flowThreadOffset.mightBeSaturated() || pageLogicalTopForOffset(flowThreadOffset)
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6725427813154816

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  flowThreadOffset.mightBeSaturated() || pageLogicalTopForOffset(flowThreadOffset)
  blink::LayoutMultiColumnSet::nextLogicalTopForUnbreakableContent
  blink::LayoutFlowThread::nextLogicalTopForUnbreakableContent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=361738:361835

Minimized Testcase (1.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96yFIkhA1ZDPDdS8x2M9nXAApV7aP44uqOhSTixws7f9uXGE6S1-c1E3beH6CmM3drIZOdn23h02ycjqKouz1ZDzGYXLmxlrX0j5YQLjpKFK-IlnBS3XeLDq5tFeyVoZVSAbScUOZ3M42gXnZGDEyx2XKhFOg?testcase_id=6725427813154816

<!DOCTYPE html>
<style>
.c6 { visibility: inherit; -webkit-column-span: all; }
.c7 { display: run-in; padding-top: 100%; }
.c11 { display: inline-table; vertical-align: super; }
.c11[class$="c11"] { position: inherit; border-style: outset; }
.c15 { display: -webkit-flexbox; float: right; zoom: 0.01;45deg); }
.c15[class~="c15"] { overflow: scroll; -webkit-column-width: 100px;</style>
<script>
var nodes = Array();
var text = Array();
nodes[9] = document.createElement('abbr');
nodes[9].setAttribute('class', 'c15');
document.documentElement.appendChild(nodes[9]);
nodes[25] = document.createElement('p');
nodes[25].setAttribute('class', 'c7');
nodes[9].appendChild(nodes[25]);
nodes[76] = document.createElement('hgroup');
nodes[94] = document.createElement('hr');
nodes[94].setAttribute('class', 'c6');
nodes[97] = document.createElement('cite');
nodes[97].setAttribute('class', 'c11');
text[19] = document.createTextNode('mxirmvkewrwysalbevohcpctsneiswwmbkmzgv');
nodes[25].appendChild(nodes[76]);
nodes[76].appendChild(nodes[97]);
nodes[76].appendChild(nodes[94]);
nodes[76].appendChild(text[19]);
</script>

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 5 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 9 2016
Reproduced.
Aug 10 2016
Aug 10 2016
Aug 11 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bd5569ad477b5137724faa937a8bc894f8335f07

commit bd5569ad477b5137724faa937a8bc894f8335f07
Author: mstensho <mstensho@opera.com>
Date: Thu Aug 11 16:32:29 2016

Need to roll back the multicol machinery state when re-laying out a block child.

If a block child contains a column spanner, and we need to re-lay it out because the initial logical top estimate turned out to be wrong, we need to roll back to the first column set that "contains" the block child. Otherwise, LayoutMultiColumnFlowThread::columnSetAtBlockOffset() may return the wrong column set.

BUG= 633411
Review-Url: https://codereview.chromium.org/2231383002
Cr-Commit-Position: refs/heads/master@{#411352}

[add] https://crrev.com/bd5569ad477b5137724faa937a8bc894f8335f07/third_party/WebKit/LayoutTests/fast/multicol/span/padding-before-unbreakable-content-crash-expected.txt
[add] https://crrev.com/bd5569ad477b5137724faa937a8bc894f8335f07/third_party/WebKit/LayoutTests/fast/multicol/span/padding-before-unbreakable-content-crash.html
[modify] https://crrev.com/bd5569ad477b5137724faa937a8bc894f8335f07/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
[modify] https://crrev.com/bd5569ad477b5137724faa937a8bc894f8335f07/third_party/WebKit/Source/core/layout/LayoutFlowThread.h
[modify] https://crrev.com/bd5569ad477b5137724faa937a8bc894f8335f07/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp
[modify] https://crrev.com/bd5569ad477b5137724faa937a8bc894f8335f07/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.h
Aug 11 2016
Aug 13 2016
ClusterFuzz has detected this issue as fixed in range 411340:411371.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6725427813154816

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  flowThreadOffset.mightBeSaturated() || pageLogicalTopForOffset(flowThreadOffset)
  blink::LayoutMultiColumnSet::nextLogicalTopForUnbreakableContent
  blink::LayoutFlowThread::nextLogicalTopForUnbreakableContent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=361738:361835
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=411340:411371

Minimized Testcase (1.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96yFIkhA1ZDPDdS8x2M9nXAApV7aP44uqOhSTixws7f9uXGE6S1-c1E3beH6CmM3drIZOdn23h02ycjqKouz1ZDzGYXLmxlrX0j5YQLjpKFK-IlnBS3XeLDq5tFeyVoZVSAbScUOZ3M42gXnZGDEyx2XKhFOg?testcase_id=6725427813154816

<!DOCTYPE html>
<style>
.c6 { visibility: inherit; -webkit-column-span: all; }
.c7 { display: run-in; padding-top: 100%; }
.c11 { display: inline-table; vertical-align: super; }
.c11[class$="c11"] { position: inherit; border-style: outset; }
.c15 { display: -webkit-flexbox; float: right; zoom: 0.01;45deg); }
.c15[class~="c15"] { overflow: scroll; -webkit-column-width: 100px;</style>
<script>
var nodes = Array();
var text = Array();
nodes[9] = document.createElement('abbr');
nodes[9].setAttribute('class', 'c15');
document.documentElement.appendChild(nodes[9]);
nodes[25] = document.createElement('p');
nodes[25].setAttribute('class', 'c7');
nodes[9].appendChild(nodes[25]);
nodes[76] = document.createElement('hgroup');
nodes[94] = document.createElement('hr');
nodes[94].setAttribute('class', 'c6');
nodes[97] = document.createElement('cite');
nodes[97].setAttribute('class', 'c11');
text[19] = document.createTextNode('mxirmvkewrwysalbevohcpctsneiswwmbkmzgv');
nodes[25].appendChild(nodes[76]);
nodes[76].appendChild(nodes[97]);
nodes[76].appendChild(nodes[94]);
nodes[76].appendChild(text[19]);
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 19 2016
ClusterFuzz has detected this issue as fixed in range 411340:411371.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6725427813154816

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  flowThreadOffset.mightBeSaturated() || pageLogicalTopForOffset(flowThreadOffset)
  blink::LayoutMultiColumnSet::nextLogicalTopForUnbreakableContent
  blink::LayoutFlowThread::nextLogicalTopForUnbreakableContent

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=361738:361835
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=411340:411371

Minimized Testcase (1.12 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96yFIkhA1ZDPDdS8x2M9nXAApV7aP44uqOhSTixws7f9uXGE6S1-c1E3beH6CmM3drIZOdn23h02ycjqKouz1ZDzGYXLmxlrX0j5YQLjpKFK-IlnBS3XeLDq5tFeyVoZVSAbScUOZ3M42gXnZGDEyx2XKhFOg?testcase_id=6725427813154816

<!DOCTYPE html>
<style>
.c6 { visibility: inherit; -webkit-column-span: all; }
.c7 { display: run-in; padding-top: 100%; }
.c11 { display: inline-table; vertical-align: super; }
.c11[class$="c11"] { position: inherit; border-style: outset; }
.c15 { display: -webkit-flexbox; float: right; zoom: 0.01;45deg); }
.c15[class~="c15"] { overflow: scroll; -webkit-column-width: 100px;</style>
<script>
var nodes = Array();
var text = Array();
nodes[9] = document.createElement('abbr');
nodes[9].setAttribute('class', 'c15');
document.documentElement.appendChild(nodes[9]);
nodes[25] = document.createElement('p');
nodes[25].setAttribute('class', 'c7');
nodes[9].appendChild(nodes[25]);
nodes[76] = document.createElement('hgroup');
nodes[94] = document.createElement('hr');
nodes[94].setAttribute('class', 'c6');
nodes[97] = document.createElement('cite');
nodes[97].setAttribute('class', 'c11');
text[19] = document.createTextNode('mxirmvkewrwysalbevohcpctsneiswwmbkmzgv');
nodes[25].appendChild(nodes[76]);
nodes[76].appendChild(nodes[97]);
nodes[76].appendChild(nodes[94]);
nodes[76].appendChild(text[19]);
</script>

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 19 2016
As per comments #7, 8 and 9, marking the bug as verified. Thank you.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Aug 1 2016
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)