Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

chrishtr@, could you please try to confirm this one.

Looks like clusterfuzz was able to make a reliable repro from  https://crbug.com/855919 . I can reproduce locally and will look into this.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b

commit 0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b
Author: Philip Rogers <pdr@chromium.org>
Date: Thu Aug 02 21:25:11 2018

Use property tree paint offset when snapping scrolling contents rect

This patch fixes a crash where we were using the wrong paint offset
when snapping the scrolling contents rect. Previously, the scrollable
area's location was used as the paint offset, but this is incorrect
and the property tree builder's context should be used instead.

This patch adds a unit test that mirrors a composited layer mapping
test of the same issue (ScrollLayerSizingSubpixelAccumulation). It
also adds a minimized layout test of the crash.

Bug:  868613 

Cq-Include-Trybots: luci.chromium.try:linux_layout_tests_slimming_paint_v2;master.tryserver.blink:linux_trusty_blink_rel
Change-Id: I2d045ae4d50ccb7a8eae6efbe2817e6e93d462ee
Reviewed-on: https://chromium-review.googlesource.com/1158798
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Philip Rogers <pdr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#580327}
[add] https://crrev.com/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b/third_party/WebKit/LayoutTests/transforms/transformed-scroller-snapping-crash-expected.txt
[add] https://crrev.com/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b/third_party/WebKit/LayoutTests/transforms/transformed-scroller-snapping-crash.html
[modify] https://crrev.com/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b/third_party/blink/renderer/core/paint/compositing/composited_layer_mapping.cc
[modify] https://crrev.com/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b/third_party/blink/renderer/core/paint/paint_layer_scrollable_area.cc
[modify] https://crrev.com/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b/third_party/blink/renderer/core/paint/paint_layer_scrollable_area.h
[modify] https://crrev.com/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b/third_party/blink/renderer/core/paint/paint_property_tree_builder.cc
[modify] https://crrev.com/0ed6d332ef1985d0c1cc1218cc273cf24e0cf83b/third_party/blink/renderer/core/paint/paint_property_tree_builder_test.cc

ClusterFuzz has detected this issue as fixed in range 580326:580327.

Detailed report: https://clusterfuzz.com/testcase?key=4710877480353792

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  *original_properties_->Scroll() == *object_properties->Scroll(). Property was up
  blink::FindObjectPropertiesNeedingUpdateScope::~FindObjectPropertiesNeedingUpdat
  blink::FragmentPaintPropertyTreeBuilder::UpdateForChildren
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=580326:580327

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4710877480353792

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4710877480353792 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.