Using the per-revision bisect providing the bisect results,
Good build:54.0.2820.0(Revision: 409955).
Bad build: 54.0.2822.0(Revision: 410267).

You are probably looking for a change made after 410207 (known good), but no later than 410208 (first known bad).

CHANGELOG URL:
https://chromium.googlesource.com/chromium/src/+log/821cfdff44025ed7a82d913b21539b1fa8480df9..840adcf880f0246881f171ede42a3f0930743546

From the CL above, assigning the issue to the concern owner 

@mustaq- Could you please check whether this is caused with respect to your change, if not please help us in assigning it to the right owner.

Thanks!

This seems completely unrelated---my CL refactored Blink UseCounting only.

I will now run a local bisect to pinpoint the correct change.

Bisect shows that Revision=410266 works fine. The problem was clearly introduced later on.

When I hit Ctrl-P on the test page on ToT, Chrome in fact crashes. Below is the console dump, looks like an issue with stylue related assumptions:



ASSERTION FAILED: !std::isnan(static_cast<double>(value))
../../third_party/WebKit/Source/wtf/MathExtras.h(283) : LimitType clampTo(ValueType, LimitType, LimitType) [LimitType = float, ValueType = double]
1   0x7f3e43260c37
2   0x7f3e433f7ec7 blink::CSSPrimitiveValue::clampToCSSLengthRange(double)
3   0x7f3e43321a96
4   0x7f3e432d27f3
5   0x7f3e43310df5 blink::InvalidatableInterpolation::applyStack(WTF::Vector<WTF::RefPtr<blink::Interpolation>, 1ul, WTF::PartitionAllocator> const&, blink::InterpolationEnvironment&)
6   0x7f3e43585762
7   0x7f3e43580d9e blink::StyleResolver::applyAnimatedProperties(blink::StyleResolverState&, blink::Element const*)
8   0x7f3e4357f948 blink::StyleResolver::styleForElement(blink::Element*, blink::ComputedStyle const*, blink::StyleSharingBehavior, blink::RuleMatchingBehavior)
9   0x7f3e442fabd2 blink::SVGElement::customStyleForLayoutObject()
10  0x7f3e436683ef blink::Element::styleForLayoutObject()
11  0x7f3e4366934a blink::Element::recalcOwnStyle(blink::StyleRecalcChange)
12  0x7f3e43668d18 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
13  0x7f3e435bccae blink::ContainerNode::recalcDescendantStyles(blink::StyleRecalcChange)
14  0x7f3e43668e50 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
15  0x7f3e435bccae blink::ContainerNode::recalcDescendantStyles(blink::StyleRecalcChange)
16  0x7f3e43668e50 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
17  0x7f3e435f61a2 blink::Document::updateStyle()
18  0x7f3e435f23d3 blink::Document::updateStyleAndLayoutTree()
19  0x7f3e439fa28a blink::FrameView::performPreLayoutTasks()
20  0x7f3e439f82f8 blink::FrameView::layout()
21  0x7f3e43a04c34 blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal()
22  0x7f3e43a0331e blink::FrameView::updateStyleAndLayoutIfNeededRecursive()
23  0x7f3e43a02333 blink::FrameView::updateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState)
24  0x7f3e43a02b12 blink::FrameView::updateAllLifecyclePhasesExceptPaint()
25  0x7f3e4439df73 blink::SVGImage::drawInternal(SkCanvas*, SkPaint const&, blink::FloatRect const&, blink::FloatRect const&, blink::RespectImageOrientationEnum, blink::Image::ImageClampingMode, blink::KURL const&)
26  0x7f3e4439db10 blink::SVGImage::drawForContainer(SkCanvas*, SkPaint const&, blink::FloatSize, float, blink::FloatRect const&, blink::FloatRect const&, blink::KURL const&)
27  0x7f3e443a2b07
28  0x7f3e4d7ac87c blink::GraphicsContext::drawImage(blink::Image*, blink::FloatRect const&, blink::FloatRect const*, SkXfermode::Mode, blink::RespectImageOrientationEnum)
29  0x7f3e4d7aca8d blink::GraphicsContext::drawImageRRect(blink::Image*, blink::FloatRoundedRect const&, blink::FloatRect const&, SkXfermode::Mode, blink::RespectImageOrientationEnum)
30  0x7f3e441f33b2
31  0x7f3e441f1071
Received signal 4 ILL_ILLOPN 7f3e43260c37
#0 0x7f3e5bc8844e base::debug::StackTrace::StackTrace()
#1 0x7f3e5bc87f8f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f3e5c0c4330 <unknown>
#3 0x7f3e43260c37 clampTo<>()
