Issue 635511

Issue metadata

Status: Fixed
Closed: Aug 2016
OS: Linux
Pri: 1
Type: Bug


Integer-overflow in cc::PictureLayerTilingSet::ComputeSoonBorderRect

Project Member Reported by ClusterFuzz, Aug 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4610206053171200

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cc::PictureLayerTilingSet::ComputeSoonBorderRect
  cc::PictureLayerTilingSet::UpdatePriorityRects
  cc::PictureLayerTilingSet::UpdateTilePriorities
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=391600:391649

Minimized Testcase (9.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JBdnlM6ERu7R1MsztjazuZkfaGizTfAEKBsRM_1oP8BUBYni6snI66obgeVfZ5VLigJOveFjLekU1VxR6VVhvFhAXiifAdCWk2VfbKr2nBBD-nvZxXhtAaiIVk_APsw6ihiCIcT_-RdiRZp6qvEc-EtEoiA?testcase_id=4610206053171200

Issue manually filed by: ajha

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ajha@chromium.org, Aug 8 2016

Cc: ajha@chromium.org
Components: Internals>Compositing>Rasterization
Labels: Findit-for-crash Te-Logged M-53
Owner: vmp...@chromium.org
Status: Assigned (was: Untriaged)
Findit Result:
===============
Suspected CLs (the result is a list of CLs that change the crashed files):

Author: vmpstr
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/cf1113301b3c251c09ac7f7576b4f98bebf64f25
Time: Wed May 04 21:20:43 2016
Lines 462-488, 494-501, 520-524 of file picture_layer_tiling_set.cc which potentially caused crash are changed in this cl (frame #0, "cc::PictureLayerTilingSet::ComputeSoonBorderRect"; frame #1, "cc::PictureLayerTilingSet::UpdatePriorityRects"; frame #2, "cc::PictureLayerTilingSet::UpdateTilePriorities").

File picture_layer_impl.cc is changed in this cl (and is part of stack frame #3, "cc::PictureLayerImpl::UpdateTiles")
Minimum distance from crash line to modified line: 0. (file: picture_layer_tiling_set.cc, crashed on: 520, modified: 520).

Suspected Project: chromium
Suspected Component: Internals>Compositing>Rasterization

vmpstr@: Could you please take a look at this and help in investigating this further?

Thank you!


Comment 2 by bugdroid1@chromium.org, Aug 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a6aa89c844fa8a2769460131b594382e8347da2b

commit a6aa89c844fa8a2769460131b594382e8347da2b
Author: vmpstr <vmpstr@chromium.org>
Date: Mon Aug 15 23:27:31 2016

cc: Introduce a max ideal contents scale constant.

This patch adds a max ideal contents scale constant set to 10000.f.
This prevents overflow/badness issues that result from a contents scale
that is too large.

R=enne
BUG=633148,635511
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_precise_blink_rel

Review-Url: https://codereview.chromium.org/2252543002
Cr-Commit-Position: refs/heads/master@{#412093}

[modify] https://crrev.com/a6aa89c844fa8a2769460131b594382e8347da2b/cc/layers/picture_layer_impl.cc
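An added C++ illustration of the mitigation that commit message describes (example code, not Chromium's cc code), assuming the overflow arises from scaling integer rect coordinates by an unbounded contents scale: the checked scaling reports an out-of-range result instead of wrapping, and clamping the ideal scale to the 10000.f cap keeps ordinary layer sizes in range. `kMaxIdealContentsScale`, `IntRect`, `ScaleToEnclosingRectChecked` and `ClampIdealContentsScale` are this example's own names.

```cpp
#include <algorithm>
#include <cmath>
#include <limits>

// Hypothetical cap using the 10000.f value from the fix; the name and all
// code below belong to this example, not to cc.
constexpr float kMaxIdealContentsScale = 10000.f;

struct IntRect {
  int x, y, width, height;
};

// The product is computed in double, so the range check happens before any
// narrowing to int can wrap (the condition UBSan reports as integer-overflow).
static bool FitsInInt(double v) {
  return v >= std::numeric_limits<int>::min() &&
         v <= std::numeric_limits<int>::max();
}

// Scale a layer-space rect to contents space, enclosing the scaled edges.
// Returns false when any coordinate or extent would not fit in int.
bool ScaleToEnclosingRectChecked(const IntRect& in, float scale, IntRect* out) {
  const double left = std::floor(static_cast<double>(in.x) * scale);
  const double top = std::floor(static_cast<double>(in.y) * scale);
  // Widen before adding so x + width cannot itself overflow.
  const double right =
      std::ceil((static_cast<double>(in.x) + in.width) * scale);
  const double bottom =
      std::ceil((static_cast<double>(in.y) + in.height) * scale);
  const double width = right - left;
  const double height = bottom - top;
  if (!FitsInInt(left) || !FitsInInt(top) || !FitsInInt(right) ||
      !FitsInInt(bottom) || !FitsInInt(width) || !FitsInInt(height))
    return false;
  *out = {static_cast<int>(left), static_cast<int>(top),
          static_cast<int>(width), static_cast<int>(height)};
  return true;
}

// Bound the scale at its source, as the fix does, so the rect math that
// follows stays in range for ordinary layer sizes.
float ClampIdealContentsScale(float scale) {
  return std::min(scale, kMaxIdealContentsScale);
}
```

The last assertion in the test shows that the cap bounds the scale, not the product, so a sufficiently wide layer still needs the checked conversion to turn a wrap into a detectable failure.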

Comment 3 by vmp...@chromium.org, Aug 15 2016

Status: Fixed (was: Assigned)

Comment 4 by ClusterFuzz, Aug 17 2016

ClusterFuzz has detected this issue as fixed in range 411957:412168.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4610206053171200

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  cc::PictureLayerTilingSet::ComputeSoonBorderRect
  cc::PictureLayerTilingSet::UpdatePriorityRects
  cc::PictureLayerTilingSet::UpdateTilePriorities
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=391600:391649
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=411957:412168

Minimized Testcase (9.58 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JBdnlM6ERu7R1MsztjazuZkfaGizTfAEKBsRM_1oP8BUBYni6snI66obgeVfZ5VLigJOveFjLekU1VxR6VVhvFhAXiifAdCWk2VfbKr2nBBD-nvZxXhtAaiIVk_APsw6ihiCIcT_-RdiRZp6qvEc-EtEoiA?testcase_id=4610206053171200

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
