Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

This looks like fallout from the MaybeOwned UnownedPtr change. The bitmap backing a rendered page in Chrome is getting destroyed after the backing ImageData has been destroyed.

tsepez@ wasn't sure if there were other MaybeOwned issues that had come up since it was last enabled, so passing this over to you to triage.

Dan - given the scariness of 
https://cs.chromium.org/chromium/src/pdf/pdfium/pdfium_engine.cc?rcl=86417fbacf48049927bf602227c297afbb2465f2&l=4167, I've put in a check at
bitmap creation time.  Diagnostic CL at 
https://pdfium-review.googlesource.com/c/pdfium/+/32055

The following revision refers to this bug:
  https://pdfium.googlesource.com/pdfium/+/e7f4d334eff7d396ec0043a97f751483f8cc9e75

commit e7f4d334eff7d396ec0043a97f751483f8cc9e75
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu May 03 20:27:05 2018

Prove that the memory was good at FPDFBitmap_CreateEx() create time.

Diagnostic for the associated bug, not a bugfix. Helps rule out one
possible scenario.

Bug:  chromium:838886 
Change-Id: Ia56fda779407daf8e52a8b754800154fd7491ae7
Reviewed-on: https://pdfium-review.googlesource.com/32055
Reviewed-by: dsinclair <dsinclair@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>

[modify] https://crrev.com/e7f4d334eff7d396ec0043a97f751483f8cc9e75/fpdfsdk/fpdf_view.cpp

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5cee59c3852ed3c5e078ae0c23fce23a77983bcb

commit 5cee59c3852ed3c5e078ae0c23fce23a77983bcb
Author: pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Date: Fri May 04 01:01:19 2018

Roll src/third_party/pdfium/ 525147a1f..ad1788557 (5 commits)

https://pdfium.googlesource.com/pdfium.git/+log/525147a1f6d6..ad178855775d

$ git log 525147a1f..ad1788557 --date=short --no-merges --format='%ad %ae %s'
2018-05-03 rharrison Invalidate GIF input buffer when moving file cursor backwards
2018-05-03 tsepez Prove that the memory was good at FPDFBitmap_CreateEx() create time.
2018-05-03 hnakashima Use pointers instead of refs in CXFA_TextLayout params.
2018-05-03 dsinclair [xfa] Verify we can get a font manager before setting up XFA
2018-05-03 dsinclair [xfa] Verify field count before accessing

Created with:
  roll-dep src/third_party/pdfium
BUG= chromium:839348 , chromium:839361 , chromium:838886 , chromium:835693 , chromium:837585 


The AutoRoll server is located here: https://pdfium-roll.skia.org

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+/master/autoroll/README.md

If the roll is causing failures, please contact the current sheriff, who should
be CC'd on the roll, and stop the roller if necessary.


TBR=dsinclair@chromium.org

Change-Id: I06ec60f0a34b13f864be053ffe512402c4c8ad7a
Reviewed-on: https://chromium-review.googlesource.com/1043278
Reviewed-by: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Commit-Queue: pdfium-chromium-autoroll <pdfium-chromium-autoroll@skia-buildbots.google.com.iam.gserviceaccount.com>
Cr-Commit-Position: refs/heads/master@{#555941}
[modify] https://crrev.com/5cee59c3852ed3c5e078ae0c23fce23a77983bcb/DEPS

Ok, new assert didn't trip, so we can rule out the scary pdfium_engine.cc indexing.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/96ccf9f146812d5076c6d1ac4574eb2fade4a882

commit 96ccf9f146812d5076c6d1ac4574eb2fade4a882
Author: Tom Sepez <tsepez@chromium.org>
Date: Thu May 10 23:46:39 2018

Retain pp::ImageData while there are pending paints against it.

The ImageData might get destroyed while the paints are still
pending. Typically, the paints are then cancelled thereafter so
no harm comes from the dangling references, but this patch avoids
creating them in the first place.

The remaining changes are consequences of ProgressivePaint
becoming non-POD, and converting to protected members. Also
use scoped FPDF classes while we're at it.

Bug:  838886 
Change-Id: Ic933350ac9e981da58f1f841968dc89fb8518974
Reviewed-on: https://chromium-review.googlesource.com/1054502
Reviewed-by: Lei Zhang <thestig@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557724}
[modify] https://crrev.com/96ccf9f146812d5076c6d1ac4574eb2fade4a882/pdf/BUILD.gn
[modify] https://crrev.com/96ccf9f146812d5076c6d1ac4574eb2fade4a882/pdf/pdfium/pdfium_engine.cc
[modify] https://crrev.com/96ccf9f146812d5076c6d1ac4574eb2fade4a882/pdf/pdfium/pdfium_engine.h

ClusterFuzz has detected this issue as fixed in range 557631:558316.

Detailed report: https://clusterfuzz.com/testcase?key=6008186457554944

Fuzzer: ifratric_acrojs
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x12460ddb9180
Crash State:
  CFX_DIBitmap::~CFX_DIBitmap
  CFX_DIBitmap::`scalar deleting destructor'
  chrome_pdf::PDFiumEngine::CancelPaints
  
Sanitizer: address (ASAN)

Recommended Security Severity: Low

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=533127:533139
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=557631:558316

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6008186457554944

Additional requirements: Requires Gestures

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6008186457554944 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot