Float-cast-overflow in blink::LengthInterpolationFunctions::CreateLength
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6003250566004736
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
blink::LengthInterpolationFunctions::CreateLength
CreateBasicShape
blink::basic_shape_interpolation_functions::CreateBasicShape
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6003250566004736
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 9
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/9831ecc703d4316100735d9ed9a86702d3a34652 (Disable non-composited animations via feature policy). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Jan 9
Xida, can I assign all of these to you? Predator is pretty convinced that the FP disable-layout-inducing-animations CLs are the cause of all of the undefined behaviour, where really it's just the fuzzer finally catching up with the code. This is the third or fourth, but I'm sure not the last.
Jan 10
I will take a look, thanks
Jan 10
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ab7da7de5fe5dac9bab4789955a5fc146f9fa8a1

commit ab7da7de5fe5dac9bab4789955a5fc146f9fa8a1
Author: Xida Chen <xidachen@chromium.org>
Date: Thu Jan 10 18:46:30 2019

Apply clampTo<float> in LengthInterpolationFunctions::CreateLength

Right now this function calls PixelsAndPercent passing two double values, where PixelsAndPercent takes two floats as arguments, and that could cause float-cast-overflow. This CL fixes the issue by applying clampTo<float> to the double values before passing them to PixelsAndPercent. A layout test is added to make sure that it doesn't crash.

Bug: 920122
Change-Id: I23f2e96cef9107989f1659ebd4910bd289f012dd
Reviewed-on: https://chromium-review.googlesource.com/c/1405169
Reviewed-by: Stephen McGruer <smcgruer@chromium.org>
Commit-Queue: Xida Chen <xidachen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#621670}

[modify] https://crrev.com/ab7da7de5fe5dac9bab4789955a5fc146f9fa8a1/third_party/blink/renderer/core/animation/length_interpolation_functions.cc
[modify] https://crrev.com/ab7da7de5fe5dac9bab4789955a5fc146f9fa8a1/third_party/blink/web_tests/animations/interpolation/clip-path-interpolation.html
Jan 10
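The commit above describes the defect and the fix: a double produced by interpolation is passed where a float is expected, and when that double lies outside float's representable range the narrowing conversion is undefined behaviour in C++, which UBSan reports as float-cast-overflow. The example below is added for illustration and is not Blink's code: WouldOverflowFloat, ClampToFloat, PixelsAndPercent and CreatePixelsAndPercent are stand-ins written here (ClampToFloat imitates the shape of a clampTo<float>-style helper, and its NaN-to-0 and infinity-saturating behaviour are this example's own assumptions). It shows a check that identifies inputs the unclamped path would mishandle, and the saturating clamp applied before the narrowing conversion.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Returns true when converting `value` to float would leave float's
// representable range.  That conversion is undefined behaviour in C++ and is
// what UBSan reports as "float-cast-overflow".  Infinities are representable
// in float, so they do not overflow; NaN is not a range question and is left
// to the caller.  The check ignores rounding near FLT_MAX, so it is slightly
// conservative at the boundary.
bool WouldOverflowFloat(double value) {
  if (std::isnan(value) || std::isinf(value)) return false;
  return value > static_cast<double>(std::numeric_limits<float>::max()) ||
         value < static_cast<double>(std::numeric_limits<float>::lowest());
}

// Stand-in for a clampTo<float>-style helper (example code, not WTF's
// implementation): saturate the double into float's range, then narrow.
// Infinities saturate to the extremes as well, and NaN maps to 0.0f; both are
// assumptions of this example.
float ClampToFloat(double value) {
  constexpr float kMax = std::numeric_limits<float>::max();
  constexpr float kMin = std::numeric_limits<float>::lowest();
  if (std::isnan(value)) return 0.0f;
  if (value >= static_cast<double>(kMax)) return kMax;
  if (value <= static_cast<double>(kMin)) return kMin;
  return static_cast<float>(value);  // in range, so the narrowing is defined
}

// Constructed analogue of a float-pair type such as Blink's PixelsAndPercent:
// two float fields that callers are tempted to fill straight from double
// arithmetic.
struct PixelsAndPercent {
  float pixels;
  float percent;
};

// The "after" shape of the fix: every double is clamped before it becomes a
// float.  Without the clamp, an interpolated value such as 1e300 would reach
// the undefined double-to-float conversion the bug report describes.
PixelsAndPercent CreatePixelsAndPercent(double pixels, double percent) {
  return PixelsAndPercent{ClampToFloat(pixels), ClampToFloat(percent)};
}

int main() {
  // Constructed sample inputs: an ordinary value, one near the float limit,
  // two far outside it, and an infinity.
  const double inputs[] = {1.5, 1e38, 1e300, -1e300,
                           std::numeric_limits<double>::infinity()};
  for (double v : inputs) {
    std::printf("%-8g overflow=%d clamped=%g\n", v,
                static_cast<int>(WouldOverflowFloat(v)),
                static_cast<double>(ClampToFloat(v)));
  }
  return 0;
}
```

The useful property for a reviewer is that WouldOverflowFloat can be dropped into a debug assertion at any double-to-float boundary, while ClampToFloat is the cheap, branch-only fix that keeps the conversion defined for every input, including the extreme values a fuzzer will eventually produce.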
ClusterFuzz has detected this issue as fixed in range 621648:621678.
Detailed report: https://clusterfuzz.com/testcase?key=6003250566004736
Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: Float-cast-overflow
Crash Address:
Crash State:
blink::LengthInterpolationFunctions::CreateLength
CreateBasicShape
blink::basic_shape_interpolation_functions::CreateBasicShape
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:563900
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=621648:621678
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6003250566004736
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 11
ClusterFuzz testcase 6003250566004736 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 9
Labels: Test-Predator-Auto-Components