#4 0x7f3e433f7ec7 blink::CSSPrimitiveValue::clampToCSSLengthRange()
#5 0x7f3e43321a96 blink::LengthInterpolationFunctions::createLength()
#6 0x7f3e432d27f3 blink::CSSLengthInterpolationType::apply()
#7 0x7f3e43310df5 blink::InvalidatableInterpolation::applyStack()
#8 0x7f3e43585762 blink::StyleResolver::applyAnimatedProperties<>()
#9 0x7f3e43580d9e blink::StyleResolver::applyAnimatedProperties()
#10 0x7f3e4357f948 blink::StyleResolver::styleForElement()
#11 0x7f3e442fabd2 blink::SVGElement::customStyleForLayoutObject()
#12 0x7f3e436683ef blink::Element::styleForLayoutObject()
#13 0x7f3e4366934a blink::Element::recalcOwnStyle()
#14 0x7f3e43668d18 blink::Element::recalcStyle()
#15 0x7f3e435bccae blink::ContainerNode::recalcDescendantStyles()
#16 0x7f3e43668e50 blink::Element::recalcStyle()
#17 0x7f3e435bccae blink::ContainerNode::recalcDescendantStyles()
#18 0x7f3e43668e50 blink::Element::recalcStyle()
#19 0x7f3e435f61a2 blink::Document::updateStyle()
#20 0x7f3e435f23d3 blink::Document::updateStyleAndLayoutTree()
#21 0x7f3e439fa28a blink::FrameView::performPreLayoutTasks()
#22 0x7f3e439f82f8 blink::FrameView::layout()
#23 0x7f3e43a04c34 blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal()
#24 0x7f3e43a0331e blink::FrameView::updateStyleAndLayoutIfNeededRecursive()
#25 0x7f3e43a02333 blink::FrameView::updateLifecyclePhasesInternal()
#26 0x7f3e43a02b12 blink::FrameView::updateAllLifecyclePhasesExceptPaint()
#27 0x7f3e4439df73 blink::SVGImage::drawInternal()
#28 0x7f3e4439db10 blink::SVGImage::drawForContainer()
#29 0x7f3e443a2b07 blink::SVGImageForContainer::draw()
#30 0x7f3e4d7ac87c blink::GraphicsContext::drawImage()
#31 0x7f3e4d7aca8d blink::GraphicsContext::drawImageRRect()
#32 0x7f3e441f33b2 blink::(anonymous namespace)::paintFastBottomLayer()
#33 0x7f3e441f1071 blink::BoxPainter::paintFillLayer()
#34 0x7f3e441f0dea blink::BoxPainter::paintFillLayers()
#35 0x7f3e441f096c blink::BoxPainter::paintBackground()
#36 0x7f3e441efe71 blink::BoxPainter::paintBoxDecorationBackgroundWithRect()
#37 0x7f3e441ef9aa blink::BoxPainter::paintBoxDecorationBackground()
#38 0x7f3e43ef8925 blink::LayoutBox::paintBoxDecorationBackground()
#39 0x7f3e441dde3d blink::BlockPainter::paintObject()
#40 0x7f3e43eb32a5 blink::LayoutBlock::paintObject()
#41 0x7f3e441dd4cc blink::BlockPainter::paint()
#42 0x7f3e43eb3225 blink::LayoutBlock::paint()
#43 0x7f3e44224689 blink::ObjectPainter::paintAllPhasesAtomically()
#44 0x7f3e441ddd55 blink::BlockPainter::paintInlineBox()
#45 0x7f3e4405ab5c blink::InlineBox::paint()
#46 0x7f3e44209910 blink::InlineFlowBoxPainter::paint()
#47 0x7f3e4406105f blink::InlineFlowBox::paint()
#48 0x7f3e4426cda4 blink::RootInlineBoxPainter::paint()
#49 0x7f3e44078d1f blink::RootInlineBox::paint()
#50 0x7f3e44214765 blink::LineBoxListPainter::paint()
#51 0x7f3e441dcf4a blink::BlockFlowPainter::paintContents()
#52 0x7f3e441de461 blink::BlockPainter::paintObject()
#53 0x7f3e43eb32a5 blink::LayoutBlock::paintObject()
#54 0x7f3e441dd566 blink::BlockPainter::paint()
#55 0x7f3e43eb3225 blink::LayoutBlock::paint()
#56 0x7f3e441ddafa blink::BlockPainter::paintChild()
#57 0x7f3e441dda4b blink::BlockPainter::paintChildren()
#58 0x7f3e43eb3265 blink::LayoutBlock::paintChildren()
#59 0x7f3e441de6e1 blink::BlockPainter::paintContents()
#60 0x7f3e441de4c1 blink::BlockPainter::paintObject()
#61 0x7f3e43eb32a5 blink::LayoutBlock::paintObject()
  r8: 00007f3e3cf45a40  r9: 00007f3e43d7e37c r10: 00007f3e49fbcbe0 r11: 0000000000000000
 r12: 00007f3e5cb0c50c r13: 00007ffd116c9fd0 r14: 0000000000000000 r15: 52685a3d6690df00
  di: 0000000000000000  si: 00000000efcdab90  bp: 00007ffd116b74d0  bx: 52685a3d6690df00
  dx: 0000000000000000  ax: 52685a3d6690df00  cx: 52685a3d6690df00  sp: 00007ffd116b74c0
  ip: 00007f3e43260c37 efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000000
 trp: 0000000000000006 msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]
[21249:21249:0926/114724:WARNING:url_request_context_getter.cc(43)] URLRequestContextGetter leaking due to no owning thread.

