based on Findit results assigning to mstensho@, could you please check the issue and help.

The result is a list of CLs that change the crashed files. 

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/95342a4986af56783818b4a7f578f4b3b2bf5f2b
Time: Wed Dec 07 21:19:40 2016
File LayoutBox.cpp is changed in this cl (and is part of stack frame #3, "blink::LayoutBox::pageRemainingLogicalHeightForOffset")
Minimum distance from crash line to modified line: 55. (file: LayoutBox.cpp, crashed on: 5596, modified: 5541).

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0b389da84405eef38ee9f9e54f51352a6c1508f3

commit 0b389da84405eef38ee9f9e54f51352a6c1508f3
Author: mstensho <mstensho@opera.com>
Date: Mon Feb 27 13:47:02 2017

Allow flow thread portion logical bottom to be above its logical top.

We used to try to prevent this, as an attempt to make sure that no
fragmentainer group would have overlapping flow thread portion rectangles with
other fragmentainer groups. But that was already easily achievable with e.g. an
empty block between two column spanners anyway.

There is a legitimate reason for the flow thread portion bottom to be above the
top: negative margins.

Introduce MultiColumnFragmentainerGroup::logicalHeightInFlowThreadAt().
Less duplicated code. Some extra care is now needed, to make sure that we don't
end up with negative logical heights.

BUG= 688760 , 683090 , 683554 

Review-Url: https://codereview.chromium.org/2709013007
Cr-Commit-Position: refs/heads/master@{#453201}

[add] https://crrev.com/0b389da84405eef38ee9f9e54f51352a6c1508f3/third_party/WebKit/LayoutTests/fast/multicol/span/spanner-after-negative-margin-bottom-crash-2.html
[add] https://crrev.com/0b389da84405eef38ee9f9e54f51352a6c1508f3/third_party/WebKit/LayoutTests/fast/multicol/span/spanner-after-negative-margin-bottom-crash.html
[modify] https://crrev.com/0b389da84405eef38ee9f9e54f51352a6c1508f3/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp
[modify] https://crrev.com/0b389da84405eef38ee9f9e54f51352a6c1508f3/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.h
[modify] https://crrev.com/0b389da84405eef38ee9f9e54f51352a6c1508f3/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.cpp
[modify] https://crrev.com/0b389da84405eef38ee9f9e54f51352a6c1508f3/third_party/WebKit/Source/core/layout/MultiColumnFragmentainerGroup.h

ClusterFuzz has detected this issue as fixed in range 453196:453210.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4912305432428544

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutFlowThread::pageRemainingLogicalHeightForOffset
  blink::LayoutBox::pageRemainingLogicalHeightForOffset
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=436997:437094
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=453196:453210

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94QTjkZXqtzJloEGc_Zw2mvuD3_PB8u08X4XpaI9DzJYxd1McmPSMUTg-rpiinMu8Zi04bKM8MIvGVJ4NekUJUXniv4z_-TfBdm6_2EhDHIEBud3orvGZDG6N6p0ttkkQBqpH4_ukiVEPNWUto08jwZbffTMOwLXBqXRQnIdjOE_QbphwutAH3iZJIBunAS7qRpZkU8X8z0e6yWgXZWs3tFVh0pHS_P5PjUMzb28MKSAFe1ntHMMUlu6UMvGtTjP1uie3tS3AJnHG8T7oQTfpAhRVg6lSOK8986k2PpVyb_j9VgIgGJ0ylLLvtV39V1EjvKHegWYAIZ0gbFE1_enNyNNCmc5NPlH_onKE20fhAL_GLolpY?testcase_id=4912305432428544


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.