i < size() in Vector.h
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4738207288918016

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::GridIterator::nextGridItem
  blink::LayoutGrid::computeEmptyTracksForAutoRepeat

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=444813:444844

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94RtkOrVfXGDPxVStO1YnKWxs6QWyItiTg8K2h0272fK2c6LYI9JKgCgoiYIimKX3iyGOBdMTYGv6830YksXuVwBiBEi_1kOz8cFzSz6bkt5pDClUJ37MWKfg317odIX8K0IU1r0Uf9vEYDOYoX8gMZwkcq_tT7VH5HtbvJUHl8eNl95E_2lVhySNeB_5FIq_V9wAuYwhrNFIBYfgZRk1mbDtyA_48u_HGe8AM8h_WU0afcLa9FKjAcLAM6RyRl1d9yGnG8F3u-JSnV6xHJzQ0_cfezMm87YlWIl23WMBSOiAOdSaybqenqOLqM4RtotPZMD0QHThahSGATO8NBw5TYuazddF-Twjf93hL-Xes_9dj04M0?testcase_id=4738207288918016

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Feb 2 2017

Feb 3 2017

Feb 3 2017
Able to reproduce in ToT, so this is a valid bug report.
Feb 3 2017
#0 base::debug::(anonymous namespace)::DebugBreak () at ../../base/debug/debugger_posix.cc:232
#1 0x00007f7e92e4a078 in base::debug::BreakDebugger () at ../../base/debug/debugger_posix.cc:251
#2 0x00007f7e92eb7376 in logging::LogMessage::~LogMessage (this=0x7ffcfc8ad458) at ../../base/logging.cc:759
#3 0x00007f7e8a109d52 in blink::GridIterator::GridIterator (this=0x7ffcfc8adae0, grid=..., direction=blink::ForColumns, fixedTrackIndex=1000, varyingTrackIndex=0) at ../../third_party/WebKit/Source/core/layout/Grid.cpp:164
#4 0x00007f7e8a1ef77e in blink::LayoutGrid::computeEmptyTracksForAutoRepeat (this=0x18147d828010, grid=..., direction=blink::ForColumns) at ../../third_party/WebKit/Source/core/layout/LayoutGrid.cpp:586
#5 0x00007f7e8a1ed434 in blink::LayoutGrid::placeItemsOnGrid (this=0x18147d828010, grid=..., sizingOperation=blink::TrackSizing) at ../../third_party/WebKit/Source/core/layout/LayoutGrid.cpp:669
#6 0x00007f7e8a1ec79b in blink::LayoutGrid::layoutBlock (this=0x18147d828010, relayoutChildren=false) at ../../third_party/WebKit/Source/core/layout/LayoutGrid.cpp:218
#7 0x00007f7e8a13a42c in blink::LayoutBlock::layout (this=0x18147d828010) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:409
#8 0x00007f7e8a153aaf in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded (this=0x18147d81c138, child=..., newLogicalTop=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:736
#9 0x00007f7e8a153e70 in blink::LayoutBlockFlow::layoutBlockChild (this=0x18147d81c138, child=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:799
#10 0x00007f7e8a152bb4 in blink::LayoutBlockFlow::layoutBlockChildren (this=0x18147d81c138, relayoutChildren=true, layoutScope=..., beforeEdge=..., afterEdge=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1487
#11 0x00007f7e8a150d58 in blink::LayoutBlockFlow::layoutChildren (this=0x18147d81c138, relayoutChildren=true, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:549
#12 0x00007f7e8a1507b2 in blink::LayoutBlockFlow::layoutBlock (this=0x18147d81c138, relayoutChildren=true) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:428
#13 0x00007f7e8a13a42c in blink::LayoutBlock::layout (this=0x18147d81c138) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:409
#14 0x00007f7e8a153aaf in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded (this=0x18147d81c010, child=..., newLogicalTop=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:736
#15 0x00007f7e8a153e70 in blink::LayoutBlockFlow::layoutBlockChild (this=0x18147d81c010, child=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:799
#16 0x00007f7e8a152bb4 in blink::LayoutBlockFlow::layoutBlockChildren (this=0x18147d81c010, relayoutChildren=true, layoutScope=..., beforeEdge=..., afterEdge=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1487
#17 0x00007f7e8a150d58 in blink::LayoutBlockFlow::layoutChildren (this=0x18147d81c010, relayoutChildren=true, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:549
#18 0x00007f7e8a1507b2 in blink::LayoutBlockFlow::layoutBlock (this=0x18147d81c010, relayoutChildren=true) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:428
#19 0x00007f7e8a13a42c in blink::LayoutBlock::layout (this=0x18147d81c010) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:409
#20 0x00007f7e8a153aaf in blink::LayoutBlockFlow::positionAndLayoutOnceIfNeeded (this=0x18147d804010, child=..., newLogicalTop=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:736
#21 0x00007f7e8a153e70 in blink::LayoutBlockFlow::layoutBlockChild (this=0x18147d804010, child=..., layoutInfo=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:799
#22 0x00007f7e8a152bb4 in blink::LayoutBlockFlow::layoutBlockChildren (this=0x18147d804010, relayoutChildren=true, layoutScope=..., beforeEdge=..., afterEdge=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:1487
#23 0x00007f7e8a150d58 in blink::LayoutBlockFlow::layoutChildren (this=0x18147d804010, relayoutChildren=true, layoutScope=...) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:549
#24 0x00007f7e8a1507b2 in blink::LayoutBlockFlow::layoutBlock (this=0x18147d804010, relayoutChildren=true) at ../../third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp:428
#25 0x00007f7e8a13a42c in blink::LayoutBlock::layout (this=0x18147d804010) at ../../third_party/WebKit/Source/core/layout/LayoutBlock.cpp:409
#26 0x00007f7e8a2a27e2 in blink::LayoutView::layoutContent (this=0x18147d804010) at ../../third_party/WebKit/Source/core/layout/LayoutView.cpp:193
#27 0x00007f7e8a2a3056 in blink::LayoutView::layout (this=0x18147d804010) at ../../third_party/WebKit/Source/core/layout/LayoutView.cpp:284
#28 0x00007f7e89be52dc in blink::layoutFromRootObject (root=...) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:1003
#29 0x00007f7e89be4e80 in blink::FrameView::performLayout (this=0x3d0249642478, inSubtreeLayout=false) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:1090
#30 0x00007f7e89be21ab in blink::FrameView::layout (this=0x3d0249642478) at ../../third_party/WebKit/Source/core/frame/FrameView.cpp:1257
#31 0x00007f7e897ef3cc in blink::Document::implicitClose (this=0xd53c7a5baf0) at ../../third_party/WebKit/Source/core/dom/Document.cpp:2942
#32 0x00007f7e8a416a72 in blink::FrameLoader::checkCompleted (this=0xf736b482028) at ../../third_party/WebKit/Source/core/loader/FrameLoader.cpp:722
#33 0x00007f7e897feeb5 in blink::Document::decrementLoadEventDelayCountAndCheckLoadEvent (this=0xd53c7a5baf0) at ../../third_party/WebKit/Source/core/dom/Document.cpp:5861
#34 0x00007f7e898b1737 in blink::IncrementLoadEventDelayCount::clearAndCheckLoadEvent (this=0x2951f2d2d8d0) at ../../third_party/WebKit/Source/core/dom/IncrementLoadEventDelayCount.cpp:29
Feb 3 2017

Feb 3 2017
Reduced test case; I cannot reproduce it without using the "zoom" property or with some bigger values for that property.
Feb 7 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/bccd320563864b14db492b37954bac2d9d63d548

commit bccd320563864b14db492b37954bac2d9d63d548
Author: svillar <svillar@igalia.com>
Date: Tue Feb 07 11:49:41 2017

[css-grid] Clamp the number of auto repeat tracks in all cases

In #446646 we added clamping of auto repetitions so that they respected kGridMaxTracks. The problem is that we were doing it only if the number of auto repeat tracks was >kGridMaxTracks. When the amount of auto-repeat tracks was exactly kGridMaxTracks there was no clamping and thus, the sole existence of one non auto repeat track was enough to surpass the limits.

Apart from that there were other non-handled cases, like having more than kGridMaxTracks (both non auto repeat and auto repeat tracks) or having a <track-list> in the auto repeat syntax with more than kGridMaxTracks tracks.

BUG=687941
Review-Url: https://codereview.chromium.org/2670363003
Cr-Commit-Position: refs/heads/master@{#448602}

[modify] https://crrev.com/bccd320563864b14db492b37954bac2d9d63d548/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-huge-grid.html
[modify] https://crrev.com/bccd320563864b14db492b37954bac2d9d63d548/third_party/WebKit/Source/core/layout/Grid.cpp
[modify] https://crrev.com/bccd320563864b14db492b37954bac2d9d63d548/third_party/WebKit/Source/core/layout/LayoutGrid.cpp
[modify] https://crrev.com/bccd320563864b14db492b37954bac2d9d63d548/third_party/WebKit/Source/core/layout/LayoutGrid.h
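The clamping problem the commit message describes, as an added illustration that is not Blink's code: the pre-fix check beside a simplified post-fix model. kGridMaxTracks = 1000 is assumed for the demo (the trace above fails at track index 1000), and a repeat is modelled as a track-list length times a repetition count.

```cpp
#include <algorithm>
#include <cstddef>

// Assumed value for this demo; Blink's constant has the same name and the
// trace above fails at track index 1000.
constexpr size_t kGridMaxTracks = 1000;

// Pre-fix behaviour as the commit message describes it: the repetition count
// is clamped only when it is strictly greater than the limit, and the
// explicit (non auto-repeat) tracks beside the repeat are not counted.
size_t totalTracksBuggy(size_t explicitTracks, size_t repeatListLength,
                        size_t repetitions) {
  if (repetitions > kGridMaxTracks)
    repetitions = kGridMaxTracks;
  return explicitTracks + repetitions * repeatListLength;
}

// Post-fix behaviour as a simplified model (not Blink's code): repetitions
// are clamped so that explicit tracks plus every expanded repeat fit within
// the limit; a repeat list too long to fit even once contributes nothing.
size_t totalTracksFixed(size_t explicitTracks, size_t repeatListLength,
                        size_t repetitions) {
  explicitTracks = std::min(explicitTracks, kGridMaxTracks);
  size_t room = kGridMaxTracks - explicitTracks;
  size_t maxRepetitions = repeatListLength ? room / repeatListLength : 0;
  repetitions = std::min(repetitions, maxRepetitions);
  return explicitTracks + repetitions * repeatListLength;
}

// The iterator walks indices [0, total) over a grid that can hold at most
// kGridMaxTracks tracks, so any total beyond that reaches an index that
// trips a bounds CHECK like the `i < size()` failure reported above.
bool iteratesWithinBounds(size_t totalTracks) {
  return totalTracks <= kGridMaxTracks;
}

int main() {
  // Something like `grid-template-columns: 1px repeat(auto-fill, 1px)` with
  // room for 1000 repetitions: one explicit track plus exactly kGridMaxTracks
  // repeats, the "exactly kGridMaxTracks" case from the commit message.
  size_t buggy = totalTracksBuggy(1, 1, 1000);   // 1001: never clamped
  size_t fixed = totalTracksFixed(1, 1, 1000);   // 1000: fits the grid
  return (iteratesWithinBounds(fixed) && !iteratesWithinBounds(buggy)) ? 0 : 1;
}
```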
Feb 7 2017
This should be fixed now.
Feb 8 2017
ClusterFuzz has detected this issue as fixed in range 448599:448603.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4738207288918016

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  i < size() in Vector.h
  blink::GridIterator::nextGridItem
  blink::LayoutGrid::computeEmptyTracksForAutoRepeat

Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=444813:444844
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=448599:448603

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94RtkOrVfXGDPxVStO1YnKWxs6QWyItiTg8K2h0272fK2c6LYI9JKgCgoiYIimKX3iyGOBdMTYGv6830YksXuVwBiBEi_1kOz8cFzSz6bkt5pDClUJ37MWKfg317odIX8K0IU1r0Uf9vEYDOYoX8gMZwkcq_tT7VH5HtbvJUHl8eNl95E_2lVhySNeB_5FIq_V9wAuYwhrNFIBYfgZRk1mbDtyA_48u_HGe8AM8h_WU0afcLa9FKjAcLAM6RyRl1d9yGnG8F3u-JSnV6xHJzQ0_cfezMm87YlWIl23WMBSOiAOdSaybqenqOLqM4RtotPZMD0QHThahSGATO8NBw5TYuazddF-Twjf93hL-Xes_9dj04M0?testcase_id=4738207288918016

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 8 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.

Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Feb 8 2017
If possible, could you please merge your change to M57 branch 2987 today before 5:00 PM PT, Wednesday (02/08/17). Thank you.
Feb 9 2017
Please merge your change to M57 branch 2987 before 5:00 PM PT, Friday 02/10 (sooner the better please) so we can take it in for next week beta release. Thank you.
Feb 9 2017
Yes, I'm on it.
Feb 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/29c4b6656c5884a8541483f2fa7bce4eb5575c23

commit 29c4b6656c5884a8541483f2fa7bce4eb5575c23
Author: Sergio Villar Senin <svillar@igalia.com>
Date: Thu Feb 09 10:55:35 2017

[css-grid] Clamp the number of auto repeat tracks in all cases

In #446646 we added clamping of auto repetitions so that they respected kGridMaxTracks. The problem is that we were doing it only if the number of auto repeat tracks was >kGridMaxTracks. When the amount of auto-repeat tracks was exactly kGridMaxTracks there was no clamping and thus, the sole existence of one non auto repeat track was enough to surpass the limits.

Apart from that there were other non-handled cases, like having more than kGridMaxTracks (both non auto repeat and auto repeat tracks) or having a <track-list> in the auto repeat syntax with more than kGridMaxTracks tracks.

BUG=687941
Review-Url: https://codereview.chromium.org/2670363003
Cr-Commit-Position: refs/heads/master@{#448602}
(cherry picked from commit bccd320563864b14db492b37954bac2d9d63d548)

Review-Url: https://codereview.chromium.org/2679303005 .
Cr-Commit-Position: refs/branch-heads/2987@{#402}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[modify] https://crrev.com/29c4b6656c5884a8541483f2fa7bce4eb5575c23/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-auto-repeat-huge-grid.html
[modify] https://crrev.com/29c4b6656c5884a8541483f2fa7bce4eb5575c23/third_party/WebKit/Source/core/layout/LayoutGrid.cpp
[modify] https://crrev.com/29c4b6656c5884a8541483f2fa7bce4eb5575c23/third_party/WebKit/Source/core/layout/LayoutGrid.h
Comment 1 by dtapu...@chromium.org, Feb 2 2017