CHECK failure in SyntheticGestureTargetBase::DispatchInputEventToPlatform()
Issue description

This is a spin-off bug from issue 610021 / 631015 / 756613. The CHECK failure happens during a family of telemetry tests. These tests internally inject pinch events at the center of the <body> element. When the page zooms in, the center point may no longer be inside the view bounds, thus triggering the CHECK. I uploaded a CL to fix those tests (in review, expected to land soon) so they no longer inject invalid points, but I think this needs further investigation.

The tests inject input events via chrome.gpuBenchmarking.pinchBy, which is a native method implemented by GpuBenchmarking::PinchBy(). This means that although under normal circumstances the invalid values can only come from internal code, the values come from the renderer process, which is on the other side of a security boundary. A compromised renderer process shouldn't be able to crash the browser process.

The involved call stack looks like this:

  chrome.gpuBenchmarking.pinchBy
  GpuBenchmarking::PinchBy
  RenderWidget::QueueSyntheticGesture
  (IPC) InputHostMsg_QueueSyntheticGesture
  RenderWidgetHostImpl::OnQueueSyntheticGesture
  RenderWidgetHostImpl::QueueSyntheticGesture
  SyntheticGestureController::QueueSyntheticGesture
  SyntheticGestureController::StartGesture
  SyntheticGestureController::StartTimer
  (Timer) SyntheticGestureController::DispatchNextEvent
  SyntheticGesture::ForwardInputEvents
  SyntheticTouchscreenPinchGesture::ForwardInputEvents
  SyntheticTouchscreenPinchGesture::ForwardTouchInputEvents
  SyntheticTouchDriver::DispatchEvent
  SyntheticGestureTargetBase::DispatchInputEventToPlatform

I think we should make the contract clear as to whether the synthetic event subsystem should accept invalid inputs. If yes, it should handle the failure gracefully. If not, then RenderWidgetHostImpl should sanitize inputs, or even kill the misbehaving renderer process.
Aug 28 2017
I agree we should gracefully handle bad input. The tests should be corrected, though, because once we fix the crash they are likely to be flaky if they cause different behavior inconsistently.
Aug 28 2017
Aug 28 2017
Just double checked. Yes, RenderWidgetHostImpl::OnQueueSyntheticGesture handles the message only if --enable-gpu-benchmarking is specified. So not a security issue to end users after all.
Jan 3 2018
Jan 4 2018
Apr 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tdres...@chromium.org, Aug 28 2017
Labels: Hotlist-Input-Dev