!std::isnan(static_cast<double>(value))
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5928882373132288
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  !std::isnan(static_cast<double>(value))
  float clampTo<float, double>
  float blink::narrowPrecisionToFloat<double>
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=353013:353031
Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95OwXAhSxXq7k_dgGn0PztHCB2Gj6GiZn-rKZnd23zEhz3A6r7UmepqdOPKzL3VoC56RKXWeBbGSWUfZpSKcPe2qVPda6LI0IoxWMNxhPdq_JPrEeMf2UIVx-rQeHiEL4vbP7a-VRZysLefxweshwwU8XeOIg?testcase_id=5928882373132288
Minimized testcase contents (fragment as filed):
<style> * { writing-mode: vertical-lr; letter-spacing: 170141183460469231731687303715884105727mm;</style> debug, __v_14, __v_15; print(); </script> <svg> <text x="0" y="20"> description = __f_22;
Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 12 2016
Attached is a minimized testcase. We're getting a NaN through mapRect due to passing in an infinite value.
Aug 15 2016
I don't think we should fix this, or if we do then we should introduce a saturated arithmetic float value for SVG. Internally SVG uses floats for layout. What's happening is we have an "inf" float which ends up becoming a NaN due to simple math, and then we're hitting an assert. We could get an inf value in any number of codepaths in SVG. I think the assert makes sense to have, but the crash is harmless. fs and schenney, do you agree?
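An added example, not Chromium code, illustrating the mechanism described in the comment above at the IEEE-754 level: a stand-in for a clampTo-style narrowing helper with the same `!std::isnan` assert, a rect-mapping style computation that turns an infinite (but non-NaN) input into NaN, and a saturated variant of the kind the comment suggests. All function names are hypothetical.

```cpp
#include <cassert>
#include <cmath>
#include <limits>

// Hypothetical stand-in for a clampTo<float, double>-style helper: narrows a
// double to float, saturating at the float range. Like the helper in the
// crash state it rejects NaN, so a NaN reaching it trips the assert in debug
// builds. That assert, not memory corruption, is the crash in this report.
float clampToFloatOrAssert(double value) {
    assert(!std::isnan(value));
    const double fmax = std::numeric_limits<float>::max();
    if (value > fmax) return std::numeric_limits<float>::max();
    if (value < -fmax) return -std::numeric_limits<float>::max();
    return static_cast<float>(value);
}

// Hypothetical stand-in for a rect-mapping step. No operand is NaN, but a
// single infinite operand combined with itself (inf - inf) or with zero
// (inf * 0) yields NaN under IEEE-754 rules, which is how "simple math" on an
// inf layout value produces the NaN that reaches the assert.
double mappedExtent(double origin, double extent, double scale) {
    return (origin + extent) * scale - origin * scale;
}

bool producesNaN(double origin, double extent, double scale) {
    return std::isnan(mappedExtent(origin, extent, scale));
}

// Saturated variant in the spirit of the thread's suggestion: NaN is folded
// to 0 and infinities stay saturated at the float range, so layout never
// reaches the asserting path. Whether 0 is the right neutral value is a
// design choice, not something this example settles.
float saturatedClampToFloat(double value) {
    if (std::isnan(value)) return 0.0f;
    return clampToFloatOrAssert(value);
}
```

The asserting helper is only ever called with finite or infinite values here; feeding it a NaN directly reproduces the debug-build abort the report describes.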
Aug 15 2016
I certainly agree it's difficult to do something reasonable and useful in these cases. IMHO, what we need to be wary of is this causing actual badness.
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 420372:420465.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5928882373132288
Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  !std::isnan(static_cast<double>(value))
  float clampTo<float, double>
  float blink::narrowPrecisionToFloat<double>
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=353013:353031
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=420372:420465
Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95OwXAhSxXq7k_dgGn0PztHCB2Gj6GiZn-rKZnd23zEhz3A6r7UmepqdOPKzL3VoC56RKXWeBbGSWUfZpSKcPe2qVPda6LI0IoxWMNxhPdq_JPrEeMf2UIVx-rQeHiEL4vbP7a-VRZysLefxweshwwU8XeOIg?testcase_id=5928882373132288
Minimized testcase contents (fragment as filed):
<style> * { writing-mode: vertical-lr; letter-spacing: 170141183460469231731687303715884105727mm;</style> debug, __v_14, __v_15; print(); </script> <svg> <text x="0" y="20"> description = __f_22;
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 1 2016
Labels: Te-Logged M-53
Owner: pdr@chromium.org
Status: Assigned (was: Untriaged)