Assigning to the concern owner from find it results --
The result is a list of CLs that change the crashed files. 

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/506506eac78a8106c4e92866a59b8c724ddc8b88
Time: Fri Dec 02 11:50:25 2016
Lines 1622-1632, 2093 of file LayoutBlockFlow.cpp which potentially caused crash are changed in this cl (frame #4, "blink::LayoutBlockFlow::adjustedMarginBeforeForPagination"; frame #5, "blink::LayoutBlockFlow::estimateLogicalTopPosition").
Minimum distance from crash line to modified line: 0. (file: LayoutBlockFlow.cpp, crashed on: 2093, modified: 2093).

@mstensho -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

If you rerun the fuzzer (it's almost 2 weeks old), does it still reproduce? If not, I guess it's a dup of  bug 670902 .

Never mind. This still fails. Attaching test case without designMode.

Deleted: tc.html 292 bytes

tc.html 292 bytes View Download

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cf39aa8ec1f314d198a3caa12922c254e49d1e7c

commit cf39aa8ec1f314d198a3caa12922c254e49d1e7c
Author: mstensho <mstensho@opera.com>
Date: Tue Jan 17 07:21:36 2017

Try to avoid working on zero-height column sets, when possible.

We may end up with an empty column set between two column spanners, if there is
zero-height column content "separating" them.

We typically have no business inside a zero-height column set, since
fragmentation is impossible there. Fragmentation requires a positive
fragmentainer block size to ensure content progression. So keep looking for a
column set that has a height, and use that one instead, as long as its flow
thread start offset is the same as the one we were requested to map to a
column set.

BUG= 675100 

Review-Url: https://codereview.chromium.org/2631013002
Cr-Commit-Position: refs/heads/master@{#443998}

[add] https://crrev.com/cf39aa8ec1f314d198a3caa12922c254e49d1e7c/third_party/WebKit/LayoutTests/fast/multicol/span/empty-block-between-spanners.html
[add] https://crrev.com/cf39aa8ec1f314d198a3caa12922c254e49d1e7c/third_party/WebKit/LayoutTests/fast/multicol/span/empty-block-with-bottom-margin-between-spanners.html
[modify] https://crrev.com/cf39aa8ec1f314d198a3caa12922c254e49d1e7c/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp

ClusterFuzz has detected this issue as fixed in range 443991:443998.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4987459042803712

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset
  blink::LayoutBox::pageRemainingLogicalHeightForOffset
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=435881:435933
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=443991:443998

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94biLD1WaexJ7opW_2mnIg69-NXZDZPx2sJiqDcTdO6krRGOAaKKYzHUbpBU2puNNDEmo7Vo-DI1LMYVYOq_TnytOnzuPLKzJYTylpCPKi8uFI-GHgJVUmMEXe18B_UCG8oZoDgll-haJaAdtSMvyZc0sM66g?testcase_id=4987459042803712
<style>.shadow {
    -webkit-column-span: all;
    }
body {
    -webkit-column-width: 5em;
</style><script>
function fuzz() {
document.designMode = 'on';
  document.execCommand("selectAll");
  document.execCommand("Indent");
  document.execCommand("FormatBlock",false,"article");
}
 setTimeout(fuzz); </script><ul>Link1<li class="shadow"</li>
	</ul>
	 id="divid">


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.