The bug didn't repro while using the bisect script:
 python tools/bisect-builds.py -a linux64 -g 410266 -b 420887 --use-local-cache -- --no-first-run --user-data-dir=/tmp

The crash dump in #3 above points to a bug is CSS length interpolation. Assigning to alancutter@ who recently changed a related the code. alancutter@, could you please look into it? Or find someone who knows this code?

Any chance the NaN causing the crash is somehow related to using approximation when comparing length (crrev.com/2366823003)?

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1ad339d4e001d04db7f63a1d0daa3cb17b5bac64

commit 1ad339d4e001d04db7f63a1d0daa3cb17b5bac64
Author: alancutter <alancutter@chromium.org>
Date: Tue Sep 27 07:34:26 2016

Avoid SVG viewport bug for CSS length animations that don't use viewport units

This change optimises LengthInterpolationFunctions::createLength() to skip
processing units whose corresponding values are zero. This avoids the
nanification of Length for the majority of CSS length animations that don't
use viewport units in SVG images.

See  crbug.com/650147  for further details on nan viewport units in SVG images.

BUG= 650147 , 650216 

Review-Url: https://codereview.chromium.org/2370783003
Cr-Commit-Position: refs/heads/master@{#421137}

[add] https://crrev.com/1ad339d4e001d04db7f63a1d0daa3cb17b5bac64/third_party/WebKit/LayoutTests/svg/animations/img-tag-css-length-animation-crash.html
[modify] https://crrev.com/1ad339d4e001d04db7f63a1d0daa3cb17b5bac64/third_party/WebKit/Source/core/animation/LengthInterpolationFunctions.cpp

Manually build beta 54 branch point 1ae106dbab4bddd85132d5b75c670794311f4c57, was not able to repro crash.
Able to repro crash in dev 55, bug regressed in M55.
Confirmed this is fixed on ToT after https://codereview.chromium.org/2370783003 landed.

Tested this issue on Windows-10 and Mac OS 10.12 using chrome latest Dev #55.0.2880.0 and Ubuntu 14.04 using chrome Dev #55.0.2879.0 by following steps mentioned in the original comment. Still observing a blank preview page while hitting Ctrl+P on chrome://local-state.

Deleted: 650216.mp4 2.7 MB

	650216.mp4 2.7 MB View Download

I'm unable to repro using Chrome 55.0.2873.0 dev on Ubuntu.

I suspect the !isnan assertion failure above was co-incidentally triggered by this page and is unrelated to the actual bug.

Passing on to print preview as I'm unable to repro this locally.

Deleted: Screenshot from 2016-10-05 11:14:03.png 149 KB

	Screenshot from 2016-10-05 11:14:03.png 149 KB View Download

I cannot reproduce this with official build 55.0.2873.0 on Linux.

I tried Chromium r410267 as well and it worked fine.

Maybe if we can get a consistent repro, we can continue looking at this.

jshanbal@ are you still able to reproduce ? Please test and update in latest - Canary, Beta and Stable.

With response to comment #13, above issue is still reproducible on latest canary version: 55.0.2882.0, Beta version 54.0.2840.51 and not seen on Stable version 53.0.2785.143  

Moving to M55, will wait until we have a consistent repro.

Able to reproduce this issue on Windows 10 and Ununtu 14.04 with chrome beta 55.0.2883.44

Unable to reproduce this issue on mac 10.12.1 with beta 55.0.2883.44

could anyone from dev team will look into this issue.

Just to update, issue is still observed on Canary build 57.0.2926.0 and Dev build 56.0.2924.3. Issue is tagged with a M55 milestone and M55 is set to be launched to stable soon. Can we have an update on this.

Thanks.!

Just to update the latest behavior of the bug, Issue is still observed on chrome latest Canary M57-57.0.2939.0
Anyone from dev team would let us know, is there any recent update available on this issue?

Thanks!!

This happens if any of the values in the local state are particularly long, which is why it does not reproduce perfectly (every user's local state will be slightly different). If you download the page and remove any excessively long strings, the print preview will show up. This will actually happen for any page with really long strings like this, so I have attached a small test case (bug_650216.html) that reproduces the issue for me consistently on Linux.

A fix for this is the attached CSS file that indicates text should be wrapped when printing. Have also attached a sample html file that has identical content to the test case but will print correctly because it includes the css file (bug_650216_fixed.html).

Also, this looks like the same root problem as  http://crbug.com/607479 .

Deleted: bug_650216.html 7.9 KB

bug_650216.html 7.9 KB View Download

Deleted: bug_650216_fix.html 8.0 KB

bug_650216_fix.html 8.0 KB View Download

Deleted: bug_650216_fix.css 90 bytes

bug_650216_fix.css 90 bytes View Download

No longer reproduces on Windows or Linux as of 60.0.3112.90. Looks like the layout behavior has changed, since the simplified test case above also does not result in a blank preview. Closing this for now as it seems like it is fixed, but can re-open if this is still an issue.