Issue 606528

Issue metadata

Status: Verified
Closed: Oct 2016
OS: Linux
Pri: 1
Type: Bug




CHECK failed: base::IsValueInRangeForNumericType<int>( std::floor(rect.y() * y_s

Reported by ClusterFuzz (Project Member), Apr 25 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577094461292544

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  CHECK failed: base::IsValueInRangeForNumericType<int>( std::floor(rect.y() * y_s
  gfx::ScaleToEnclosingRect
  gfx::ScaleToEnclosingRect
  

Minimized Testcase (0.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97JCCG5YPeakgfM0jJ1YMXeQ-hpL1EcnmxEmuPJc1ZR7-oSnb3H9llH5_8_OF4e_TNVLGAZR9FBlQ2Ldhi_k6Od1uPoCLAJ7SHfehc_Hswc28BHk0fhqFssyBH8yWw2u17s0xYD1edNsIrf-p0eqGSTirsocw

Filer: manoranjanr

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: est...@chromium.org
Components: Tools>Test>FindIt>NoResult UI>GFX
Labels: Te-Logged
Owner: danakj@chromium.org
Status: Assigned (was: Available)
danakj@, could you please help us find the right owner?

Thank you!

Comment 2 Deleted

Comment 3 by danakj@chromium.org, Apr 25 2016

Cc: ajuma@chromium.org enne@chromium.org vmp...@chromium.org
Here's the callstack from the report:

#0 0x0000004b58c1 __interceptor_backtrace
#1 0x7f336dfe30cc base::debug::StackTrace::StackTrace()
#2 0x7f336e143082 logging::LogMessage::~LogMessage()
#3 0x7f3368fcdfba gfx::ScaleToEnclosingRect()
#4 0x7f3369069e58 gfx::ScaleToEnclosingRect()
#5 0x7f336904c9e2 cc::LayerImpl::PopulateScaledSharedQuadState()
#6 0x7f33690b83f2 cc::PictureLayerImpl::AppendQuads()
#7 0x7f33698993d6 cc::LayerTreeHostImpl::CalculateRenderPasses()
#8 0x7f33698a4e8e cc::LayerTreeHostImpl::PrepareToDraw()
#9 0x7f3369a9e174 cc::ProxyImpl::DrawAndSwapInternal()
#10 0x7f3369a9d69d cc::ProxyImpl::ScheduledActionDrawAndSwapIfPossible()
#11 0x7f33695e574b cc::Scheduler::DrawAndSwapIfPossible()

Comment 4 by danakj@chromium.org, Apr 25 2016

PopulateScaledSharedQuadState does

  gfx::Rect scaled_visible_layer_rect =
      gfx::ScaleToEnclosingRect(visible_layer_rect(), scale);

visible_layer_rect.y() * scale in this case does not fit inside an integer.

Comment 5 by danakj@chromium.org, Apr 25 2016

This is the transform on the layer:

transform: rotatex(-6deg) scale3d(24, 4, 23) rotatex(13deg);

Comment 6 by danakj@chromium.org, Apr 25 2016

Cc: chrishtr@chromium.org
So, the page is really tall, and scaled by 4, which makes its size no longer fit in an integer. What's the right thing to do in this case?

Comment 7 by est...@chromium.org, Apr 25 2016

The page is 536,870,912px tall? Correct fix imo is to refuse to render at all.

Comment 8 by danakj@chromium.org, Apr 25 2016

We already will clip pages that are > an int tall in GraphicsLayer (I think?). In this case the page fits in an int, but there's a scale. Should we do some checking of the scale vs the size when we choose to promote a layer?
Is it easy to just cap the size?
We could divide out the transform scales or something when doing the size capping we do.

There will always be corner cases though. Like if we're animating then suddenly we need to check those too.

Maybe PictureLayerImpl should deal with this by capping the raster scale: https://code.google.com/p/chromium/codesearch#chromium/src/cc/layers/picture_layer_impl.cc&rcl=1461583037&l=1123
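As an added example (not Chromium's code, and not the fix that eventually landed, which the bug does not describe), the following C++ models the arithmetic discussed in comments 4 through 8: a rect whose y() is 536,870,912 scaled by 4 produces 2^31, which no longer fits in an int, and a range check modeled on base::IsValueInRangeForNumericType<int> is what turns that into the CHECK failure. The `Rect` struct, `FitsInInt`, `ScaleToEnclosingRectChecked` and `CapScaleForRect` are stand-ins written for this example; the floor/ceil arithmetic is an assumption about how gfx::ScaleToEnclosingRect computes its edges, and the scale cap is only one hypothetical reading of the "capping the raster scale" idea in comment 8.

```cpp
// Added example (not Chromium code): models the int overflow that trips the
// CHECK in gfx::ScaleToEnclosingRect and one hypothetical way to cap the scale.
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <initializer_list>
#include <iterator>
#include <limits>
#include <optional>

// Minimal stand-in for gfx::Rect: integer origin and size, like the real one.
struct Rect {
  int x;
  int y;
  int width;
  int height;
};

// Stand-in for base::IsValueInRangeForNumericType<int>(double): the double
// must be representable as an int. INT_MIN and INT_MAX convert to double exactly.
bool FitsInInt(double v) {
  return std::isfinite(v) &&
         v >= static_cast<double>(std::numeric_limits<int>::min()) &&
         v <= static_cast<double>(std::numeric_limits<int>::max());
}

// Modeled on gfx::ScaleToEnclosingRect (assumption about its arithmetic):
// floor the left/top edges, ceil the right/bottom edges, all in double, then
// range-check before narrowing to int. Where Chromium CHECK-fails, this
// returns std::nullopt so the caller can decide what to do instead.
std::optional<Rect> ScaleToEnclosingRectChecked(const Rect& r, double x_scale,
                                                double y_scale) {
  // Compute the far edges in double so r.x + r.width cannot itself overflow.
  const double left = std::floor(r.x * x_scale);
  const double top = std::floor(r.y * y_scale);
  const double right = std::ceil((static_cast<double>(r.x) + r.width) * x_scale);
  const double bottom = std::ceil((static_cast<double>(r.y) + r.height) * y_scale);
  const double w = right - left;
  const double h = bottom - top;
  for (double v : {left, top, right, bottom, w, h}) {
    if (!FitsInInt(v)) return std::nullopt;  // the check that fires in the report
  }
  return Rect{static_cast<int>(left), static_cast<int>(top),
              static_cast<int>(w), static_cast<int>(h)};
}

// Hypothetical mitigation in the spirit of comment 8 ("capping the raster
// scale"): shrink the scale so that every scaled edge stays inside int range.
// A single scale is used for both axes here to keep the example short.
double CapScaleForRect(const Rect& r, double scale) {
  const double edges[] = {std::fabs(static_cast<double>(r.x)),
                          std::fabs(static_cast<double>(r.y)),
                          std::fabs(static_cast<double>(r.x) + r.width),
                          std::fabs(static_cast<double>(r.y) + r.height)};
  const double largest = *std::max_element(std::begin(edges), std::end(edges));
  if (largest == 0.0) return scale;  // every edge scales to 0; nothing to cap
  // Small relative margin so ceil() of a scaled edge cannot land on INT_MAX + 1
  // through floating-point rounding.
  const double max_scale =
      (static_cast<double>(std::numeric_limits<int>::max()) / largest) *
      (1.0 - 1e-6);
  return std::min(scale, max_scale);
}

int main() {
  // Constructed input mirroring comment 7: a layer 536,870,912 px down the
  // page, scaled by the y factor of 4 from scale3d(24, 4, 23).
  const Rect visible{0, 536870912, 100, 100};
  if (!ScaleToEnclosingRectChecked(visible, 4.0, 4.0)) {
    std::printf("scale 4: 536870912 * 4 = 2^31 does not fit in an int\n");
  }
  const double capped = CapScaleForRect(visible, 4.0);
  const Rect scaled = *ScaleToEnclosingRectChecked(visible, capped, capped);
  std::printf("capped scale %.7f -> y=%d height=%d\n", capped, scaled.y,
              scaled.height);
  return 0;
}
```

The point of checking all six values (four edges plus width and height) is that a rect whose edges each fit can still have a width that does not, when left is far negative and right far positive; the real CHECK in the report fires on the first edge, but a replacement that returns a value instead of crashing has to cover every narrowing it performs.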
Comment 11 by ClusterFuzz (Project Member), Oct 1 2016

ClusterFuzz has detected this issue as fixed in range 392686:392692.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577094461292544

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  base::IsValueInRangeForNumericType<int>( std::floor(rect.y() * y_scale)) in rect
  gfx::ScaleToEnclosingRect
  gfx::ScaleToEnclosingRect
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=334568:334589
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392686:392692

Minimized Testcase (0.27 Kb): https://cluster-fuzz.appspot.com/download/AMIfv960e6PBXxyo85BRiyqv3Ux2wckZ1EXGBSKvGJJ5exWBkpQtC1WOAHAx9Rj4VZ1DZe7kVo136iuoxcHPzprqdgAayD7nsCfeNdZz7MIFw5wUtXmPnMEoKyZUccZp8Cv1o5pfD80WFLUw88U6Ish4cFUPDEfEqA?testcase_id=4577094461292544

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 12 by ClusterFuzz (Project Member), Oct 1 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Components: -Tools>Test>FindIt>NoResult
Comment 14 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
