I cannot access the minimized test case. Please grant access to it or publish it here in the report.

Yes I can reproduce it, I've reduced the test case a little bit,
and I'm attaching a backtrace too.

How could we ask for a new bisect?
I don't see any grid related patch on that range. Thanks.

@svillar you need to use your @chromium.org account,
or assign the bug to yourself to access the test case.

Deleted: fuzz-94-reduced.html 314 bytes

fuzz-94-reduced.html 314 bytes View Download

Deleted: fuzz-94-backtrace.txt 14.6 KB

fuzz-94-backtrace.txt 14.6 KB View Download

Issue 684457 has been merged into this issue.

I have a patch almost ready. The problem is that when computing the number of auto repeat tracks we don't clamp it by kGridMaxTracks.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/946f89ab4dfffec7f9d13bac423ca5a0df949bb6

commit 946f89ab4dfffec7f9d13bac423ca5a0df949bb6
Author: svillar <svillar@igalia.com>
Date: Fri Jan 27 11:10:48 2017

[css-grid] Clamp the number of auto-repeat tracks

The computation of auto-repeat tracks might issue a result larger than the
total number of tracks limit. We need to clamp the grid also in those cases.

BUG= 681381 

Review-Url: https://codereview.chromium.org/2657863005
Cr-Commit-Position: refs/heads/master@{#446646}

[add] https://crrev.com/946f89ab4dfffec7f9d13bac423ca5a0df949bb6/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-huge-grid.html
[modify] https://crrev.com/946f89ab4dfffec7f9d13bac423ca5a0df949bb6/third_party/WebKit/Source/core/layout/LayoutGrid.cpp

Closing

ClusterFuzz has detected this issue as fixed in range 446618:446648.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4830889159950336

Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  i < size() in Vector.h
  blink::LayoutGrid::GridIterator::nextGridItem
  blink::LayoutGrid::computeEmptyTracksForAutoRepeat
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=443258:443393
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=446618:446648

Minimized Testcase (2.25 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97rZs9y25tsRKqZJr0QKhbWYW7hc10Hal5HrF0OjoSgBlWzQNE1kVeQqhxMnA1eXQRRXgLGQkl9aplwj2YlfH5ALNfa7iKocv25iQbLWwCWZfYRrn-WkMz2ZCOFYrY9losYVCFwSZQu6_BzQHRFLOgn4mJQ5tvHD6Q9MOXu6wWW0O7_s9Z2h-w7Wt2sKDAxPbM4Y3GLztA540KX1tiL2IKwvibc04aB6yaFcxbYlvk9cPBKTuSv1BvBLinMLezR4to-oooTvXULPN7NatAAllKR8sJRNBXJfAtGnKirJ2DCTuo54yyA1C-TC5C6ODgSutPhzfO0B6fbByJtYYoB8iR96HzUKshCHUEj2keGe3s70vMdJw0?testcase_id=4830889159950336

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please merge  your change to M57 branch 2987 ASAP.If merge happens today before 5:00 PM PT, then we can take it for tomorrow's last M57 Dev release. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4b3f65698baa64b20f07e341c19751803af8be1a

commit 4b3f65698baa64b20f07e341c19751803af8be1a
Author: Manuel Rego Casasnovas <rego@igalia.com>
Date: Mon Jan 30 20:48:40 2017

[css-grid] Clamp the number of auto-repeat tracks

The computation of auto-repeat tracks might issue a result larger than the
total number of tracks limit. We need to clamp the grid also in those cases.

BUG= 681381 

Review-Url: https://codereview.chromium.org/2657863005
Cr-Commit-Position: refs/heads/master@{#446646}
(cherry picked from commit 946f89ab4dfffec7f9d13bac423ca5a0df949bb6)

Review-Url: https://codereview.chromium.org/2665863002 .
Cr-Commit-Position: refs/branch-heads/2987@{#183}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[add] https://crrev.com/4b3f65698baa64b20f07e341c19751803af8be1a/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-huge-grid.html
[modify] https://crrev.com/4b3f65698baa64b20f07e341c19751803af8be1a/third_party/WebKit/Source/core/layout/LayoutGrid.cpp

Thanks for the information, as @svillar was not around I took care to merge it.
I hope everything is fine.