Issue metadata
Crash in blink::ThreadState::getPersistentRegion
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417573642240000

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::ThreadState::getPersistentRegion
  blink::PersistentBase<blink::Geolocation, base::internal::Invoker<base::internal::BindState<void

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=403412:403423

Minimized Testcase (6.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97L3fGlg3yllUeWMaJ_aZhfYV3ghGw4foNDNGacJWfmA98jKzfbQ8iyB7loZzRcWvu7IDbWwdkYapfgEySpqGr_yfp6jai9LlTiWruUBd7SNiPL22CqW9SVTNuoXsLRspSVkS2ZYlCPf4wNm1ug5W2CaGiZ0g?testcase_id=6417573642240000

Additional requirements: Requires Gestures

Filer: rnimmagadda

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 14 2016
It is not too interesting to look for suspects at the top of the stack for these kinds of bugs. Re-assigning to tzik@ -- a (too) late shutdown of a geolocation callback object. A latent problem perhaps, but its intro is related to https://codereview.chromium.org/2091713002
Jul 14 2016
Jul 14 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/33871d83b7ee98a1aa5692f8f835d44b7da65ef5

commit 33871d83b7ee98a1aa5692f8f835d44b7da65ef5
Author: tzik <tzik@chromium.org>
Date: Thu Jul 14 12:12:06 2016

Pass weak pointer by ref in Bind implementation

Weak pointer in Bind impl is historically passed by value; however, when a blink::WeakPersistent is passed as a receiver of a method after blink::ThreadState is destroyed, it can no longer be copied and causes a crash.

BUG=627820
Review-Url: https://codereview.chromium.org/2145383002
Cr-Commit-Position: refs/heads/master@{#405475}

[modify] https://crrev.com/33871d83b7ee98a1aa5692f8f835d44b7da65ef5/base/bind_internal.h
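To make the lifetime problem in the commit message concrete, here is an added C++ model written for this page; it is not Chromium code. `ThreadState`, `WeakPersistent` and `Geolocation` are hypothetical stand-ins shaped after the Blink types named in the crash state: copying a `WeakPersistent` must register a node in the current thread's persistent region, and `ThreadState::current()` is null once the thread has shut down. Real Blink dereferences that null pointer (the UNKNOWN READ at 0x10 in the report); the model throws instead so the outcome can be observed. `invokeByValue` and `invokeByRef` are simplified versions of the Bind invoker before and after the change to base/bind_internal.h.

```cpp
// Added model of crbug 627820 (not Chromium's code): why copying a
// WeakPersistent after ThreadState teardown fails, and why passing the bound
// receiver by reference avoids the copy.
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for blink::ThreadState: a per-thread singleton that
// owns the persistent-node registry. current() is null after shutdown.
struct ThreadState {
  std::vector<void*> persistentRegion;  // model of getPersistentRegion()
  static ThreadState*& current() { static ThreadState* s = nullptr; return s; }
  static void attach(ThreadState* ts) { current() = ts; }
  static void detach() { current() = nullptr; }
};

// Hypothetical receiver object, standing in for blink::Geolocation.
struct Geolocation {
  int lastPosition = 0;
  void update(int p) { lastPosition = p; }
};

// Hypothetical stand-in for blink::WeakPersistent<T>: every construction and
// copy registers a node in the current ThreadState's persistent region.
// Blink dereferences the ThreadState unconditionally; we throw instead.
template <typename T>
class WeakPersistent {
 public:
  explicit WeakPersistent(T* raw) : raw_(raw) { registerNode(); }
  WeakPersistent(const WeakPersistent& other) : raw_(other.raw_) { registerNode(); }
  T* get() const { return raw_; }

 private:
  void registerNode() {
    ThreadState* ts = ThreadState::current();
    if (!ts) throw std::runtime_error("ThreadState destroyed: cannot copy WeakPersistent");
    ts->persistentRegion.push_back(this);
  }
  T* raw_;
};

// Pre-fix invoker: the receiver is taken by value, so every invocation copies
// the WeakPersistent, which needs a live ThreadState.
template <typename T, typename Method, typename... Args>
void invokeByValue(WeakPersistent<T> receiver, Method m, Args... args) {
  if (T* obj = receiver.get()) (obj->*m)(args...);
}

// Post-fix invoker: the receiver is passed by const reference; no copy, so no
// ThreadState access is needed just to deliver the callback.
template <typename T, typename Method, typename... Args>
void invokeByRef(const WeakPersistent<T>& receiver, Method m, Args... args) {
  if (T* obj = receiver.get()) (obj->*m)(args...);
}

// Reproduces the late-shutdown ordering from the bug: the callback's weak
// receiver is created while the thread is alive, ThreadState is torn down,
// and only then is the bound callback run. Returns "ok" or the failure text.
std::string runAfterShutdown(bool passByValue) {
  Geolocation geo;
  ThreadState state;
  ThreadState::attach(&state);
  WeakPersistent<Geolocation> weak(&geo);  // registered while the thread is alive
  ThreadState::detach();                   // (too) late shutdown: state is gone
  try {
    if (passByValue)
      invokeByValue(weak, &Geolocation::update, 42);  // copies weak -> fails
    else
      invokeByRef(weak, &Geolocation::update, 42);    // no copy -> delivers
  } catch (const std::exception& e) {
    return e.what();
  }
  return geo.lastPosition == 42 ? "ok" : "callback not delivered";
}
```

The copy in the by-value path happens at the call site, before the invoker body runs, which is why the crashing frame in the report is the `PersistentBase` copy constructor calling `ThreadState::getPersistentRegion` rather than anything in the Geolocation code itself. Passing by reference removes that copy but does not change when the callback object is destroyed; the commenter's point that the late shutdown is a latent problem still stands.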
Jul 14 2016
ClusterFuzz has detected this issue as fixed in range 405467:405481.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6417573642240000

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_media
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::ThreadState::getPersistentRegion
  blink::PersistentBase<blink::Geolocation, base::internal::Invoker<base::internal::BindState<void

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=403412:403423
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_media&range=405467:405481

Minimized Testcase (6.00 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97L3fGlg3yllUeWMaJ_aZhfYV3ghGw4foNDNGacJWfmA98jKzfbQ8iyB7loZzRcWvu7IDbWwdkYapfgEySpqGr_yfp6jai9LlTiWruUBd7SNiPL22CqW9SVTNuoXsLRspSVkS2ZYlCPf4wNm1ug5W2CaGiZ0g?testcase_id=6417573642240000

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 14 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 22 2017
Sep 22 2017
Comment 1 by rnimmagadda@chromium.org, Jul 13 2016
Components: Blink>Location
Labels: -Type-Bug M-54 findit-for-crash Te-Logged Type-Bug-Regression
Owner: sigbjo...@opera.com
Status: Assigned (was: Available)