Based on Findit results, assigning to tkent@, Would you mind checking the above issue & see if it's related, please re-assign if it is not related to your change.

Suspected CLs	The result is a list of CLs that change the crashed files.

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/8dcbfa5cdab0982e4ebc485a9c8e70e20cef5026
Time: Mon Mar 28 05:03:24 2016
File HTMLSelectElement.cpp is changed in this cl (and is part of stack frame #0, "blink::HTMLSelectElement::optionSelectionStateChanged"; frame #1, "blink::HTMLSelectElement::setOption")
Minimum distance from crash line to modified line: 36. (file: HTMLSelectElement.cpp, crashed on: 929, modified: 893).

Suspected Project: chromium
Suspected Component: Blink>HTML

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3d36d86ae85cb65f5b9e67a492cb5ee48e4ebd3b

commit 3d36d86ae85cb65f5b9e67a492cb5ee48e4ebd3b
Author: tkent <tkent@chromium.org>
Date: Wed Aug 03 05:46:59 2016

Delay DOM mutation events in HTMLSelectElement::setOption().

HTMLSelectElement::add() dispatches a DOM mutation event, and an event handler
can change the OPTION element state.  This CL fixes an assertion failure in
optionSelectionStateChanged() by delaying DOM mutation events by
EventQueueScope.

BUG= 633505 

Review-Url: https://codereview.chromium.org/2208483003
Cr-Commit-Position: refs/heads/master@{#409466}

[add] https://crrev.com/3d36d86ae85cb65f5b9e67a492cb5ee48e4ebd3b/third_party/WebKit/LayoutTests/fast/forms/select/select-add-assertion.html
[modify] https://crrev.com/3d36d86ae85cb65f5b9e67a492cb5ee48e4ebd3b/third_party/WebKit/Source/core/html/HTMLSelectElement.cpp

ClusterFuzz has detected this issue as fixed in range 409458:409520.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4907255420157952

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  option->ownerSelectElement() == this
  blink::HTMLSelectElement::optionSelectionStateChanged
  blink::HTMLSelectElement::setOption
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=383194:384202
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=409458:409520

Minimized Testcase (0.49 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94nm5wuPWi--ZqDbz-3uYizzdxJGUNal2bYe1iy2xZwMcdD13IVIrAMxrcTNP0Jw_2Pqu7poJNkMphazKQuRbFIBpcAbZPtUrI-rNGMKpC4oT_GieOd12Ct9cxsY5HML6dHAghtSI5qbQuakEDIbB3iX2kGtA?testcase_id=4907255420157952

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot