Detailed report: https://clusterfuzz.com/testcase?key=6332073083404288

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !current_geometry_rect_.IsEmpty() in picture_layer_tiling.cc
  cc::PictureLayerTiling::CoverageIterator::operator++
  cc::PictureLayerTilingSet::CoverageIterator::operator++

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=446721:447186

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv971B1Maw3xOROw9xllO2QtPDDX8po6hp7aDonKgCzDQl8m089zfwbUnrFE66tdqJ-LBRPnuCOvAFVG8-sTmgs-ChOnX6J3V45mpjIUICEbBTVZXIKq5sewc1lxZNKBK2AlD2VcGEbFIykcEX4yGg5yhnTxVdOJR9HsUT3fgudhNu6LNttPRzNmLL7y9_MH8l5yNRZ8oX11gMJXcxLUVjoCUVTR5SEHgi1dMMzuDWSgTent1ESUVJr0k3gws25rwitXYtm1Gy-c5_ChlB-fXzxmeft_JdxA3E3DVDteQxt3EofN67LjhiJluQCQLXOZqlnAhAusRN418liBS5tG-tu_hbBrJ5jKvigQJRI_7lw7ZYMlezEGlUtWlB8YoDiwIJj_lrrxDUFYoH6V_HJZ1fVXe6q_iXA?testcase_id=6332073083404288

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Through code search on file picture_layer_tiling.cc, suspected CL is https://chromium.googlesource.com/chromium/src/+/a0c89995ac1b48c6886c0b339329bfdd42c27e7d%5E%21/#F0
+trchen who has proposals on how to fix this in ToEnclosedRect.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf

commit 7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf
Author: vmpstr <vmpstr@chromium.org>
Date: Fri May 12 17:00:28 2017

cc: Fix bugs found by fuzzer due to floating point imprecision.

This patch changes two things:
- For scales that are within epsilon value of 1, we use 1 directly since
  minute differences could cause changes when multiplied by large values
- Changed the index generation to consider the fact that using wanted
  pixels might grab more tiles than needed.

BUG= 707430
R=enne@chromium.org, danakj@chromium.org
CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel

Review-Url: https://codereview.chromium.org/2816943004
Cr-Commit-Position: refs/heads/master@{#471342}

[modify] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/cc/tiles/picture_layer_tiling.cc
[modify] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/cc/tiles/picture_layer_tiling.h
[modify] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/cc/tiles/picture_layer_tiling_unittest.cc
[modify] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/third_party/WebKit/LayoutTests/platform/linux/animations/skew-notsequential-compositor-expected.png
[add] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/third_party/WebKit/LayoutTests/platform/linux/http/tests/inspector/network/waterfall-images-expected.png
[modify] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/third_party/WebKit/LayoutTests/platform/mac/animations/skew-notsequential-compositor-expected.png
[modify] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/third_party/WebKit/LayoutTests/platform/mac/css3/blending/background-blend-mode-overlapping-accelerated-elements-expected.png
[modify] https://crrev.com/7ff1f0e4e9ad3eef8f4a1e36c08b95237a1c4dcf/third_party/WebKit/LayoutTests/platform/win/animations/skew-notsequential-compositor-expected.png
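The first point in the commit message above (a scale within epsilon of 1 is replaced by exactly 1 before it is multiplied into large coordinates) can be shown in isolation. The block below is an added illustration, not Chromium's code: the rect structs, the simplified ToEnclosedRect, the function names SnapScaleNearOne and ScaledWidth, the epsilon value kScaleEpsilon, and the 16777216-pixel sample width are all assumptions chosen to make the rounding visible with plain float arithmetic.

```cpp
// Added illustration of the "snap scale to 1" fix described in the commit
// message. Not Chromium's code: struct names, the simplified enclosed-rect
// conversion, SnapScaleNearOne, kScaleEpsilon and the sample width are assumed.
#include <cmath>
#include <cstdio>

struct IntRect { int x, y, width, height; };
struct FloatRect { float x, y, width, height; };

// Simplified stand-in for an enclosed-rect conversion: the largest integer rect
// lying inside the float rect (ceil the near edges, floor the far edges).
IntRect ToEnclosedRect(const FloatRect& r) {
  int left = static_cast<int>(std::ceil(r.x));
  int top = static_cast<int>(std::ceil(r.y));
  int right = static_cast<int>(std::floor(r.x + r.width));
  int bottom = static_cast<int>(std::floor(r.y + r.height));
  return {left, top, right > left ? right - left : 0,
          bottom > top ? bottom - top : 0};
}

FloatRect ScaleRect(const IntRect& r, float scale) {
  return {r.x * scale, r.y * scale, r.width * scale, r.height * scale};
}

// Assumed tolerance for "close enough to 1" (the real value is not on the page).
constexpr float kScaleEpsilon = 1e-5f;

// The fix from the commit message: treat near-1 scales as exactly 1 so that
// tiny errors cannot be amplified by large layer coordinates.
float SnapScaleNearOne(float scale) {
  return std::fabs(scale - 1.0f) < kScaleEpsilon ? 1.0f : scale;
}

// Width of the enclosed rect after scaling a layer rect of |layer_width| px.
int ScaledWidth(int layer_width, float scale) {
  IntRect layer_rect{0, 0, layer_width, 1};
  return ToEnclosedRect(ScaleRect(layer_rect, scale)).width;
}

int main() {
  const int kLargeWidth = 1 << 24;                     // 16777216 px (assumed)
  const float kNearOne = std::nextafter(1.0f, 2.0f);   // smallest float above 1
  // Without snapping the scaled width grows by two whole pixels; with snapping
  // the geometry is identical to the unscaled layer.
  std::printf("raw: %d  snapped: %d\n",
              ScaledWidth(kLargeWidth, kNearOne),
              ScaledWidth(kLargeWidth, SnapScaleNearOne(kNearOne)));
  return 0;
}
```

A scale that differs from 1 by only one float ulp changes a 16777216-pixel rect by two whole pixels, which is the kind of mismatch between expected and computed tile coverage that the commit message is addressing; snapping the scale first removes the discrepancy entirely for that case.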
ClusterFuzz has detected this issue as fixed in range 471325:471350.

Detailed report: https://clusterfuzz.com/testcase?key=6332073083404288

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !current_geometry_rect_.IsEmpty() in picture_layer_tiling.cc
  cc::PictureLayerTiling::CoverageIterator::operator++
  cc::PictureLayerTilingSet::CoverageIterator::operator++

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=446721:447186
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=471325:471350

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6332073083404288

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
ClusterFuzz testcase 6332073083404288 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Apr 1 2017
Labels: Test-Predator-Wrong M-58
Owner: vmp...@chromium.org
Status: Assigned (was: Untriaged)