
Issue 626156

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

Crash in blink::LayoutBox::containingBlockLogicalWidthForContent

Project Member Reported by ClusterFuzz, Jul 6 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5614353135173632

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000030
Crash State:
  blink::LayoutBox::containingBlockLogicalWidthForContent
  blink::LayoutBoxModelObject::updateStickyPositionConstraints
  blink::CompositingInputsUpdater::updateRecursive
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=403806:403830

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv965blgejHWmG5VPH-0Ja7fQLxVSqFT53H8fS_1j4jIGx2dE0WvSmi86wa9SGqP4cnRK8oosafhkIdFqAtmvq5Hfvpw5pZLFI-FdGsbHSQo97q-Wx7O9VYdd2fwI3MuKZ0OHRGvReK3tQ-rIBofAfBPkHFwTbnCkr_PXubP9o5Pt453NECc?testcase_id=5614353135173632


Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: Te-Logged
Owner: flackr@chromium.org
Status: Assigned (was: Available)
From findit tool:

Author: flackr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/6b83939340b453504f8d5d38ba774d4f07324dd5
Time: Tue Jul 05 22:04:11 2016
Lines 637-663, 675-679 of file LayoutBoxModelObject.cpp which potentially caused crash are changed in this cl (frame #4, "blink::LayoutBoxModelObject::updateStickyPositionConstraints").
Minimum distance from crash line to modified line: 0. (file: LayoutBoxModelObject.cpp, crashed on: 642, modified: 642).

Suspected Project: chromium
Suspected Component: Blink>Layout
Cc: chrishtr@chromium.org
Status: Started (was: Assigned)
Looks like the test case makes the HTML element sticky. This attempts to get the containingBlockLogicalWidthForContent of its container, the "LayoutView #document", which has no containing block to measure against.
Patch in review to fix the crash: https://codereview.chromium.org/2130843002
Comment 4 by bugdroid1@chromium.org (Project Member), Jul 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b36f6a3818c30c1d450028cfcd6cf02141642230

commit b36f6a3818c30c1d450028cfcd6cf02141642230
Author: flackr <flackr@chromium.org>
Date: Fri Jul 08 01:29:54 2016

Fix crash with sticky html element.

Making the html element sticky was attempting to resolve the html's container's
padding against its container logical width to remove it from the sticky
region, causing a crash.

BUG=626156
TEST=fast/css/sticky/sticky-html-crash.html

Review-Url: https://codereview.chromium.org/2130843002
Cr-Commit-Position: refs/heads/master@{#404301}

[add] https://crrev.com/b36f6a3818c30c1d450028cfcd6cf02141642230/third_party/WebKit/LayoutTests/fast/css/sticky/sticky-html-crash-expected.txt
[add] https://crrev.com/b36f6a3818c30c1d450028cfcd6cf02141642230/third_party/WebKit/LayoutTests/fast/css/sticky/sticky-html-crash.html
[modify] https://crrev.com/b36f6a3818c30c1d450028cfcd6cf02141642230/third_party/WebKit/Source/core/layout/LayoutBoxModelObject.cpp

Labels: -OS-Mac OS-All
Status: Fixed (was: Started)
Cc: flackr@chromium.org ssamanoori@chromium.org
Issue 626620 has been merged into this issue.

Comment 7 by ClusterFuzz (Project Member), Jul 8 2016

ClusterFuzz has detected this issue as fixed in range 404238:404340.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5614353135173632

Fuzzer: inferno_twister
Job Type: mac_asan_content_shell
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000030
Crash State:
  blink::LayoutBox::containingBlockLogicalWidthForContent
  blink::LayoutBoxModelObject::updateStickyPositionConstraints
  blink::CompositingInputsUpdater::updateRecursive
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=403806:403830
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_content_shell&range=404238:404340

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv965blgejHWmG5VPH-0Ja7fQLxVSqFT53H8fS_1j4jIGx2dE0WvSmi86wa9SGqP4cnRK8oosafhkIdFqAtmvq5Hfvpw5pZLFI-FdGsbHSQo97q-Wx7O9VYdd2fwI3MuKZ0OHRGvReK3tQ-rIBofAfBPkHFwTbnCkr_PXubP9o5Pt453NECc?testcase_id=5614353135173632


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot