IsValid() in safe_math.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6730225481416704

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  IsValid() in safe_math.h
  gfx::Size::GetArea
  cc::ResourcePool::TryAcquireResourceForPartialRaster

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=416466:416526

Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94A6oKw_OcfchLWt7dFeyOmRIru5Nw8jCSBb1DO4C6-aKT_54agNHPuP8r_bV-Vo70WQjh73CLb6XcJfwvS-2FCUTRTQibNNR-W6r14EfjJpaOHDdVeTPf95mQZWV3y7fx2h3_-MJTTl62zvQVM_acWE4EW0A?testcase_id=6730225481416704

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 23 2016
[mac triage]

From the test case - maybe an SVG thing? Maybe https://codereview.chromium.org/2303703002 (fs)

From the stack - maybe a compositor thing? https://codereview.chromium.org/2307143002 (pdr)

[16587:23811:1116/073841:FATAL:safe_math.h(89)] Check failed: IsValid().
0 Chromium Framework 0x000000025a6f7870 _ZN4base5debug10StackTraceC1Ev + 32
1 Chromium Framework 0x000000025a76675f _ZN7logging10LogMessageD2Ev + 415
2 Chromium Framework 0x000000025c23507c _ZNK3gfx4Size7GetAreaEv + 332
3 Chromium Framework 0x000000025f2c6237 _ZN2cc12ResourcePool34TryAcquireResourceForPartialRasterEyRKN3gfx4RectEyPS2_ + 1623
4 Chromium Framework 0x000000025f3d79e4 _ZN2cc11TileManager16CreateRasterTaskERKNS_15PrioritizedTileERKN3gfx10ColorSpaceE + 580
5 Chromium Framework 0x000000025f3d1515 _ZN2cc11TileManager13ScheduleTasksERKNS0_25PrioritizedWorkToScheduleE + 1957
6 Chromium Framework 0x000000025f3cdfce _ZN2cc11TileManager12PrepareTilesERKNS_34GlobalStateThatImpactsTilePriorityE + 2174
7 Chromium Framework 0x000000025f450666 _ZN2cc17LayerTreeHostImpl12PrepareTilesEv + 182
8 Chromium Framework 0x000000025f564f34 _ZN2cc9ProxyImpl27ScheduledActionPrepareTilesEv + 372
9 Chromium Framework 0x000000025f33f7fc _ZN2cc9Scheduler23ProcessScheduledActionsEv + 2316
10 Chromium Framework 0x000000025f33e9fc _ZN2cc9Scheduler24OnBeginImplFrameDeadlineEv + 444
11 Chromium Framework 0x000000025a6f8f5c _ZN4base5debug13TaskAnnotator7RunTaskEPKcPNS_11PendingTaskE + 892
12 Chromium Framework 0x000000025a79b7b5 _ZN4base11MessageLoop7RunTaskEPNS_11PendingTaskE + 1909
Nov 23 2016
Nov 23 2016
ClusterFuzz has detected this issue as fixed in range 433469:433471.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6730225481416704

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: CHECK failure
Crash Address:
Crash State:
  IsValid() in safe_math.h
  gfx::Size::GetArea
  cc::ResourcePool::TryAcquireResourceForPartialRaster

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=416466:416526
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=433469:433471

Minimized Testcase (1.12 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94A6oKw_OcfchLWt7dFeyOmRIru5Nw8jCSBb1DO4C6-aKT_54agNHPuP8r_bV-Vo70WQjh73CLb6XcJfwvS-2FCUTRTQibNNR-W6r14EfjJpaOHDdVeTPf95mQZWV3y7fx2h3_-MJTTl62zvQVM_acWE4EW0A?testcase_id=6730225481416704

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 23 2016
https://codereview.chromium.org/2303703002 isn't in the regression range (even though it was initially landed in 416472, it was reverted in 416498, making it a no-op in the designated range.)

When the HTML parser has processed that garbled mess, there's neither any <svg> nor any filter in the TC.

Based on the failure mode, it could be related to the second <marquee>, which has a very wide scrolling part (because of the INT_MAX border.) That area (33554400x608 or so) would cause GetArea() to overflow.

Not seeing anything obvious in the changelog.
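As an added illustration of the failure mode described in the comment above (this is example code written for this page, not code from the Chromium tree): gfx::Size::GetArea() computes width times height through base's checked arithmetic, and the CHECK on IsValid() in safe_math.h fires when the product does not fit in an int. The helper below reproduces that arithmetic with compiler-checked multiplication and shows how a caller can refuse an unrepresentable size instead of crashing. The function names CheckedArea, WideArea and SizeIsAllocatable, and the 256x256 and 33554400x608 inputs, are assumptions made for the example.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>
#include <optional>

// Added example, not Chromium code. Mimics what gfx::Size::GetArea() does
// through base::CheckedNumeric<int>: the product width * height is only
// "valid" if it fits in an int. Here an invalid result is reported as
// std::nullopt instead of tripping CHECK(IsValid()).
std::optional<int> CheckedArea(int width, int height) {
  int area = 0;
  // __builtin_mul_overflow (GCC/Clang) returns true when the exact
  // product does not fit in the destination type.
  if (__builtin_mul_overflow(width, height, &area)) {
    return std::nullopt;
  }
  return area;
}

// The exact product in 64 bits, to show how far past INT_MAX a
// pathological layout size goes. Plain int multiplication would be
// undefined behaviour on overflow, which is why the widened form is used.
int64_t WideArea(int width, int height) {
  return static_cast<int64_t>(width) * static_cast<int64_t>(height);
}

// The check a caller such as a resource allocator would want before
// asking for a buffer: reject negative dimensions and any size whose
// area cannot be represented, rather than crashing on the CHECK.
bool SizeIsAllocatable(int width, int height) {
  if (width < 0 || height < 0) return false;
  return CheckedArea(width, height).has_value();
}

int main() {
  // Constructed inputs: an ordinary 256x256 tile and the roughly
  // 33554400x608 marquee scroll area described in the comment above.
  const int sizes[][2] = {{256, 256}, {33554400, 608}};
  for (const auto& s : sizes) {
    std::optional<int> area = CheckedArea(s[0], s[1]);
    if (area) {
      std::printf("%dx%d: area %d fits in int\n", s[0], s[1], *area);
    } else {
      std::printf("%dx%d: exact area %lld exceeds INT_MAX (%d); "
                  "CheckedNumeric would be invalid\n",
                  s[0], s[1],
                  static_cast<long long>(WideArea(s[0], s[1])), INT_MAX);
    }
  }
  return 0;
}
```

Compile with a C++17 compiler (GCC or Clang, for std::optional and the overflow builtin). The point of the widened WideArea() is only to print the magnitude; in the real code path the checked multiply is what turns a layout-driven size into a deterministic CHECK rather than a wrapped, undersized allocation.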
Nov 23 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ajha@chromium.org, Nov 18 2016