Issue 594915
Issue metadata

Status: Fixed
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Floating-point-exception in blink::BackgroundImageGeometry::calculate

Reported by ClusterFuzz (Project Member), Mar 15 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6002048927006720

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::BackgroundImageGeometry::calculate
  blink::BoxPainter::paintFillLayer
  blink::BoxPainter::paintFillLayers
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=380964:381060

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94ZeMXw0OF-GP55EV-D2g9H00ZfP9eKFajmUpgJSqLoXxWSy-ga8Lq27vVRhThpvBU1vnImapQ7FyNCVwgJxhj2nMz1QlsjjPVDkMie4mvoK0VL6t_mj7sdiMyoLJ_yV_JQWQm3smd0OMnoPV_V1BuOKco9Hw
<style>
   img {
    -webkit-mask: url(resources/color-profile-mask-image.svg) top left;
    -webkit-mask-size: 33% 33%;
    -webkit-mask-repeat: space;
  </style>
     <img height="1" width="600"/>


Filer: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Mar 15 2016

Components: Blink>Paint
Labels: -Pri-1 -Cr-Blink findit-for-crash Te-Logged M-51 Pri-2
Owner: schenney@chromium.org
Status: Assigned (was: Available)
Suspected CLs: The result is a list of CLs that change the crashed files.

Author: schenney
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a75de675cbb8f9f594fabc68236a4547975ad7fe
Time: Mon Mar 14 14:34:18 2016
Lines 333, 348-354 of file BackgroundImageGeometry.cpp, which potentially caused the crash, are changed in this CL (frame #2, "blink::BackgroundImageGeometry::calculate").

File BoxPainter.cpp is changed in this CL (and is part of stack frame #3, "blink::BoxPainter::paintFillLayer"; frame #4, "blink::BoxPainter::paintFillLayers"; frame #5, "blink::BoxPainter::paintMaskImages"; frame #6, "blink::BoxPainter::paintMask").
Minimum distance from crash line to modified line: 0 (file: BackgroundImageGeometry.cpp, crashed on: 333, modified: 333).

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Paint
======================================

schenney@: Could you please take a look at this?

Thank you!

Comment 2 by ClusterFuzz (Project Member), Mar 17 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5837916433022976

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::BackgroundImageGeometry::calculate
  blink::BoxPainter::paintFillLayer
  blink::InlineFlowBoxPainter::paintFillLayer
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703

Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94hUrsJoRm65pf45A6z4OXC3PeqHKgDa_Ar9HJ3bsQ7meJtTUvGTBnzhjA7uiWouB0irsRA_eXLC-gOfLAjvYwjlFIQNOsno4NmrC2QGe2ZOpvFr2RZfsBKnYeRgA9waxRLZhiKLRaqD2CSG0ES0o3YHiraoA
<a>spec reference<style>
*:nth-child(odd) { background-spacing: 91.0253849174cm; background-repeat: repeat space;  }<style>
@keyframes cfpulse1 { 0% { opacity: 0.2027;  } 
 100% { opacity: 0.5281;2px);  } }
* { animation-name: cfpulse92; background: url(#tCF2) center/102% 4% repeat-x;


Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 3 by bugdroid1@chromium.org (Project Member), Mar 18 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d146f1d1b21205841f8982b4fafc87b02b07aa29

commit d146f1d1b21205841f8982b4fafc87b02b07aa29
Author: schenney <schenney@chromium.org>
Date: Fri Mar 18 20:03:13 2016

Fix the check for divide-by-zero in background image tiling

A recent patch changed the width used to find the amount of space
when background-repeat is set to space, but did not update the
corresponding zero check. This patch fixes it and adds a test
for zero sized tiles in background painting.

R=leviw@chromium.org
BUG=595141,594915

Review URL: https://codereview.chromium.org/1812893002

Cr-Commit-Position: refs/heads/master@{#382058}

[add] https://crrev.com/d146f1d1b21205841f8982b4fafc87b02b07aa29/third_party/WebKit/LayoutTests/fast/backgrounds/background-repeat-space-zero-tile-size-expected.html
[add] https://crrev.com/d146f1d1b21205841f8982b4fafc87b02b07aa29/third_party/WebKit/LayoutTests/fast/backgrounds/background-repeat-space-zero-tile-size.html
[modify] https://crrev.com/d146f1d1b21205841f8982b4fafc87b02b07aa29/third_party/WebKit/Source/core/paint/BackgroundImageGeometry.cpp
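The commit message above describes a zero check that tested a different width than the one actually used as a divisor. The following is an added, illustrative integer model of background-repeat: space geometry, not Blink's BackgroundImageGeometry code; the function names and the whole-pixel arithmetic are assumptions made for the example.

```cpp
// Integer model of CSS background-repeat: space tiling (added example, not
// Blink's code). The tile count comes from an integer division by the tile
// size, so a tile size that rounds to zero must be rejected before dividing,
// otherwise the division traps with a floating-point exception (SIGFPE).

struct SpaceLayout {
    bool valid;     // false when there is nothing to tile (no division done)
    int tileCount;  // tiles laid along one axis
    int spacing;    // gap between adjacent tiles; 0 when fewer than 2 tiles fit
};

// Percentage background-size truncated to whole pixels. A 33% tile of a
// 1px-tall image is 0, which is how the minimized test case in this bug
// (height="1", mask-size 33%) produces a zero-sized tile.
int scaledTileSize(int imageSize, int sizePercent) {
    return imageSize * sizePercent / 100;
}

// Computes tile count and spacing for 'space'. The guard tests the value
// that is actually divided by (the scaled tile size). Testing the unscaled
// image size instead is the mismatch the commit message describes: the
// check passes for a 1px image while the scaled divisor is already 0.
SpaceLayout spaceLayout(int areaSize, int imageSize, int sizePercent) {
    int tile = scaledTileSize(imageSize, sizePercent);
    if (tile <= 0 || areaSize <= 0)      // zero check on the divisor itself
        return SpaceLayout{false, 0, 0}; // nothing to paint; no division
    int count = areaSize / tile;
    if (count < 2)                       // one tile or none: no gaps to distribute
        return SpaceLayout{true, count, 0};
    int leftover = areaSize - count * tile;
    return SpaceLayout{true, count, leftover / (count - 1)};
}
```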

Comment 4 by ClusterFuzz (Project Member), Mar 19 2016

ClusterFuzz has detected this issue as fixed in range 382014:382135.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6002048927006720

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::BackgroundImageGeometry::calculate
  blink::BoxPainter::paintFillLayer
  blink::BoxPainter::paintFillLayers
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=380964:381060
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=382014:382135

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94ZeMXw0OF-GP55EV-D2g9H00ZfP9eKFajmUpgJSqLoXxWSy-ga8Lq27vVRhThpvBU1vnImapQ7FyNCVwgJxhj2nMz1QlsjjPVDkMie4mvoK0VL6t_mj7sdiMyoLJ_yV_JQWQm3smd0OMnoPV_V1BuOKco9Hw
<style>
   img {
    -webkit-mask: url(resources/color-profile-mask-image.svg) top left;
    -webkit-mask-size: 33% 33%;
    -webkit-mask-repeat: space;
  </style>
     <img height="1" width="600"/>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 5 by ClusterFuzz (Project Member), Mar 20 2016

ClusterFuzz has detected this issue as fixed in range 382014:382135.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5837916433022976

Fuzzer: inferno_twister_custom_bundle
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::BackgroundImageGeometry::calculate
  blink::BoxPainter::paintFillLayer
  blink::InlineFlowBoxPainter::paintFillLayer
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=209699:209703
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=382014:382135

Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94hUrsJoRm65pf45A6z4OXC3PeqHKgDa_Ar9HJ3bsQ7meJtTUvGTBnzhjA7uiWouB0irsRA_eXLC-gOfLAjvYwjlFIQNOsno4NmrC2QGe2ZOpvFr2RZfsBKnYeRgA9waxRLZhiKLRaqD2CSG0ES0o3YHiraoA
<a>spec reference<style>
*:nth-child(odd) { background-spacing: 91.0253849174cm; background-repeat: repeat space;  }<style>
@keyframes cfpulse1 { 0% { opacity: 0.2027;  } 
 100% { opacity: 0.5281;2px);  } }
* { animation-name: cfpulse92; background: url(#tCF2) center/102% 4% repeat-x;


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
