Reproduced with:

$ gn gen //out/gn-vptr '--args=is_ubsan_vptr=true is_ubsan_no_recover=true is_debug=false is_component_build=false symbol_level=1 dcheck_always_on=true' --check
$ ninja -C out/gn-vptr extensions_unittests
$ ./out/gn-vptr/extensions_unittests --gtest_filter=CastSocketTest.TestConnectEndToEndWithRealTransportAsync

../../extensions/browser/api/cast_channel/cast_socket.cc:135:34: runtime error: member call on address 0x0ee75931bd40 which does not point to an object of type 'net::NetLog'
0x0ee75931bd40: note: object has invalid vptr
 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              invalid vptr
    #0 0x84dd657 in extensions::api::cast_channel::CastSocketImpl::CastSocketImpl(std::string const&, net::IPEndPoint const&, extensions::api::cast_channel::ChannelAuthType, net::NetLog*, base::TimeDelta const&
, bool, scoped_refptr<extensions::api::cast_channel::Logger> const&, unsigned long) out/gn-vptr/../../extensions/browser/api/cast_channel/cast_socket.cc:135:34
    #1 0x5ce83c in extensions::api::cast_channel::TestCastSocket::TestCastSocket(net::IPEndPoint const&, extensions::api::cast_channel::ChannelAuthType, long, extensions::api::cast_channel::Logger*, unsigned lo
ng) out/gn-vptr/../../extensions/browser/api/cast_channel/cast_socket_unittest.cc:193:9
    #2 0x5a4136 in CreateSecure out/gn-vptr/../../extensions/browser/api/cast_channel/cast_socket_unittest.cc:183:48
    #3 0x5a4136 in extensions::api::cast_channel::CastSocketTest::CreateCastSocketSecure() out/gn-vptr/../../extensions/browser/api/cast_channel/cast_socket_unittest.cc:360
    #4 0x5b42b4 in extensions::api::cast_channel::CastSocketTest_TestConnectEndToEndWithRealTransportAsync_Test::TestBody() out/gn-vptr/../../extensions/browser/api/cast_channel/cast_socket_unittest.cc:791:3
    #5 0x8892de6 in testing::Test::Run() out/gn-vptr/../../testing/gtest/src/gtest.cc:2474:5
    #6 0x88941bd in testing::TestInfo::Run() out/gn-vptr/../../testing/gtest/src/gtest.cc:2656:11
    #7 0x8895101 in testing::TestCase::Run() out/gn-vptr/../../testing/gtest/src/gtest.cc:2774:28
    #8 0x88a2207 in testing::internal::UnitTestImpl::RunAllTests() out/gn-vptr/../../testing/gtest/src/gtest.cc:4647:43
    #9 0x88a15d8 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*)
 out/gn-vptr/../../testing/gtest/src/gtest.cc:2458:12
    #10 0x88a13cc in testing::UnitTest::Run() out/gn-vptr/../../testing/gtest/src/gtest.cc:4255:10
    #11 0xa3deef in RUN_ALL_TESTS out/gn-vptr/../../testing/gtest/include/gtest/gtest.h:2237:46
    #12 0xa3deef in base::TestSuite::Run() out/gn-vptr/../../base/test/test_suite.cc:230
    #13 0xa4f594 in Run out/gn-vptr/../../base/callback.h:397:12
    #14 0xa4f594 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1> const&)
out/gn-vptr/../../base/test/launcher/unit_test_launcher.cc:206
    #15 0xa4f448 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1> const&) out/gn-vptr/../../base/test/launcher/unit_test_launcher.cc:445:10
    #16 0x9f848d in main out/gn-vptr/../../extensions/test/extensions_unittests_main.cc:122:10
    #17 0x7f021cd4df44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #18 0x53eb2c in _start (/usr/local/google/home/krasin/chr25/src/out/gn-vptr/extensions_unittests+0x53eb2c)

This also happens in a number of other test cases, so it is rather related to the test setup / teardown rather then its contents.

Okay, this one is easy:
https://cs.chromium.org/chromium/src/extensions/browser/api/cast_channel/cast_socket_unittest.cc?cl=GROK&gsn=Logger&q=extensions/browser/api/cast_channel/cast_socket_unittest.cc:193&sq=package:chromium&rcl=1464952570&l=196

explicit TestCastSocket(const net::IPEndPoint& ip_endpoint,
                        ChannelAuthType channel_auth,
                        int64_t timeout_ms,
                        Logger* logger,
                        uint64_t device_capabilities)
    : CastSocketImpl("some_extension_id",
                     ip_endpoint,
                     channel_auth,
                     &capturing_net_log_,
                     base::TimeDelta::FromMilliseconds(timeout_ms),
                     false,
                     logger,
                     device_capabilities),

capturing_net_log is not yet created, but already passed into CastSocketImpl constructor and used there.
The fix is https://codereview.chromium.org/2042493002

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ce674bd826bdfc05b1b091ab062c386d56018d76

commit ce674bd826bdfc05b1b091ab062c386d56018d76
Author: krasin <krasin@google.com>
Date: Fri Jun 03 23:52:23 2016

Fix use-before-new issue in TestCastSocket.

A reference to capturing_net_log_ was passed into the base class constructor
and used before it was fully initialized. For the derived class the initialization
of the members happens stronly after the base constructors completed.

This fixes a bug found by UBSan Vptr.

BUG= 617206 

Review-Url: https://codereview.chromium.org/2042493002
Cr-Commit-Position: refs/heads/master@{#397846}

[modify] https://crrev.com/ce674bd826bdfc05b1b091ab062c386d56018d76/extensions/browser/api/cast_channel/cast_socket_unittest.cc