CHECK failed: delayMs >= 0.0 in web_task_runner_impl.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6545697595981824
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  CHECK failed: delayMs >= 0.0 in web_task_runner_impl.cc
  scheduler::WebTaskRunnerImpl::postDelayedTask
  blink::TimerBase::setNextFireTime
Minimized Testcase (0.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95r7qcBp6JBpWrNFwlhh-E7wOx23-I69i7CqEmOqvZCQCk6fqUH9q5iF7dNyTboRq9Xf6_SyXAs9RxTBYmsbkV2q5wN-V3wVjqX6afOQywyhYHsRzoYI_hCJ-e3UCYaQjhcFQXGrwzZb-frYx8oAsK2vHu6lw
Filer: manoranjanr
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

May 27 2016
It looks like there's a bug with setInterval and the timer nesting code. Somehow Timer::augmentRepeatInterval passed a negative delay into setNextFireTime. Looking at the code I think I can see how that could happen. If (now - m_nextFireTime) > delta then the computation will be negative. Probably the simplest thing to do here is to clamp the computation: setNextFireTime(now, std::max(0.0, m_nextFireTime - now + delta));
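The arithmetic described in the comment above, as an added C++ example that is not code from the Chromium tree: a small model of the repeating-timer state in which augmentRepeatInterval computes the delay both without the clamp (the pre-fix behaviour) and with std::max(0.0, ...) (the fix). The ModelTimer struct, the scheduledDelay helper and the time values are constructed for this example; postDelayedTaskWouldPass stands in for the CHECK in WebTaskRunnerImpl::postDelayedTask and returns false instead of aborting. The point for a reviewer is that a failed CHECK terminates the renderer, so web content that can make a repeating timer overdue by more than the nesting delta gets a reproducible renderer crash; the clamp restores the invariant that every delay handed to the task runner is non-negative.

```cpp
#include <algorithm>
#include <cmath>
#include <cstdio>
#include <initializer_list>

// Model of the repeating-timer state involved in the bug. The member names
// follow the comment above (m_nextFireTime, augmentRepeatInterval,
// setNextFireTime); the struct and helpers are constructed for this example
// and are not Blink's Timer class.
struct ModelTimer {
    double m_nextFireTime;    // absolute time, in seconds, of the next firing
    double m_repeatInterval;  // seconds between firings
};

// Stand-in for the CHECK in WebTaskRunnerImpl::postDelayedTask. The real
// function aborts the process when delayMs < 0; returning false here lets
// the failing case be observed without crashing.
bool postDelayedTaskWouldPass(double delaySeconds) {
    double delayMs = delaySeconds * 1000.0;
    return delayMs >= 0.0;
}

// Equivalent of setNextFireTime(now, delay): record the new fire time and
// report whether the delay would have passed the CHECK.
bool setNextFireTime(ModelTimer& t, double now, double delay) {
    t.m_nextFireTime = now + delay;
    return postDelayedTaskWouldPass(delay);
}

// augmentRepeatInterval as described in the comment, with or without the
// clamp from the fix. Returns the delay handed to setNextFireTime.
//   unclamped: m_nextFireTime - now + delta   (negative once the timer is
//              overdue by more than delta, i.e. now - m_nextFireTime > delta)
//   clamped:   std::max(0.0, m_nextFireTime - now + delta)
double augmentRepeatInterval(ModelTimer& t, double now, double delta, bool clamped) {
    double delay = t.m_nextFireTime - now + delta;
    if (clamped)
        delay = std::max(0.0, delay);
    setNextFireTime(t, now, delay);
    t.m_repeatInterval += delta;
    return delay;
}

// Convenience wrapper: build a timer due at nextFireTime and apply the
// augmentation at time `now`. Returns the computed delay.
double scheduledDelay(double nextFireTime, double now, double delta, bool clamped) {
    ModelTimer t = {nextFireTime, 1.0};  // 1.0 s repeat interval (constructed value)
    return augmentRepeatInterval(t, now, delta, clamped);
}

int main() {
    // Constructed scenario: timer was due at t=1.0 s but the thread only
    // gets to it at t=1.5 s (overdue by 0.5 s); nesting adds delta=0.2 s.
    const double kDue = 1.0, kNow = 1.5, kDelta = 0.2;
    for (bool clamped : {false, true}) {
        double d = scheduledDelay(kDue, kNow, kDelta, clamped);
        std::printf("%-9s delay=%+.3f s  CHECK %s\n",
                    clamped ? "clamped" : "unclamped", d,
                    postDelayedTaskWouldPass(d) ? "passes" : "FAILS");
    }
    // Overdue by less than delta: both versions compute the same delay.
    std::printf("mild      delay=%+.3f s\n", scheduledDelay(1.0, 1.1, 0.2, false));
    return 0;
}
```

In the overdue case the unclamped computation yields -0.3 s, which the task runner rejects; the clamped version yields 0.0 s, so the timer simply fires on the next pass instead of being scheduled in the past. When the timer is overdue by less than delta both versions agree, which is why the bug only surfaced under fuzzed timing.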
May 27 2016
That should fix it.
May 27 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e7273e13e246f8de550a4684026707232ffdf4a4

commit e7273e13e246f8de550a4684026707232ffdf4a4
Author: alexclarke <alexclarke@chromium.org>
Date: Fri May 27 15:49:12 2016

Prevent augmentRepeatInterval from computing a negative delay

Under some circumstances augmentRepeatInterval could compute a negative delay. Prevent this by clamping the result.

BUG= 615270
Review-Url: https://codereview.chromium.org/2020513003
Cr-Commit-Position: refs/heads/master@{#396475}

[modify] https://crrev.com/e7273e13e246f8de550a4684026707232ffdf4a4/third_party/WebKit/Source/platform/Timer.h
[modify] https://crrev.com/e7273e13e246f8de550a4684026707232ffdf4a4/third_party/WebKit/Source/platform/TimerTest.cpp
May 28 2016
ClusterFuzz has detected this issue as fixed in range 395881:395897.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6545697595981824
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  CHECK failed: delayMs >= 0.0 in web_task_runner_impl.cc
  scheduler::WebTaskRunnerImpl::postDelayedTask
  blink::TimerBase::setNextFireTime
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=395881:395897
Minimized Testcase (0.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95r7qcBp6JBpWrNFwlhh-E7wOx23-I69i7CqEmOqvZCQCk6fqUH9q5iF7dNyTboRq9Xf6_SyXAs9RxTBYmsbkV2q5wN-V3wVjqX6afOQywyhYHsRzoYI_hCJ-e3UCYaQjhcFQXGrwzZb-frYx8oAsK2vHu6lw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 18 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by manoranj...@chromium.org, May 27 2016
Labels: Te-Logged
Owner: alexclarke@chromium.org
Status: Assigned (was: Available)