Assigning to the concern owner from find it, below is the find it results,
Suspected CLs	The result is a list of CLs that change the crashed files.

Author: wangxianzhu
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7f71e43d525bcefd923a13c3460938be962f8ba4
Time: Mon Mar 28 21:17:11 2016
Files LayoutObject.cpp, LayoutSVGModelObject.cpp are changed in this cl (and is part of stack frame #0, "blink::LayoutObject::willBeDestroyed"; frame #2, "blink::LayoutObject::destroy"; frame #3, "blink::LayoutObject::destroyAndCleanupAnonymousWrappers")
Minimum distance from crash line to modified line: 3. (file: LayoutSVGModelObject.cpp, crashed on: 85, modified: 82).

Author: wangxianzhu
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/934f67a68da2054e526e13648c5452e2cf79c211
Time: Sat Mar 26 01:09:36 2016
Files LayoutObject.cpp, LayoutSVGModelObject.cpp are changed in this cl (and is part of stack frame #0, "blink::LayoutObject::willBeDestroyed"; frame #2, "blink::LayoutObject::destroy"; frame #3, "blink::LayoutObject::destroyAndCleanupAnonymousWrappers")
Minimum distance from crash line to modified line: 25. (file: LayoutSVGModelObject.cpp, crashed on: 85, modified: 60).

Suspected Component: chromium
Suspected Cr- Label: Cr-Blink-Layout

@wangxianzhu -- Could you please look into the issue. Pardon me if it has nothing to do with your changes and if possible please assign it to the concern Dev.
Thank You.

This seems that  bug 579000  occurs again. It seems that some image is null when this object is calling image->removeClient(this).

The crash stack appears to be related to SVGImage destruction.

hiroshige@, is there any chance this is related to your recent refactorings?

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5567138399518720

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::LayoutObject::willBeDestroyed
  blink::LayoutSVGModelObject::willBeDestroyed
  blink::LayoutObject::destroy
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=383194:384380

Minimized Testcase (2.14 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94maS6rmj1aEHBLovd1702aPXokB_c5uztpDqEKbEuyQrE5NHbaGL80-gGuHYm7FC2WtNxgPJ1Y_pEnpnFTroJTUsQsAOgMVXxFoQwchgYSp1i_OvBFYiWfi23KGSOBC2rbOQ_4s2y4MoZ-Sx1-Xk4wgAaN_A

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot