
Issue 610482


Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




ASSERTION FAILED: !exceptionState.hadException()

Project Member Reported by ClusterFuzz, May 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5079616699498496

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  ASSERTION FAILED: !exceptionState.hadException()
  blink::EffectInput::convertArrayForm
  blink::EffectInput::convert
  

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv969_InZvrRP8dv_VGWOl4xIf9xIZP8mwNJBFCqV420WFs3A6lgXV_veGzJ-tV4oC2-JrAByC72VKkybsKzVAGtiBqMOb07MN3FDEfQ2luRBSCWpMYKi4Cb5jfWs0SSvhUmqbrETVoCq-t6_pW_XA5SHi4uYzQ
<script>
// Minimized ClusterFuzz testcase. `iterations` and `i` are never declared, so
// the iterator's next() throws a ReferenceError on its first step while Blink
// is draining the keyframes iterable inside element.animate().
function assertAnimationEffect({keyframes}) {
  var target = document.createElement('target');
  var animation = target.animate(keyframes, {});
}
function createIterable() {
  return {
    [Symbol.iterator]() {
      return {next: () => iterations[i++]};
    }
  };
}
assertAnimationEffect({
  keyframes: createIterable()
});
</script>


Filer: pucchakayala

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>CorrectResult
Labels: Te-Logged M-51
Owner: alancutter@chromium.org
Status: Assigned (was: Available)
Suspected CLs: Regression information is not available. The result is the blame information.

Author: suzyh
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/84a58b756e4c8c2746cdfc8f326c11f06d0b2865
Time: Thu Apr 14 07:03:32 2016
The CL last changed line 229 of file EffectInput.cpp, which is stack frame 0.

Author: alancutter
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dd0212bf1ded527ef727fe2f2647186b472c379e
Time: Fri Mar 04 05:11:37 2016
The CL last changed line 165 of file EffectInput.cpp, which is stack frame 1.

Author: alancutter
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/dd0212bf1ded527ef727fe2f2647186b472c379e
Time: Fri Mar 04 05:11:37 2016
The CL last changed line 68 of file ElementAnimation.h, which is stack frame 2.

Suspected Project: chromium
Suspected Component: Blink>Animation
Labels: -Pri-1 Pri-2
Very very corner case assertion failure, fix incoming.
Project Member

Comment 3 by bugdroid1@chromium.org, May 11 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/965a648d5477aeb0bcb10b08d06d68ad3934d426

commit 965a648d5477aeb0bcb10b08d06d68ad3934d426
Author: alancutter <alancutter@chromium.org>
Date: Wed May 11 04:29:55 2016

Fix assertion failure when exception is thrown during keyframe iteration

The code that exhausts iterables passed into element.animate() did not
take Javascript exceptions into account when asserting on exception
state.

BUG= 610482 

Review-Url: https://codereview.chromium.org/1967463002
Cr-Commit-Position: refs/heads/master@{#392851}

[add] https://crrev.com/965a648d5477aeb0bcb10b08d06d68ad3934d426/third_party/WebKit/LayoutTests/animations/keyframe-iteration-exception-crash.html
[modify] https://crrev.com/965a648d5477aeb0bcb10b08d06d68ad3934d426/third_party/WebKit/Source/core/animation/EffectInput.cpp
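The commit message above describes the defect as the keyframe converter asserting that no exception was pending after draining a script-supplied iterable. The following is an added example, not Chromium's code, that models that pattern in plain JavaScript so the failure mode and the corrected check can be run outside the browser: `ExceptionState`, `exhaustIterable`, `convertArrayForm`, `animate` and `outcome` are stand-ins invented for illustration, and the sample iterables are constructed inputs (the first has the same shape as the minimized testcase).

```javascript
// Added example (not Chromium's code). Every step of the iterator protocol
// ([Symbol.iterator](), next(), reading .done/.value) runs script supplied by
// the caller and can throw, so a converter that drains an iterable must check
// for a pending exception afterwards instead of asserting that none occurred.

// Minimal stand-in for Blink's ExceptionState: records the first error.
class ExceptionState {
  constructor() { this.error = null; }
  hadException() { return this.error !== null; }
  rethrow() { if (this.error !== null) throw this.error; }
}

// Drain an iterable into an array, recording any exception thrown by the
// iterator (or by a non-iterable input) rather than letting it escape.
function exhaustIterable(iterable, exceptionState) {
  const values = [];
  try {
    const iterator = iterable[Symbol.iterator]();
    for (;;) {
      const step = iterator.next();      // caller-controlled; may throw
      if (step.done) break;
      values.push(step.value);
    }
  } catch (e) {
    exceptionState.error = e;
  }
  return values;
}

// Stand-in for EffectInput::convertArrayForm: validate each keyframe object.
function convertArrayForm(iterable, exceptionState) {
  const keyframes = exhaustIterable(iterable, exceptionState);
  // The check the fix restores: stop while an exception is pending, rather
  // than asserting !exceptionState.hadException() and reading garbage.
  if (exceptionState.hadException()) return null;
  for (const frame of keyframes) {
    if (frame === null || typeof frame !== 'object') {
      exceptionState.error = new TypeError('keyframe is not an object');
      return null;
    }
  }
  return keyframes;
}

// Stand-in for element.animate(): convert, then surface any pending error to
// the caller as an ordinary JavaScript exception.
function animate(keyframes) {
  const exceptionState = new ExceptionState();
  const converted = convertArrayForm(keyframes, exceptionState);
  exceptionState.rethrow();
  return converted;
}

// Constructed inputs. The first mirrors the ClusterFuzz testcase: next()
// references an undeclared variable, so iteration throws on the first step.
function throwingIterable() {
  return { [Symbol.iterator]() { return { next: () => iterations[i++] }; } };
}
function* goodIterable() {
  yield { opacity: 0 };
  yield { opacity: 1 };
}

// Summarise what animate() does with an input, for quick inspection.
function outcome(iterable) {
  try {
    return `converted ${animate(iterable).length} keyframes`;
  } catch (e) {
    return `${e.name}: ${e.message}`;
  }
}
```

With the check in place, `outcome(throwingIterable())` reports the ReferenceError thrown from inside the iterator, while `outcome(goodIterable())` reports two converted keyframes; the converter never touches the half-built keyframe list once an error is pending.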

Project Member

Comment 4 by ClusterFuzz, May 11 2016

ClusterFuzz has detected this issue as fixed in range 392834:392865.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392834:392865


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Project Member

Comment 6 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
