From findit tool:

The result is a list of CLs that change the crashed files.

Author: robhogan
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b69173bcab740a91977294f1dc2f024b398cebf5
Time: Wed Aug 03 01:12:34 2016
Lines 1007 of file LayoutTableSection.cpp which potentially caused crash are changed in this cl (frame #1, "content_shell!blink::LayoutTableSection::layoutRows+0x1fc").

File LayoutTable.cpp is changed in this cl (and is part of stack frame #2, "content_shell!blink::LayoutTable::layout+0x582")
Minimum distance from crash line to modified line: 0. (file: LayoutTableSection.cpp, crashed on: 1004, modified: 1004).

Suspected Project: chromium
Suspected Component: Blink>Layout

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5142108291989504

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000024
Crash State:
  blink::LayoutTableSection::layoutRows
  blink::LayoutTable::layout
  blink::LayoutDeprecatedFlexibleBox::layoutHorizontalBox
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=409223:409418

Minimized Testcase (45.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97grEb_vV1-qpzzU8KKjgF6HydO37Flbm44Ddw4kx7-e49Bx6w0ws1YL3kNx8Ql7wXjyTCRsw9bFQuZRGhoVwO3QARrs3D4etkiR_N1VZ5pjyGNrVVkW5lT0Uwp0jH00_tuKSdBSK9geeN1jh7L3BLulPc7Zu_Uj3JkBqtaP9794JdA-nY?testcase_id=5142108291989504

Filer: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Issue 634540 has been merged into this issue.

Users experienced this crash on the following builds:

Win Canary 54.0.2819.0 -  1.19 CPM, 11 reports, 5 clients (signature blink::LayoutTableSection::layoutRows)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3d5361e0f6ff60c6e79d77b73dff07692ef1848a

commit 3d5361e0f6ff60c6e79d77b73dff07692ef1848a
Author: robhogan <robhogan@gmail.com>
Date: Sat Aug 06 14:36:21 2016

Make sure there's a table header before attempting to account for its offset

Fix an error introduced by https://codereview.chromium.org/2199553002

BUG= 634155 

Review-Url: https://codereview.chromium.org/2214093002
Cr-Commit-Position: refs/heads/master@{#410264}

[add] https://crrev.com/3d5361e0f6ff60c6e79d77b73dff07692ef1848a/third_party/WebKit/LayoutTests/fragmentation/no-repeating-thead-no-crash-expected.txt
[add] https://crrev.com/3d5361e0f6ff60c6e79d77b73dff07692ef1848a/third_party/WebKit/LayoutTests/fragmentation/no-repeating-thead-no-crash.html
[modify] https://crrev.com/3d5361e0f6ff60c6e79d77b73dff07692ef1848a/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp

ClusterFuzz has detected this issue as fixed in range 410263:410265.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5142108291989504

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000024
Crash State:
  blink::LayoutTableSection::layoutRows
  blink::LayoutTable::layout
  blink::LayoutDeprecatedFlexibleBox::layoutHorizontalBox
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=409223:409418
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=410263:410265

Minimized Testcase (45.72 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97grEb_vV1-qpzzU8KKjgF6HydO37Flbm44Ddw4kx7-e49Bx6w0ws1YL3kNx8Ql7wXjyTCRsw9bFQuZRGhoVwO3QARrs3D4etkiR_N1VZ5pjyGNrVVkW5lT0Uwp0jH00_tuKSdBSK9geeN1jh7L3BLulPc7Zu_Uj3JkBqtaP9794JdA-nY?testcase_id=5142108291989504

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/67a748b079a7152ba7d508a3499a14ce5160054c

commit 67a748b079a7152ba7d508a3499a14ce5160054c
Author: Robert Hogan <robhogan@gmail.com>
Date: Sun Sep 25 18:00:47 2016

Make sure there's a table header before attempting to account for its offset

Fix an error introduced by https://codereview.chromium.org/2199553002

BUG= 634155 

Review-Url: https://codereview.chromium.org/2214093002
Cr-Commit-Position: refs/heads/master@{#410264}
(cherry picked from commit 3d5361e0f6ff60c6e79d77b73dff07692ef1848a)

Review URL: https://codereview.chromium.org/2368843002 .

Cr-Commit-Position: refs/branch-heads/2785@{#928}
Cr-Branched-From: 68623971be0cfc492a2cb0427d7f478e7b214c24-refs/heads/master@{#403382}

[add] https://crrev.com/67a748b079a7152ba7d508a3499a14ce5160054c/third_party/WebKit/LayoutTests/fragmentation/no-repeating-thead-no-crash-expected.txt
[add] https://crrev.com/67a748b079a7152ba7d508a3499a14ce5160054c/third_party/WebKit/LayoutTests/fragmentation/no-repeating-thead-no-crash.html
[modify] https://crrev.com/67a748b079a7152ba7d508a3499a14ce5160054c/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp

This bug is reported for M54 but got merged to M53 Stable without Merge Request and Approval.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot