isObjectBoundingBoxValid()
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6578665416818688
Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux
Crash Type: ASSERT
Crash Address:
Crash State:
  isObjectBoundingBoxValid()
  blink::LayoutSVGContainer::nodeAtFloatPoint
  blink::LayoutSVGRoot::nodeAtPoint
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=268656:269696

Minimized Testcase (0.45 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95TqUbGwfgewpnXGpmdFd9xnlu08ko2nluPFCAp367v58aqRygjrLawzYBj95hShYmH_ii62tPCPnbEMNbb8OhY_LimCYcwoWxQgrhR1DY3nJwEIc02w9Guv1an0JfmKdEp_-nf8OTD4lC3lqSBmSgyH90How?testcase_id=6578665416818688

<style>#svgRoot { pointer-events: bounding-box </style>
<svg id=svgRoot>
<g>
<script>
var text2 = document.getElementById("text2");
var pointsInsideBBoxOfCircle1 = [ ];
var pointsOnText2 = [ {x: 178, y: 146} ];
pointsOnText2.forEach( function(point) {
  text2 == document.elementFromPoint(point.x, point.y);
});
</script>

Filer: mummareddy
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 18 2016
That CL is "Rename enums/functions that collide in chromium style in core/layout/." Renaming won't be causing this. Maybe send this to the layout owners if there's nothing more obvious?
Jul 19 2016

Aug 3 2016

Aug 8 2016

Aug 10 2016

Aug 10 2016
This is just an overzealous assert when hit testing an empty container.
Aug 12 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0bb88dbb01568d8f386365abac2bfd148bb9b2b6

commit 0bb88dbb01568d8f386365abac2bfd148bb9b2b6
Author: pdr <pdr@chromium.org>
Date: Fri Aug 12 03:17:18 2016

Skip hit testing containers with invalid bounding boxes

When an SVG container has no children, its bounding box is considered invalid. We had an assert that would fire when hit testing invalid containers, but this assert should just be an if statement because it is okay to hit test empty containers.

BUG=629274
Review-Url: https://codereview.chromium.org/2234173002
Cr-Commit-Position: refs/heads/master@{#411536}

[add] https://crrev.com/0bb88dbb01568d8f386365abac2bfd148bb9b2b6/third_party/WebKit/LayoutTests/svg/hittest/empty-container.html
[modify] https://crrev.com/0bb88dbb01568d8f386365abac2bfd148bb9b2b6/third_party/WebKit/Source/core/layout/svg/LayoutSVGContainer.cpp
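The "overzealous assert" in the Aug 10 comment and the assert-to-if change described in the commit message above, modeled as an added C++ example. This is not Blink code: the types Point, Rect, Leaf and Container, the helper hitInsideBoundingBox and the two nodeAtPoint functions are assumptions that stand in for LayoutSVGContainer::nodeAtFloatPoint and isObjectBoundingBoxValid(), and assert() stands in for a debug-build DCHECK. The model keeps only what the bug needs: a container's bounding box is the union of its children's boxes, and an empty container has no box at all.

```cpp
#include <algorithm>
#include <cassert>
#include <optional>
#include <vector>

struct Point {
  double x;
  double y;
};

struct Rect {
  double x, y, w, h;

  bool contains(Point p) const {
    return p.x >= x && p.x <= x + w && p.y >= y && p.y <= y + h;
  }

  // Smallest rectangle enclosing both this and o.
  Rect unite(const Rect& o) const {
    double left = std::min(x, o.x);
    double top = std::min(y, o.y);
    double right = std::max(x + w, o.x + o.w);
    double bottom = std::max(y + h, o.y + o.h);
    return Rect{left, top, right - left, bottom - top};
  }
};

// A leaf child with its own bounding box (stands in for a circle, text, etc.).
struct Leaf {
  Rect bbox;
};

// Stand-in for LayoutSVGContainer (assumption: only the parts this bug needs).
// The object bounding box is the union of the children's boxes; with no
// children there is nothing to union, which is the "invalid" state the
// crashing assert checked for.
struct Container {
  std::vector<Leaf> children;

  std::optional<Rect> objectBoundingBox() const {
    std::optional<Rect> box;
    for (const Leaf& c : children)
      box = box ? box->unite(c.bbox) : c.bbox;
    return box;
  }

  bool isObjectBoundingBoxValid() const {
    return objectBoundingBox().has_value();
  }
};

// pointer-events: bounding-box as the testcase uses it: any point inside the
// container's bounding box is a hit (assumption: fill, stroke and transforms
// are ignored in this model). Callers must have checked validity first.
static bool hitInsideBoundingBox(const Container& c, Point p) {
  return c.objectBoundingBox()->contains(p);
}

// Before the fix: the precondition was asserted. The fuzzer's page reaches
// this with an empty <g>, so every debug build aborted on content any site
// can serve; in a release build the assert compiles out and the unchecked
// dereference below runs instead.
bool nodeAtPointBeforeFix(const Container& c, Point p) {
  assert(c.isObjectBoundingBoxValid() && "hit testing an empty container");
  return hitInsideBoundingBox(c, p);
}

// After the fix (the shape of the change in the commit above): an invalid,
// i.e. empty, bounding box contains nothing, so report no hit and carry on.
bool nodeAtPointAfterFix(const Container& c, Point p) {
  if (!c.isObjectBoundingBoxValid())
    return false;
  return hitInsideBoundingBox(c, p);
}

// Constructed sample: two leaves whose union box spans (10,10) to (60,60).
Container sampleContainer() {
  return Container{{Leaf{Rect{10, 10, 20, 20}}, Leaf{Rect{50, 50, 10, 10}}}};
}

int main() {
  Container empty;
  bool emptyHit = nodeAtPointAfterFix(empty, Point{178, 146});            // false, no abort
  bool gapHit = nodeAtPointAfterFix(sampleContainer(), Point{40, 40});     // true, inside the union box
  bool outsideHit = nodeAtPointAfterFix(sampleContainer(), Point{100, 100}); // false
  return (!emptyHit && gapHit && !outsideHit) ? 0 : 1;
}
```

The point of the before/after pair is the one the commit makes: an assertion encodes a belief about what callers will never do, and hit testing is driven by web content, so "never" is not something the code can promise. Once the empty container is accepted as ordinary input, the validity check becomes a normal early return and the same function handles both the fuzzer's page and a populated container.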
Aug 12 2016
No need to merge this patch.
Aug 13 2016
ClusterFuzz has detected this issue as fixed in range 411529:411868.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6578665416818688
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=411529:411868
(Fuzzer, job type, crash state, regression range and minimized testcase are the same as in the issue description above.)

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Jul 18 2016
Owner: danakj@chromium.org
Status: Assigned (was: Available)