Regression information is not available. The result is the blame information.

Author: wangxianzhu@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/846c7c3ad6bb57267ced3c565e0a7fdf5d78d01e
Time: Thu Apr 02 01:36:19 2015
The CL last changed line 90 of file PaintController.cpp, which is stack frame 0.

Author: pdr@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6472f37af2fcfaf94a4a05b751e6cebb92a2e6cd
Time: Wed Sep 02 17:48:50 2015
The CL last changed line 76 of file PaintController.h, which is stack frame 1.

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/3af6f774f26d0153741f84baeb5ddefef0f7cb5d
Time: Fri Mar 11 05:29:32 2016
The CL last changed line 91 of file DrawingRecorder.cpp, which is stack frame 2.

Author: jbroman@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/80609bebfe4c0c68d3b3a8ffb794acef89615610
Time: Wed Jun 03 00:20:37 2015
The CL last changed line 45 of file Optional.h, which is stack frame 3.

Author: wangxianzhu@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/430b9719ae38df77f0cba6a6df77fbf753d1f4f5
Time: Thu Jun 18 01:35:56 2015
The CL last changed line 22 of file LayoutObjectDrawingRecorder.h, which is stack frame 4.

Author: chrishtr@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7a25d907698e89274bebe3cabf8865bff2b63384
Time: Wed Sep 10 16:29:19 2014
The CL last changed line 124 of file BoxPainter.cpp, which is stack frame 5.

Author: chrishtr@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7a25d907698e89274bebe3cabf8865bff2b63384
Time: Wed Sep 10 16:29:19 2014
The CL last changed line 51 of file BoxPainter.cpp, which is stack frame 6.

Suspected Project: chromium
Suspected Component: Blink>Paint
====================================
Above is the only CL from findit and the changes made to file "PaintController.h" from the frame #1 is more related to it. 

pdr@ :Could you please look into this issue if it is related to your change,else please route this issue to an appropriate dev person.

Thanks,

Minimized testcase

Deleted: crash.html 515 bytes

crash.html 515 bytes View Download

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/6c961fe1112914b9d63d6551e31b96c415dfb83f

commit 6c961fe1112914b9d63d6551e31b96c415dfb83f
Author: pdr <pdr@chromium.org>
Date: Tue Apr 26 03:17:41 2016

Rewrite overhanging float arithmetic to work near numeric limits

This patch fixes a bug where floats near LayoutUnit::max() would
incorrectly get added to two LayoutObjects which would lead to
duplicate display items when the floats were painted by both parents.

Examples sometimes make these easier to review:
  logicalTop = LayoutUnit::max()
  prevLogicalTop = (LayoutUnit::max() - 4)
  prevLowestFloatLogicalBottom = 8

Previous logic:
  if (prevLowestFloatLogicalBottom > logicalTop - prevLogicalTop) { ...

New logic:
  if (logicalTop < prevLowestFloatLogicalBottom + prevLogicalTop) { ...

BUG= 604331 

Review URL: https://codereview.chromium.org/1916693002

Cr-Commit-Position: refs/heads/master@{#389679}

[add] https://crrev.com/6c961fe1112914b9d63d6551e31b96c415dfb83f/third_party/WebKit/LayoutTests/fast/block/float/overhanging-float-overflow-crash-expected.txt
[add] https://crrev.com/6c961fe1112914b9d63d6551e31b96c415dfb83f/third_party/WebKit/LayoutTests/fast/block/float/overhanging-float-overflow-crash.html
[modify] https://crrev.com/6c961fe1112914b9d63d6551e31b96c415dfb83f/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp

This is marked as M50 but I'd like to let this roll through the regular release process.

ClusterFuzz has detected this issue as fixed in range 389675:389686.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6678992886693888

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT_NOT_REACHED
Crash Address: 
Crash State:
  blink::PaintController::processNewItem
  void blink::PaintController::createAndAppend<blink::DrawingDisplayItem, blink::D
  blink::DrawingRecorder::~DrawingRecorder
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=389675:389686

Minimized Testcase (0.99 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94djk5zr3lEHR2hhq6Mct6cbU5ePxqQ0kvrpO4oPjbyqeHu7qAXkQ_UvjNyQODZgbtjXut7NrBZbpaVoKODkJ-92e9SULXvKz3EkQX1wDrq5fKCva23HMGo3mzDGMkxeT5jnK0wTHhOc8W_AXP9OFtUSR4XVA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot