
Issue 675177

Issue metadata

Status: Verified
Owner:
Closed: Dec 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Float-cast-overflow in cc::MapRectInternal

Reported by ClusterFuzz, Dec 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6108106171088896

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  cc::MapRectInternal
  cc::FilterOperations::MapRect
  cc::RenderSurfaceImpl::DrawableContentRect
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95gQV8lNYf_W7LoR4P408tMIFwpWJeW-02pkm0c-8_sBeSlqTn-sWGNtiJp0hCbh6R7Phxg6PHNkVWCkLJ_kUo9Ij696QxxGgYung5lRBFO43bIF0dFh7lOV_-tDFoH-Cgl7c2GkUFo8Osi3iAPzHMz1ywkDw?testcase_id=6108106171088896

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: Test-Predator-Correct M-57
Owner: danakj@chromium.org
Status: Assigned (was: Untriaged)
The result is a list of CLs that change the crashed files. 

Author: danakj
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/880b80edba57b16cf77dc2437c67f27c45815065
Time: Wed Dec 07 01:27:01 2016
Lines 331-332, 337 of file render_surface_impl.cc, which potentially caused the crash, are changed in this CL (frame #5, "cc::RenderSurfaceImpl::AccumulateContentRectFromContributingRenderSurface").
Minimum distance from crash line to modified line: 0. (file: render_surface_impl.cc, crashed on: 331, modified: 331).

danakj@, could you please take a look?

Comment 2 by danakj@chromium.org, Dec 20 2016

Cc: senorblanco@chromium.org
Owner: jbroman@chromium.org

Comment 3 by ClusterFuzz, Dec 22 2016

ClusterFuzz has detected this issue as fixed in range 440242:440280.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6108106171088896

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  cc::MapRectInternal
  cc::FilterOperations::MapRect
  cc::RenderSurfaceImpl::DrawableContentRect
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280

Minimized Testcase (0.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95gQV8lNYf_W7LoR4P408tMIFwpWJeW-02pkm0c-8_sBeSlqTn-sWGNtiJp0hCbh6R7Phxg6PHNkVWCkLJ_kUo9Ij696QxxGgYung5lRBFO43bIF0dFh7lOV_-tDFoH-Cgl7c2GkUFo8Osi3iAPzHMz1ywkDw?testcase_id=6108106171088896

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 4 by ClusterFuzz, Dec 22 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6108106171088896 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 5 by bugdroid1@chromium.org, Dec 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d52ae8cb7575fab9f7904475299e872e6c013570

commit d52ae8cb7575fab9f7904475299e872e6c013570
Author: jbroman <jbroman@chromium.org>
Date: Thu Dec 22 22:44:25 2016

cc: Prevent float-cast-overflow in MapRectInternal.

This changes from using ints to express the blur spread, to keeping the
arithmetic as floats until producing the result, using ToEnclosingRect
(which uses saturated_cast to convert). This is similar to how the drop
shadow code works.

The CL that enabled -fsanitize=float-cast-overflow has since been reverted:
  https://codereview.chromium.org/2598813002/

But I'd already written this before I realized that.

BUG=675177
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Review-Url: https://codereview.chromium.org/2593583005
Cr-Commit-Position: refs/heads/master@{#440530}

[modify] https://crrev.com/d52ae8cb7575fab9f7904475299e872e6c013570/cc/output/filter_operation.cc
[modify] https://crrev.com/d52ae8cb7575fab9f7904475299e872e6c013570/cc/output/filter_operations_unittest.cc
