
Issue 675204


Issue metadata

Status: Verified
Owner: ----
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Float-cast-overflow in blink::SizesAttributeParser::effectiveSizeDefaultValue

Reported by ClusterFuzz (Project Member), Dec 16 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6553331775569920

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::SizesAttributeParser::effectiveSizeDefaultValue
  blink::SizesAttributeParser::length
  blink::TokenPreloadScanner::StartTagScanner::StartTagScanner
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Zr5CaBJAaagJdE2aFfuPL_BI50nm5Erz7CYy75vqiQPfg0NUbwuSR4dmAXWAkSdaEfrKSZqYO8tncVrQJ9bmAeGoEZ5xtkkL0GQzV7wWAfYcT6k42xCUeZJsyi3zHURp0PBUD1X9HZRZX6ci0ULzFNlsUMQ?testcase_id=6553331775569920

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: r...@opera.com
Components: Blink>HTML>Parser
Labels: Test-Predator-Correct M-57
The result is a list of CLs that change the crashed files. 

Author: rune
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/47f8406eb6b473ba158e591bb916ab4a59d60be5
Time: Fri Dec 02 12:17:18 2016
File HTMLPreloadScanner.cpp is changed in this cl (and is part of stack frame #2, "blink::TokenPreloadScanner::StartTagScanner::StartTagScanner"; frame #3, "void blink::TokenPreloadScanner::scanCommon")
Minimum distance from crash line to modified line: 22. (file: HTMLPreloadScanner.cpp, crashed on: 151, modified: 129).
Cc: y...@yoav.ws
Labels: Needs-Feedback
+ yoav@yoav.ws apparent author of SizesAttributeParser.

There's some funny stuff about double->unsigned->float conversions with effectiveSizeDefaultValue that I don't understand, maybe yoav@ can comment.

Comment 3 by y...@yoav.ws, Dec 21 2016

Definitely something funny about those conversions, don't remember the unsigned stuff as intentional (and it definitely shouldn't have been implicit if it is :/)

I don't have access to the repro though. Could you send me the minimized testcase?

Comment 4 by ClusterFuzz (Project Member), Dec 22 2016

ClusterFuzz has detected this issue as fixed in range 440242:440280.

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=440242:440280

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz (Project Member), Dec 22 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Untriaged)
ClusterFuzz testcase 6553331775569920 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sent the testcase offline.

Comment 7 by bugdroid1@chromium.org (Project Member), Dec 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5

commit 12e5afd8b8cca061b9a11fdaccb4bd198cb772b5
Author: yoav <yoav@yoav.ws>
Date: Thu Dec 22 13:41:16 2016

Return sizes' default effective size as float

As pointed out in the issue, the default effective size is converted
from double to unsigned to float for no good reason.
This CL makes sure there's a single explicit (clamped) conversion from
double to float.

BUG=675204

Review-Url: https://codereview.chromium.org/2596203002
Cr-Commit-Position: refs/heads/master@{#440404}

[modify] https://crrev.com/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5/third_party/WebKit/Source/core/css/parser/SizesAttributeParser.cpp
[modify] https://crrev.com/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5/third_party/WebKit/Source/core/css/parser/SizesAttributeParser.h
[modify] https://crrev.com/12e5afd8b8cca061b9a11fdaccb4bd198cb772b5/third_party/WebKit/Source/core/css/parser/SizesAttributeParserTest.cpp
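
An added example, not code from Chromium or from the CL above, contrasting the two conversion paths the commit message names: the old double to unsigned to float chain, whose intermediate cast is undefined for values outside unsigned range (the float-cast-overflow UBSan reported here), and a single explicit clamped conversion from double to float. Function names, the NaN handling and the fallback argument are assumptions.

```cpp
#include <cmath>
#include <limits>

// Single explicit conversion: clamp into float range first so the
// static_cast below is always defined. Mirrors the approach the commit
// message describes; name and NaN handling are assumptions.
float clampedDoubleToFloat(double value) {
  constexpr double kFloatMax = std::numeric_limits<float>::max();
  if (std::isnan(value))
    return 0.0f;  // assumption: treat NaN as "no size"
  if (value > kFloatMax)
    return std::numeric_limits<float>::max();
  if (value < -kFloatMax)
    return std::numeric_limits<float>::lowest();
  return static_cast<float>(value);
}

// Precondition for the old double -> unsigned -> float path: truncating
// a double to unsigned is undefined unless the truncated value fits in
// [0, UINT_MAX]. UBSan reports a violation as float-cast-overflow.
// This check never performs the cast itself.
bool fitsInUnsigned(double value) {
  if (std::isnan(value))
    return false;
  constexpr double kUnsignedRange =
      static_cast<double>(std::numeric_limits<unsigned>::max()) + 1.0;
  return value > -1.0 && value < kUnsignedRange;
}

// Old pipeline, guarded: returns what the legacy path would have
// produced (fraction dropped, sign lost), or `fallback` when the
// intermediate cast would be undefined.
float legacyDoubleToFloatOr(double value, float fallback) {
  if (!fitsInUnsigned(value))
    return fallback;
  unsigned truncated = static_cast<unsigned>(value);  // drops fraction
  return static_cast<float>(truncated);
}
```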
