Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/7004d7e19279e2d31f92fb295e06a8b987700f18 (Reland: "[CI] Convert SVG resources to use SVGResource").

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/20d5cc2faf11ba8c76fead8254f4a57537b9f70b

commit 20d5cc2faf11ba8c76fead8254f4a57537b9f70b
Author: Fredrik Söderquist <fs@opera.com>
Date: Mon May 21 18:11:01 2018

Rebuild the SVGResources for <pattern> after changing SVGResource

Since we reassociate the SVGResource synchronously, we need to also make
sure that the associated SVGResources object is updated, else it could
end up pointing to the old <pattern> LayoutObject.

Bug:  845040 
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I026b46abcd510485ddfe33622cb5f5aa1bab9610
Reviewed-on: https://chromium-review.googlesource.com/1065779
Reviewed-by: Stephen Chenney <schenney@chromium.org>
Commit-Queue: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#560300}
[add] https://crrev.com/20d5cc2faf11ba8c76fead8254f4a57537b9f70b/third_party/WebKit/LayoutTests/svg/custom/pattern-inherit-remove-and-reattach-expected.html
[add] https://crrev.com/20d5cc2faf11ba8c76fead8254f4a57537b9f70b/third_party/WebKit/LayoutTests/svg/custom/pattern-inherit-remove-and-reattach.html
[modify] https://crrev.com/20d5cc2faf11ba8c76fead8254f4a57537b9f70b/third_party/blink/renderer/core/svg/svg_pattern_element.cc

ClusterFuzz has detected this issue as fixed in range 560299:560300.

Detailed report: https://clusterfuzz.com/testcase?key=6699357102145536

Fuzzer: inferno_twister
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Heap-use-after-free READ 4
Crash Address: 0x12312d8970c0
Crash State:
  blink::SVGResources::LayoutIfNeeded
  blink::SVGLayoutSupport::LayoutChildren
  blink::LayoutSVGHiddenContainer::UpdateLayout
  
Sanitizer: address (ASAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=559477:559481
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=560299:560300

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6699357102145536

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6699357102145536 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot