Issue 876593 link

Issue metadata

Status: Verified
Owner:
Closed: Aug 30
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



Null-dereference READ in blink::BaselineContext::FindCompatibleSharedGroup

Project Member Reported by ClusterFuzz, Aug 22

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5106850899689472

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::BaselineOffsetForChild
  blink::GridTrackSizingAlgorithm::BaselineOffsetForChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=562405:562409

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5106850899689472

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Aug 22

Components: Blink>Layout
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Project Member

Comment 2 by ClusterFuzz, Aug 22

Labels: Test-Predator-Auto-Owner
Owner: jfernan...@igalia.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/6534acd9b94a260ccf88ccdfd7ab8b3859349082 ([css-grid] Baseline alignment inside the tracks sizing algorithm).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
This is exactly the same problem as the one described in issue #867833.
For some reason, clusterfuzz can't process issue #867833, so perhaps it'd be a good idea to continue working on this and leave the older one as closed.
Project Member

Comment 5 by bugdroid1@chromium.org, Aug 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/48e9d03178ecbf89c5677e08f22ac8c6e366a6ff

commit 48e9d03178ecbf89c5677e08f22ac8c6e366a6ff
Author: Javier Fernandez <jfernandez@igalia.com>
Date: Thu Aug 30 21:56:23 2018

[css-grid] Compute again the baseline offsets during step 3

The new Baseline Alignment algorithm states that items with sizing
cyclic dependencies must be excluded from any baseline context they
participate in. One of these cyclic dependencies can happen with
intrinsic sized grid areas and relative items.

The grid spec states [1] that flex-sized tracks should be considered
as content-sized when the grid container has an indefinite size. We
were using the AvailableSize(direction) function to determine whether
the grid container is indefinite or not. However, this function may
provide different results during the different phases of the grid
layout logic. This issue causes assert violations like the one
described in the bugs listed below.

The new Baseline Alignment logic is now integrated in the Grid Track
sizing algorithm. Hence, we need to ensure that an item that
participates in any baseline alignment context during the track sizing
also does during the alignment phase, at the end of the grid layout
logic. In order to achieve that, this CL forces a new computation of
the Baseline offsets during the step 3 of the Grid sizing algorithm,
since during this step the available space is not indefinite anymore.

It's worth mentioning that this change assumes the issue grid items
being excluded and included of Baseline Context during the different
phases of the Grid sizing algorithm, which I hope we can clarify in
the issue [2] I filed for the CSS WG.

[1] https://drafts.csswg.org/css-grid/#fr-unit
[2] https://github.com/w3c/csswg-drafts/issues/3046

Bug: 867833, 874861, 876593
Change-Id: I668d399b920c9280a8e20b3e8362f562eded4770
Reviewed-on: https://chromium-review.googlesource.com/1177757
Reviewed-by: Sergio Villar <svillar@igalia.com>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Commit-Queue: Javier Fernandez <jfernandez@igalia.com>
Cr-Commit-Position: refs/heads/master@{#587799}
[modify] https://crrev.com/48e9d03178ecbf89c5677e08f22ac8c6e366a6ff/third_party/WebKit/LayoutTests/external/wpt/css/css-grid/alignment/grid-self-baseline-not-applied-if-sizing-cyclic-dependency-001.html
[modify] https://crrev.com/48e9d03178ecbf89c5677e08f22ac8c6e366a6ff/third_party/WebKit/LayoutTests/external/wpt/css/css-grid/alignment/grid-self-baseline-not-applied-if-sizing-cyclic-dependency-002.html
[add] https://crrev.com/48e9d03178ecbf89c5677e08f22ac8c6e366a6ff/third_party/WebKit/LayoutTests/fast/css-grid-layout/grid-self-baseline-and-flex-tracks-with-indefinite-container-crash.html
[modify] https://crrev.com/48e9d03178ecbf89c5677e08f22ac8c6e366a6ff/third_party/blink/renderer/core/layout/grid_track_sizing_algorithm.cc

Status: Fixed (was: Assigned)
This issue should be FIXED now.
Project Member

Comment 7 by ClusterFuzz, Aug 31

ClusterFuzz has detected this issue as fixed in range 587791:587801.

Detailed report: https://clusterfuzz.com/testcase?key=5106850899689472

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::BaselineContext::FindCompatibleSharedGroup
  blink::GridBaselineAlignment::BaselineOffsetForChild
  blink::GridTrackSizingAlgorithm::BaselineOffsetForChild
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=562405:562409
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=587791:587801

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5106850899689472

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by ClusterFuzz, Aug 31

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5106850899689472 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.