
Issue 643194


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression




id >= firstCSSProperty && id <= lastUnresolvedCSSProperty

Reported by ClusterFuzz (Project Member), Sep 1 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5967172285497344

Fuzzer: attekett_dom_fuzzer
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  id >= firstCSSProperty && id <= lastUnresolvedCSSProperty
  blink::getPropertyName
  blink::V8CSSStyleDeclaration::namedPropertySetterCustom
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=415049:415582

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94w4yl_KEFXXuoe-Qpzv2i6K6G5GR0dMwnHyf83sI7LlLOGpnHJ-r07_JQCsJz2oZqrIiN5ghU2yo_R9ng8Sqq8fpAKY4U2PjkFVZYV8XzHydX8wm3aMvUEVIY70TzjFg1OMqBsSKzw_K7X3nMw1AMUxtt3tA?testcase_id=5967172285497344
   bug 399941 .html
   <script>
   var test6 = document.body.appendChild(document.createElement("param"));
   test6.style['--tab-color'] = '';
   </script>


Issue manually filed by: msrchandra

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Tools>Test>FindIt>NoResult
Labels: -Type-Bug findit-wrong Te-Logged Type-Bug-Regression
Owner: meade@chromium.org
Status: Assigned (was: Untriaged)
Unable to find the suspect using CL and find it.
Using Code Search for the file "V8CSSStyleDeclarationCustom.cpp", assigning it to the concerned owner.

@meade -- Could you please look into the issue; pardon me if it has nothing to do with your changes, and if possible please assign it to the concerned owner.
Thank You.

Comment 2 by meade@chromium.org, Sep 2 2016

Cc: meade@chromium.org
Owner: timloh@chromium.org
Hey Tim, you've been working on custom property stuff recently, any ideas on what could be causing this?

There's a suspicious "// TODO(leviw): This API doesn't support custom properties." here too:
https://cs.chromium.org/chromium/src/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleDeclarationCustom.cpp?q=V8CSSStyleDeclarationCustom&sq=package:chromium&l=220
I probably broke it in https://codereview.chromium.org/2288633002, will have a look shortly.
Issue 642821 has been merged into this issue.

Comment 5 by bugdroid1@chromium.org (Project Member), Sep 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0dcfd301c47f8510004c295f14f348fd601e2c4e

commit 0dcfd301c47f8510004c295f14f348fd601e2c4e
Author: timloh <timloh@chromium.org>
Date: Mon Sep 05 06:06:17 2016

Fix assertion when trying to set custom properties as named properties

This patch fixes a bug where trying to access a custom property as a
named property causes an assertion (e.g. e.style['--foo'] = 'a').
None of the named-property handling code on CSSStyleDeclaration should
support custom properties (we should actually use attributes instead of
named properties, crbug.com/628785, but that's another issue).

The added test already passes in Firefox.

BUG=643194

Review-Url: https://codereview.chromium.org/2308373002
Cr-Commit-Position: refs/heads/master@{#416502}

[add] https://crrev.com/0dcfd301c47f8510004c295f14f348fd601e2c4e/third_party/WebKit/LayoutTests/fast/css/variables/accessing-variable-as-named-property.html
[modify] https://crrev.com/0dcfd301c47f8510004c295f14f348fd601e2c4e/third_party/WebKit/Source/bindings/core/v8/custom/V8CSSStyleDeclarationCustom.cpp
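The commit message above draws one boundary: named-property access on CSSStyleDeclaration (style.color, style['--foo']) handles standard properties only, and custom properties are set and read through setProperty / getPropertyValue. The JavaScript below is an added illustration of that boundary, not Blink's code and not the patch itself; the property table, the id range, and the helper names (cssPropertyID, namedPropertySetter, makeStyleProxy, StyleDeclaration) are assumptions modelled on the identifiers in the crash state. It runs in plain Node.js with no DOM.

```javascript
// Added model, not Blink code. Shows why a custom-property name must never
// reach the standard-property id path: the id lookup asserts on any id
// outside the valid range, exactly as in the crash state of this bug.

// Constructed table of standard properties with contiguous ids, so the
// firstCSSProperty..lastUnresolvedCSSProperty range check can be modelled.
const STANDARD_PROPERTIES = ["color", "background-color", "tab-size"];
const CSSPropertyInvalid = 0;
const firstCSSProperty = 1;
const lastUnresolvedCSSProperty = firstCSSProperty + STANDARD_PROPERTIES.length - 1;

function isCustomPropertyName(name) {
  return typeof name === "string" && name.startsWith("--");
}

// Map a JS-facing name ("backgroundColor" or "background-color") to an id.
// Custom properties deliberately never resolve to a standard-property id.
function cssPropertyID(name) {
  if (isCustomPropertyName(name)) return CSSPropertyInvalid;
  const hyphenated = name.replace(/[A-Z]/g, (c) => "-" + c.toLowerCase());
  const idx = STANDARD_PROPERTIES.indexOf(hyphenated);
  return idx === -1 ? CSSPropertyInvalid : firstCSSProperty + idx;
}

// Counterpart of the asserting lookup in the crash state: an id outside the
// valid range is a programming error, so it fails loudly instead of indexing.
function getPropertyName(id) {
  if (!(id >= firstCSSProperty && id <= lastUnresolvedCSSProperty)) {
    throw new RangeError("id >= firstCSSProperty && id <= lastUnresolvedCSSProperty");
  }
  return STANDARD_PROPERTIES[id - firstCSSProperty];
}

// Minimal stand-in for CSSStyleDeclaration: setProperty/getPropertyValue
// accept any property name, custom ones included.
class StyleDeclaration {
  constructor() { this.declared = new Map(); }
  setProperty(name, value) { this.declared.set(name, String(value)); }
  getPropertyValue(name) { return this.declared.get(name) ?? ""; }
}

// Named-property setter as the fix leaves it: true when it handled a standard
// property, false so the engine falls back to an ordinary JS property. Only a
// validated id ever reaches getPropertyName, so the assertion cannot fire.
function namedPropertySetter(style, name, value) {
  const id = cssPropertyID(name);
  if (id === CSSPropertyInvalid) return false;
  style.setProperty(getPropertyName(id), value);
  return true;
}

// Wire the setter into property assignment (style.color = "red").
function makeStyleProxy(style) {
  return new Proxy(style, {
    set(target, prop, value) {
      if (namedPropertySetter(target, prop, value)) return true;
      target[prop] = value; // fall-through: plain expando, not a CSS declaration
      return true;
    },
  });
}

// Walk-through mirroring the minimized testcase: assigning style["--tab-color"]
// stays off the standard-property path; setProperty is the supported API.
function demo() {
  const style = makeStyleProxy(new StyleDeclaration());
  style["--tab-color"] = "";                               // expando only, nothing declared
  const afterNamed = style.getPropertyValue("--tab-color"); // ""
  style.setProperty("--tab-color", "blue");                // custom property, supported path
  style.backgroundColor = "red";                           // standard property, named path
  return {
    afterNamed,
    custom: style.getPropertyValue("--tab-color"),
    background: style.getPropertyValue("background-color"),
  };
}
```

The check that matters is the early return in namedPropertySetter: a custom-property name yields CSSPropertyInvalid and is handed back to the engine, so no code path can call getPropertyName with an id the range check rejects.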


Comment 6 by sheriffbot@chromium.org (Project Member), Sep 5 2016

Labels: reward-topanel
The older reward-topanel issue 642821 has been merged into this one. Please manually review this issue to see if the duplicate is potentially eligible for a reward.


Cc: mummare...@chromium.org timloh@chromium.org
Issue 643829 has been merged into this issue.

Comment 8 by ClusterFuzz (Project Member), Sep 6 2016

ClusterFuzz has detected this issue as fixed in range 416466:416526.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5967172285497344

Fuzzer: attekett_dom_fuzzer
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: ASSERT
Crash Address: 
Crash State:
  id >= firstCSSProperty && id <= lastUnresolvedCSSProperty
  blink::getPropertyName
  blink::V8CSSStyleDeclaration::namedPropertySetterCustom
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=415049:415582
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=416466:416526

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94w4yl_KEFXXuoe-Qpzv2i6K6G5GR0dMwnHyf83sI7LlLOGpnHJ-r07_JQCsJz2oZqrIiN5ghU2yo_R9ng8Sqq8fpAKY4U2PjkFVZYV8XzHydX8wm3aMvUEVIY70TzjFg1OMqBsSKzw_K7X3nMw1AMUxtt3tA?testcase_id=5967172285497344
   bug 399941 .html
   <script>
   var test6 = document.body.appendChild(document.createElement("param"));
   test6.style['--tab-color'] = '';
   </script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Issue 644149 has been merged into this issue.
Issue 643186 has been merged into this issue.
Components: -Tools>Test>FindIt>NoResult
Labels: -reward-topanel

Comment 14 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
