
Issue 859374

Issue metadata

Status: Verified
Owner:
Closed: Jul 2
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Null-dereference READ in blink::BaselineContext::FindCompatibleSharedGroup

Project Member Reported by ClusterFuzz, Jul 2

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4859037116792832

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::BaselineOffsetForChild
  blink::GridTrackSizingAlgorithm::BaselineOffsetForChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=562405:562409

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4859037116792832

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jul 2

Components: Blink>Layout
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Jul 2

Labels: Test-Predator-Auto-Owner
Owner: jfernan...@igalia.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/6534acd9b94a260ccf88ccdfd7ab8b3859349082 ([css-grid] Baseline alignment inside the tracks sizing algorithm).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Components: -Blink>Layout Blink>Layout>Grid
Status: Started (was: Assigned)
I can confirm the issue.
Attached a simplified test case and already working on a fix.
Attachment: crash-baseline-flex-and-relative-height.html (151 bytes)
Project Member

Comment 4 by bugdroid1@chromium.org, Jul 2

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c50358db56dd90d2b43c59e9bf64d3911e54e6f4

commit c50358db56dd90d2b43c59e9bf64d3911e54e6f4
Author: Javier Fernandez <jfernandez@igalia.com>
Date: Mon Jul 02 14:04:15 2018

[css-grid] Use AvailableSpace to detect grids with indefinite sizes

The spec considers flexible tracks as content-sized if the grid has an
indefinite size. We were using FreeSpace to determine this case as part
of the IsIntrinsicSizedGridArea, which is incorrect since that function
returns a different value before, during and after running the tracks
sizing algorithm.

We use the IsIntrinsicSizedGridArea function to detect cyclic sizing
dependencies in grid items, so that such items can participate in
baseline alignment. Hence, using the FreeSpace function led to
inconsistent behavior in some cases, like the one described in the
bug this CL tries to fix.

Bug: 859374
Change-Id: Ifa90cdad6703c3b5e55a7230f85bc4ef63bf32d3
Reviewed-on: https://chromium-review.googlesource.com/1122217
Commit-Queue: Javier Fernandez <jfernandez@igalia.com>
Reviewed-by: Sergio Villar <svillar@igalia.com>
Cr-Commit-Position: refs/heads/master@{#571885}
[modify] https://crrev.com/c50358db56dd90d2b43c59e9bf64d3911e54e6f4/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-self-baseline-and-flexible-tracks-should-not-crash.html
[modify] https://crrev.com/c50358db56dd90d2b43c59e9bf64d3911e54e6f4/third_party/blink/renderer/core/layout/grid_track_sizing_algorithm.cc

Status: Fixed (was: Started)
This issue should be FIXED now.
Project Member

Comment 6 by ClusterFuzz, Jul 3

ClusterFuzz has detected this issue as fixed in range 571884:571885.

Detailed report: https://clusterfuzz.com/testcase?key=4859037116792832

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::BaselineOffsetForChild
  blink::GridTrackSizingAlgorithm::BaselineOffsetForChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=562405:562409
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=571884:571885

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4859037116792832

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Jul 3

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 4859037116792832 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
