Issue 661857

Issue metadata

Status: Verified
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




lhs.IsValid() && rhs.IsValid()

Reported by ClusterFuzz, Nov 3 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6030290683428864

Fuzzer: libfuzzer_angle_translator_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  lhs.IsValid() && rhs.IsValid()
  float CheckedMul<float>
  TConstantUnion::mul
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=420312:420423

Minimized Testcase (0.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Q3rL5XLJrxt3hjxpq_QKtVjMV1GD_8cOsKonOC02RLtIf3x5Czs5VqdlreSNRt7GSepH1LEXN0uMc3J9z9sV6LJ3vIGqc4t5CnMSskLtX65YP9gN_lHWU6K5YSrIZgOYNlCHHZ0fTvU89mv6SebbARkE1fg?testcase_id=6030290683428864

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
 
Components: Internals>GPU>ANGLE
Labels: M-55
Owner: jmad...@chromium.org
Status: Assigned (was: Untriaged)
SUSPECTED CHANGELISTS IN CHROMIUM:
====================================
Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Jamie Madill
Project: chromium-angle
Changelist: https://chromium.googlesource.com/angle/angle.git/+/5db69f573c92886cabca590826ee30e20b21c692
Time: Thu Sep 15 16:47:32 2016
The CL last changed line 55 of file ConstantUnion.cpp, which is stack frame 4. 

Author: Jamie Madill
Project: chromium-angle
Changelist: https://chromium.googlesource.com/angle/angle.git/+/5db69f573c92886cabca590826ee30e20b21c692
Time: Thu Sep 15 16:47:32 2016
The CL last changed line 347 of file ConstantUnion.cpp, which is stack frame 5. 

Author: Jamie Madill
Project: chromium-angle
Changelist: https://chromium.googlesource.com/angle/angle.git/+/5db69f573c92886cabca590826ee30e20b21c692
Time: Thu Sep 15 16:47:32 2016
The CL last changed line 1270 of file IntermNode.cpp, which is stack frame 6.

From the above CL list suspecting the below.
Suspect : https://chromium.googlesource.com/angle/angle.git/+/5db69f573c92886cabca590826ee30e20b21c692
jmadill@ : Could you please take a look into this if it's related to your change.

Currently it's affecting the latest Beta (55.0.2883.35).
Labels: Test-Predator-Correct
Labels: -Pri-1 Pri-2
Status: Started (was: Assigned)
Looking... seeing as this is an ASSERT failure on float overflow in constant folding, I think the security impact of this is minimal.
Cc: cwallez@chromium.org jmad...@chromium.org
Owner: oetu...@nvidia.com
Status: Assigned (was: Started)
Olli made the point that we should support inf values in the shader. I don't think this is a good idea, as it doesn't add any value to constant folding, but maybe you could look at it Olli? You should see a minimal repro in the test case added in https://chromium-review.googlesource.com/#/c/407820/. This can trigger an ASSERT in ANGLE.

Comment 5 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by bugdroid1@chromium.org, Nov 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/f1a2aefcd8709340d9fde572e2e516fcda928961

commit f1a2aefcd8709340d9fde572e2e516fcda928961
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Fri Nov 25 11:03:56 2016

Test shader built-in corner cases in constant folding tests

IEEE rules for generating zero or infinity are now checked for the
constant folding of several built-in functions except for the cases
where ESSL 3.00.6 explicitly states that the results are undefined.

BUG= chromium:661857 
TEST=angle_unittests

Change-Id: I2ce427229a5583039694d060ea6db29c5bdace97
Reviewed-on: https://chromium-review.googlesource.com/414370
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

[modify] https://crrev.com/f1a2aefcd8709340d9fde572e2e516fcda928961/src/tests/compiler_tests/ConstantFolding_test.cpp


Comment 7 by bugdroid1@chromium.org, Nov 28 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/efbf5d225196eef3f8d90bd30e7a66b3c4c7b9ec

commit efbf5d225196eef3f8d90bd30e7a66b3c4c7b9ec
Author: jmadill <jmadill@chromium.org>
Date: Mon Nov 28 17:32:50 2016

Roll ANGLE 133a2ec..f1a2aef

https://chromium.googlesource.com/angle/angle.git/+log/133a2ec..f1a2aef

BUG= chromium:660670 , chromium:661857 

TBR=geofflang@chromium.org

TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2536733002
Cr-Commit-Position: refs/heads/master@{#434677}

[modify] https://crrev.com/efbf5d225196eef3f8d90bd30e7a66b3c4c7b9ec/DEPS


Comment 8 by bugdroid1@chromium.org, Nov 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/08d4aa9381d625057ada81de5ac7949fa128c9f4

commit 08d4aa9381d625057ada81de5ac7949fa128c9f4
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Wed Nov 23 16:15:49 2016

Refactor constant folding tests

The constant folding test classes are moved into a separate file in
test_utils. This will enable adding multiple test files that use
constant folding test classes, so that constant folding tests can be
organized better.

TEST=angle_unittests
BUG= chromium:661857 

Change-Id: I00bf25a4b941bdc1364ff5aa9bee2d571e4b0ea0
Reviewed-on: https://chromium-review.googlesource.com/414910
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

[modify] https://crrev.com/08d4aa9381d625057ada81de5ac7949fa128c9f4/src/tests/compiler_tests/ConstantFolding_test.cpp
[modify] https://crrev.com/08d4aa9381d625057ada81de5ac7949fa128c9f4/src/tests/angle_unittests.gypi
[add] https://crrev.com/08d4aa9381d625057ada81de5ac7949fa128c9f4/src/tests/test_utils/ConstantFoldingTest.cpp
[add] https://crrev.com/08d4aa9381d625057ada81de5ac7949fa128c9f4/src/tests/test_utils/ConstantFoldingTest.h


Comment 9 by bugdroid1@chromium.org, Dec 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/17a173972b70030cd2e278c6adac8bcbe40ac78b

commit 17a173972b70030cd2e278c6adac8bcbe40ac78b
Author: geofflang <geofflang@chromium.org>
Date: Tue Dec 06 21:40:50 2016

Roll ANGLE ced53ae..729a9c9

https://chromium.googlesource.com/angle/angle.git/+log/ced53ae..729a9c9

BUG=None,chromium:661857,671280

TBR=cwallez@chromium.org

TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2555763002
Cr-Commit-Position: refs/heads/master@{#436741}

[modify] https://crrev.com/17a173972b70030cd2e278c6adac8bcbe40ac78b/DEPS


Comment 10 by bugdroid1@chromium.org, Dec 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/angle/angle/+/2d73665d48185022fe7ab8218974e5ef3c9e8f2a

commit 2d73665d48185022fe7ab8218974e5ef3c9e8f2a
Author: Olli Etuaho <oetuaho@nvidia.com>
Date: Wed Nov 30 10:37:49 2016

Handle constant folding arithmetic involving infinity

Constant folding arithmetic operations that involve infinity are now
handled correctly in the cases where the result is infinity or zero.
The implementation mostly relies on C++ to implement IEEE float
arithmetic correctly so that unnecessary overhead is avoided.

Constant folding arithmetic operations that result in overflow now
issue a warning but result in infinity. This is not mandated by the
spec but is a reasonable choice since it is the behavior of the
default IEEE rounding mode.

Constant folding arithmetic operations that result in NaN in IEEE will
generate a warning but the NaN is kept. This is also not mandated by
the spec, but is among the allowed behaviors.

There's no special handling for ESSL 1.00. ESSL 1.00 doesn't really
have the concept of NaN, but since it is not feasible to control
generating NaNs at shader run time either way, it should not be a big
issue if constant folding may generate them as well.

TEST=angle_unittests
BUG= chromium:661857 

Change-Id: I06116c6fdd02f224939d4a651e4e62f2fd4c98a8
Reviewed-on: https://chromium-review.googlesource.com/414911
Reviewed-by: Corentin Wallez <cwallez@chromium.org>
Reviewed-by: Jamie Madill <jmadill@chromium.org>
Commit-Queue: Olli Etuaho <oetuaho@nvidia.com>

[modify] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/tests/test_utils/ConstantFoldingTest.h
[modify] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/compiler/translator/IntermNode.cpp
[modify] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/compiler/translator/ConstantUnion.cpp
[add] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/tests/compiler_tests/ConstantFoldingOverflow_test.cpp
[modify] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/tests/compiler_tests/ConstantFolding_test.cpp
[modify] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/tests/angle_unittests.gypi
[add] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/tests/compiler_tests/ConstantFoldingNaN_test.cpp
[modify] https://crrev.com/2d73665d48185022fe7ab8218974e5ef3c9e8f2a/src/tests/test_utils/ConstantFoldingTest.cpp
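
To make the failure mode and the fix policy concrete, here is an added example that is not part of this thread and not ANGLE's code (ANGLE's real CheckedMul and the patch above are not reproduced here). It models a toy constant folder in two ways: first the pre-fix precondition named in the crash state, `lhs.IsValid() && rhs.IsValid()`, which trips as soon as an earlier fold has already produced infinity; then the IEEE-following behaviour the commit message describes, where infinity propagates, finite operands that overflow give infinity with a warning, and a NaN result is kept but warned about. The names `FoldMul`, `FoldChain`, `WouldTripOldAssert` and `FoldStatus` are chosen here, and the constructed input `1e30 * 1e30 * 2.0` stands in for a shader constant expression; it is not the minimized testcase.

```cpp
#include <cmath>
#include <cstddef>
#include <limits>

// Diagnostics a constant folder can attach to a folded expression.
enum class FoldStatus { Ok, Overflowed, ProducedNaN };

struct FoldResult {
    float value;
    FoldStatus status;
};

// Pre-fix behaviour (illustrative, not ANGLE's CheckedMul): every operand
// must already be finite. Once an earlier fold has produced infinity, the
// next fold fails this precondition, which is the ASSERT in the crash state.
bool IsValidOperand(float v) {
    return std::isfinite(v);
}

// Returns true if folding factors[0] * factors[1] * ... left to right would
// hit the pre-fix precondition on a non-finite operand.
bool WouldTripOldAssert(const float* factors, std::size_t n) {
    float acc = factors[0];
    for (std::size_t i = 1; i < n; ++i) {
        if (!IsValidOperand(acc) || !IsValidOperand(factors[i])) {
            return true;  // lhs.IsValid() && rhs.IsValid() would fail here
        }
        acc = acc * factors[i];
    }
    return false;
}

// Post-fix behaviour, following the policy in the commit message: let IEEE
// float arithmetic do the work, propagate infinity, and report (rather than
// abort on) overflow and NaN generation so the caller can emit a warning.
FoldResult FoldMul(float lhs, float rhs) {
    float result = lhs * rhs;
    if (std::isnan(result) && !std::isnan(lhs) && !std::isnan(rhs)) {
        return {result, FoldStatus::ProducedNaN};  // e.g. inf * 0
    }
    if (std::isinf(result) && std::isfinite(lhs) && std::isfinite(rhs)) {
        return {result, FoldStatus::Overflowed};   // finite operands overflowed
    }
    return {result, FoldStatus::Ok};               // includes inf * 2 = inf
}

struct ChainResult {
    float value;
    int overflowWarnings;
    int nanWarnings;
};

// Folds the same left-to-right product with the hardened multiply and counts
// the warnings that would be reported instead of asserting.
ChainResult FoldChain(const float* factors, std::size_t n) {
    ChainResult out{factors[0], 0, 0};
    for (std::size_t i = 1; i < n; ++i) {
        FoldResult r = FoldMul(out.value, factors[i]);
        if (r.status == FoldStatus::Overflowed) ++out.overflowWarnings;
        if (r.status == FoldStatus::ProducedNaN) ++out.nanWarnings;
        out.value = r.value;
    }
    return out;
}

int main() {
    // Constructed input standing in for a shader constant expression such as
    // `const float f = 1e30 * 1e30 * 2.0;` (not the minimized testcase).
    const float kShaderConstants[] = {1e30f, 1e30f, 2.0f};
    const std::size_t n = sizeof(kShaderConstants) / sizeof(kShaderConstants[0]);
    bool oldAsserts = WouldTripOldAssert(kShaderConstants, n);
    ChainResult folded = FoldChain(kShaderConstants, n);
    // Exit 0 when the old precondition would have fired but the hardened
    // folder produced infinity with exactly one overflow warning.
    return (oldAsserts && std::isinf(folded.value) && folded.overflowWarnings == 1) ? 0 : 1;
}
```

The point of the contrast is that the operand-validity precondition turns a defined IEEE result (infinity flowing into the next fold) into a debug-build abort reachable from attacker-supplied shader source, whereas the hardened folder keeps the translator running and degrades to a diagnostic. The example assumes float evaluation at single precision (FLT_EVAL_METHOD 0, as on x86-64 with SSE) so that 1e30 * 1e30 overflows to infinity.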


Comment 11 by bugdroid1@chromium.org, Dec 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/9038bcb2f30582773c59986e9f6c42e656b7679d

commit 9038bcb2f30582773c59986e9f6c42e656b7679d
Author: geofflang <geofflang@chromium.org>
Date: Thu Dec 08 22:35:38 2016

Roll ANGLE b5e997f..dceacf5

https://chromium.googlesource.com/angle/angle.git/+log/b5e997f..dceacf5

BUG= 668028 , 668223 , chromium:661857 

TBR=jmadill@chromium.org

TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2562813002
Cr-Commit-Position: refs/heads/master@{#437368}

[modify] https://crrev.com/9038bcb2f30582773c59986e9f6c42e656b7679d/DEPS


Comment 12 by ClusterFuzz, Dec 9 2016

ClusterFuzz has detected this issue as fixed in range 437362:437409.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6030290683428864

Fuzzer: libfuzzer_angle_translator_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  lhs.IsValid() && rhs.IsValid()
  float CheckedMul<float>
  TConstantUnion::mul
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=420312:420423
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_asan_debug&range=437362:437409

Minimized Testcase (0.67 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Q3rL5XLJrxt3hjxpq_QKtVjMV1GD_8cOsKonOC02RLtIf3x5Czs5VqdlreSNRt7GSepH1LEXN0uMc3J9z9sV6LJ3vIGqc4t5CnMSskLtX65YP9gN_lHWU6K5YSrIZgOYNlCHHZ0fTvU89mv6SebbARkE1fg?testcase_id=6030290683428864

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 13 by ClusterFuzz, Dec 9 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6030290683428864 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Thanks for fixing this Olli!
