/platform/graphics/video_frame_submitter.cc:141:23
#3 0x11ba8fa8c in void base::internal::FunctorTraits<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), void>::Invoke<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >(void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>&&, viz::BeginFrameAck&&, scoped_refptr<media::VideoFrame>&&) base/bind_internal.h:447:12
#4 0x11ba8fa8c in void base::internal::InvokeHelper<true, void>::MakeItSo<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >(void (blink::VideoFrameSubmitter::*&&)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>&&, viz::BeginFrameAck&&, scoped_refptr<media::VideoFrame>&&) base/bind_internal.h:567
#5 0x11ba8fa8c in void base::internal::Invoker<base::internal::BindState<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >, void ()>::RunImpl<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), std::__1::tuple<base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >, 0ul, 1ul, 2ul>(void (blink::VideoFrameSubmitter::*&&)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), std::__1::tuple<base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul>) base/bind_internal.h:621
#6 0x11ba8fa8c in base::internal::Invoker<base::internal::BindState<void (blink::VideoFrameSubmitter::*)(viz::BeginFrameAck, scoped_refptr<media::VideoFrame>), base::WeakPtr<blink::VideoFrameSubmitter>, viz::BeginFrameAck, scoped_refptr<media::VideoFrame> >, void ()>::RunOnce(base::internal::BindStateBase*) base/bind_internal.h:589
    #7 0x1100f39b1 in Run base/callback.h:96:12
    #8 0x1100f39b1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #9 0x11017118a in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25
    #10 0x1101726a2 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5
    #11 0x1101726a2 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373
    #12 0x1101765f1 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
    #13 0x110200718 in base::RunLoop::Run() base/run_loop.cc:130:14
    #14 0x1102b3371 in base::Thread::ThreadMain() base/threading/thread.cc:337:3
    #15 0x11038fab0 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13
    #16 0x7fff9c07f99c in _pthread_body
    #17 0x7fff9c07f919 in _pthread_start
    #18 0x7fff9c07d350 in thread_start
0x6180002dee00 is located 0 bytes inside of 480-byte region [0x6180002dee00,0x6180002defe0)
freed by thread T20 here:
#0 0x104354ac2 in __sanitizer_finish_switch_fiber
#1 0x120ae7695 in Release base/memory/scoped_refptr.h:280:8
#2 0x120ae7695 in ~scoped_refptr base/memory/scoped_refptr.h:208
#3 0x120ae7695 in ~scoped_refptr base/memory/scoped_refptr.h:201
#4 0x120ae7695 in operator= base/memory/scoped_refptr.h:223
#5 0x120ae7695 in content::GpuVideoAcceleratorFactoriesImpl::ReleaseContextProvider() content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:394
#6 0x120aea4f1 in CheckContextLost content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:124:7
#7 0x120aea4f1 in content::GpuVideoAcceleratorFactoriesImpl::ContextGL() content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc:332
#8 0x10960c358 in media::GpuMemoryBufferVideoFramePool::PoolImpl::DeleteFrameResources(media::GpuVideoAcceleratorFactories*, media::GpuMemoryBufferVideoFramePool::PoolImpl::FrameResources*) media/video/gpu_memory_buffer_video_frame_pool.cc:1033:54
#9 0x10960adf0 in media::GpuMemoryBufferVideoFramePool::PoolImpl::MailboxHoldersReleased(media::GpuMemoryBufferVideoFramePool::PoolImpl::FrameResources*, gpu::SyncToken const&) media/video/gpu_memory_buffer_video_frame_pool.cc:1058:5
#10 0x1093c5c40 in Run base/callback.h:96:12
#11 0x1093c5c40 in media::VideoFrame::~VideoFrame() media/base/video_frame.cc:1013
#12 0x1093c600c in ~VideoFrame media/base/video_frame.cc:1004:27
#13 0x1093c600c in media::VideoFrame::~VideoFrame() media/base/video_frame.cc:1004
#14 0x11a99b3b4 in DeleteInternal<media::VideoFrame> base/memory/ref_counted.h:398:5
#15 0x11a99b3b4 in Destruct base/memory/ref_counted.h:351
#16 0x11a99b3b4 in Release base/memory/ref_counted.h:387
#17 0x11a99b3b4 in Release base/memory/scoped_refptr.h:280
#18 0x11a99b3b4 in ~scoped_refptr base/memory/scoped_refptr.h:208
#19 0x11a99b3b4 in ~scoped_refptr base/memory/scoped_refptr.h:201
#20 0x11a99b3b4 in media::VideoFrameCompositor::~VideoFrameCompositor() media/blink/video_frame_compositor.cc:66
#21 0x11a99b5ac in ~VideoFrameCompositor media/blink/video_frame_compositor.cc:60:47
#22 0x11a99b5ac in media::VideoFrameCompositor::~VideoFrameCompositor() media/blink/video_frame_compositor.cc:60
    #23 0x1100f39b1 in Run base/callback.h:96:12
    #24 0x1100f39b1 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101
    #25 0x11017118a in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25
    #26 0x1101726a2 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5
    #27 0x1101726a2 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373
    #28 0x1101765f1 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31
    #29 0x110200718 in base::RunLoop::Run() base/run_loop.cc:130:14
    #30 0x1102b3371 in base::Thread::ThreadMain() base/threading/thread.cc:337:3
    #31 0x11038fab0 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13
    #32 0x7fff9c07f99c in _pthread_body
    #33 0x7fff9c07f919 in _pthread_start
    #34 0x7fff9c07d350 in thread_start


->media folks

This code should keep a reference on the context provider.

Specifically, we should stop vending raw pointers here then:

https://cs.chromium.org/chromium/src/content/renderer/media/gpu/gpu_video_accelerator_factories_impl.cc?l=364

All subsequent call sites will need updating as well then.

If I understand correctly, we have a fix. 
https://chromium-review.googlesource.com/c/chromium/src/+/1050801

We no longer should end up in this state because we now monitor context loss. 
liberato@, correct me if I'm wrong.

ClusterFuzz testcase 5861053259579392 appears to be flaky, updating reproducibility label.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot