
Issue 703543 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
NOT IN USE
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug




Floating-point-exception in blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset

Project Member Reported by ClusterFuzz, Mar 21 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5823814069125120

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutBlockFlow::estimateLogicalTopPosition
  blink::LayoutBlockFlow::layoutBlockChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454393:454446

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97tPgTQGKo2axqkivY6nhZGw896IaisccXNiJt7Bp5xPTNPs9Patv-c1ceu84ZY90QeaxrDM14JBBrvIBXzhgepL3js8zu7ZDB7f5PyC8OnPx8rVpSsxz3EHVaDzLt1PJgW3QT6K9h25MhiaXtr5vQAHmD7TK97KDF37jS446bmUvI_R3FU2cydFM3mhj2gjrtHv7qp_8MrngEQpGAGGdRvKMlUK63qyQ2a1ja21TkLqZB8eT4pUI3NsY6QLxkk5MZ42SdTs5U27uvYt9P0uxq8I3jIrs3YGq3i30xLfELOWrrC67fk98_YSxaDcl1LEjd8JlXKZDCNnbz0qD4W5R6oPynpfzUQsFeAfRJOgA6VdiYWIQ8?testcase_id=5823814069125120


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>Layout
Labels: Test-Predator-Correct-CLs M-59
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: mstensho
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/7fa349e632a44c152b05ca6a66ade5f2e5b3f139
Time: Thu Mar 02 22:39:16 2017
File LayoutMultiColumnSet.cpp is changed in this cl (and is part of stack frame #1, "blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset")
Minimum distance from crash line to modified line: 96. (file: LayoutMultiColumnSet.cpp, crashed on: 147, modified: 243).

@mstensho -- Could you please look into the issue? Kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by bugdroid1@chromium.org, Mar 29 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1ade7ad316d84cfceaf7980c4d14bd79aaea0ebc

commit 1ade7ad316d84cfceaf7980c4d14bd79aaea0ebc
Author: mstensho <mstensho@opera.com>
Date: Wed Mar 29 05:16:32 2017

Stop appending fragmentainer groups when flow thread offset approaches infinity.

The final column height is a function of the difference between the logical
bottom and logical top of the flow thread portion of a given fragmentainer
group. If the logical top is LayoutUnit::max(), we know for sure that the
bottom won't be any larger than that. Just give up in such cases (and keep
using the current fragmentainer group), rather than ending up dividing by zero.

BUG=703543

Review-Url: https://codereview.chromium.org/2784493002
Cr-Commit-Position: refs/heads/master@{#460284}

[add] https://crrev.com/1ade7ad316d84cfceaf7980c4d14bd79aaea0ebc/third_party/WebKit/LayoutTests/fast/multicol/doubly-nested-with-insane-child-height-crash.html
[modify] https://crrev.com/1ade7ad316d84cfceaf7980c4d14bd79aaea0ebc/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp
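
The saturation-to-zero scenario the commit message describes, as an added C++ model that is not Blink's code: a hypothetical saturating `SatUnit` stands in for LayoutUnit, `buildGroups` contrasts the pre-fix and post-fix behaviour of appending fragmentainer groups, and `remainingHeight` stands in for pageRemainingLogicalHeightForOffset, returning empty instead of dividing by a zero column height.

```cpp
#include <cstdint>
#include <limits>
#include <optional>
#include <vector>

// Hypothetical stand-in for Blink's saturating LayoutUnit: arithmetic clamps
// to the int32 range instead of overflowing, so max() + anything == max().
struct SatUnit {
  int64_t v = 0;
  static constexpr int64_t kMax = std::numeric_limits<int32_t>::max();
  static constexpr int64_t kMin = std::numeric_limits<int32_t>::min();
  static SatUnit max() { return {kMax}; }
  static int64_t clamp(int64_t x) { return x > kMax ? kMax : (x < kMin ? kMin : x); }
  SatUnit operator+(SatUnit o) const { return {clamp(v + o.v)}; }
  SatUnit operator-(SatUnit o) const { return {clamp(v - o.v)}; }
};

// One fragmentainer group: the flow-thread range it covers and the column
// height derived from it (simplified: height = bottom - top, one column).
struct Group {
  SatUnit logicalTop;
  SatUnit logicalBottom;
  int64_t columnHeight() const { return (logicalBottom - logicalTop).v; }
};

// Append one group per child height. guard=false is the pre-fix behaviour:
// appending continues after the offset saturates, yielding a group with
// top == bottom == max() and thus column height 0. guard=true is the fix:
// stop once the top reaches max() and keep using the last group.
std::vector<Group> buildGroups(const std::vector<int64_t>& childHeights, bool guard) {
  std::vector<Group> groups;
  SatUnit offset;
  for (int64_t h : childHeights) {
    if (guard && offset.v == SatUnit::kMax) break;  // the fix: give up here
    SatUnit bottom = offset + SatUnit{h};
    groups.push_back({offset, bottom});
    offset = bottom;
  }
  return groups;
}

// Model of pageRemainingLogicalHeightForOffset: how much of the column that
// contains `offset` is left. The modulo is an integer division; a zero column
// height raises SIGFPE (ClusterFuzz's "Floating-point-exception"), so we
// return nullopt instead of dividing.
std::optional<int64_t> remainingHeight(const Group& g, SatUnit offset) {
  int64_t height = g.columnHeight();
  if (height <= 0) return std::nullopt;
  int64_t used = (offset - g.logicalTop).v % height;
  return height - used;
}
```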

Comment 3 by msten...@opera.com, Mar 29 2017

Status: Fixed (was: Assigned)

Comment 4 by ClusterFuzz, Apr 9 2017

ClusterFuzz has detected this issue as fixed in range 458746:463137.

Detailed report: https://clusterfuzz.com/testcase?key=5823814069125120

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  blink::LayoutMultiColumnSet::pageRemainingLogicalHeightForOffset
  blink::LayoutBlockFlow::estimateLogicalTopPosition
  blink::LayoutBlockFlow::layoutBlockChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454393:454446
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv97tPgTQGKo2axqkivY6nhZGw896IaisccXNiJt7Bp5xPTNPs9Patv-c1ceu84ZY90QeaxrDM14JBBrvIBXzhgepL3js8zu7ZDB7f5PyC8OnPx8rVpSsxz3EHVaDzLt1PJgW3QT6K9h25MhiaXtr5vQAHmD7TK97KDF37jS446bmUvI_R3FU2cydFM3mhj2gjrtHv7qp_8MrngEQpGAGGdRvKMlUK63qyQ2a1ja21TkLqZB8eT4pUI3NsY6QLxkk5MZ42SdTs5U27uvYt9P0uxq8I3jIrs3YGq3i30xLfELOWrrC67fk98_YSxaDcl1LEjd8JlXKZDCNnbz0qD4W5R6oPynpfzUQsFeAfRJOgA6VdiYWIQ8?testcase_id=5823814069125120


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
