Again, that assert is a red herring (assert on exit after crash). The real bug looks to be in ShaderTranslator::Translate().

#0 0x000000462c70 __interceptor_backtrace
#1 0x0000006f0248 base::debug::StackTrace::StackTrace()
#2 0x0000005970a2 logging::LogMessage::~LogMessage()
#3 0x000000dec60f gpu::gles2::VertexArrayManager::~VertexArrayManager()
#4 0x000000a5ae62 gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl()
#5 0x000000a5e228 gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl()
#6 0x00000049af7e gpu::(anonymous namespace)::CommandBufferSetup::~CommandBufferSetup()
#7 0x00000044f284 MSanAtExitWrapper()
#8 0x7efdb69ba1a9 <unknown>
#9 0x7efdb69ba1f5 exit
#10 0x0000004bb035 fuzzer::Fuzzer::CrashCallback()
#11 0x0000004bae59 fuzzer::Fuzzer::StaticCrashSignalCallback()
#12 0x00000044edc9 SignalHandler()
#13 0x7efdb6f69330 <unknown>
#14 0x000000d4d63a std::__1::__hash_table<>::find<>()
#15 0x000000d3a48c gpu::gles2::ShaderTranslator::Translate()
#16 0x000000d266b5 gpu::gles2::Shader::DoCompile()
#17 0x0000009a7253 gpu::gles2::GLES2DecoderImpl::HandleGetShaderInfoLog()
#18 0x000000ab3846 gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<>()
#19 0x000000e1a3d2 gpu::CommandParser::ProcessCommands()
#20 0x0000008c3df2 gpu::CommandExecutor::PutChanged()
#21 0x00000049cfaa gpu::(anonymous namespace)::CommandBufferSetup::PumpCommands()
#22 0x000000497da7 LLVMFuzzerTestOneInput
#23 0x0000004c2fc2 fuzzer::Fuzzer::ExecuteCallback()
#24 0x0000004c0ad5 fuzzer::Fuzzer::RunOne()
#25 0x0000004a0223 fuzzer::RunOneTest()
#26 0x0000004a809e fuzzer::FuzzerDriver()
#27 0x0000004dd551 main
#28 0x7efdb699ff45 __libc_start_main
#29 0x000000429315 <unknown>

Bisected this to https://codereview.chromium.org/2345763003, the angle rev 09cfac6..8b28a8b
This includes 28b6528ca2119d6715bb5e9eafa5a2dc8c968361 "Add a fuzzer for the shader translator"

My suspicion is that there is this define, ANGLE_TRANSLATOR_DISABLE_POOL_ALLOC, which is set inside of angle if libfuzzer is on, but is not pushed to the dependent configs, and so there is a mismatch between headers and library.

Yeah, confirming that locally commenting the  'defines += [ "ANGLE_TRANSLATOR_DISABLE_POOL_ALLOC" ]' line fixes it.

 Issue 648047  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7265052d46cd24c7f9665bd298f8d878ef12274e

commit 7265052d46cd24c7f9665bd298f8d878ef12274e
Author: cwallez <cwallez@chromium.org>
Date: Thu Sep 22 03:52:12 2016

Roll ANGLE 8b28a8b..c287ea6

https://chromium.googlesource.com/angle/angle.git/+log/8b28a8b..c287ea6

BUG= chromium:644033 , chromium:637050 ,648462, chromium:647807 

TBR=geofflang@chromium.org

TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Review-Url: https://codereview.chromium.org/2357933002
Cr-Commit-Position: refs/heads/master@{#420258}

[modify] https://crrev.com/7265052d46cd24c7f9665bd298f8d878ef12274e/DEPS

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

ClusterFuzz has detected this issue as fixed in range 420204:420295.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4751124286668800

Fuzzer: libfuzzer_gpu_fuzzer
Job Type: libfuzzer_chrome_msan
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  vertex_attrib_manager_count_ == 0u in vertex_array_manager.cc
  gpu::gles2::VertexArrayManager::~VertexArrayManager
  gpu::gles2::GLES2DecoderImpl::~GLES2DecoderImpl
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=418965:419032
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_msan&range=420204:420295

Minimized Testcase (0.73 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95L3_AtRMShZxeBMtBMyTrKLgOEvoywZjsq3WEnkfXFcfjPQ-oT4Q8KJ_4mkRufCoK8zS_DqsSc3q6ztH8MYg4vsnKeBvTjFnC4YMNHrrtxSoxhLyjs00k_UVaLiuJJbBIFTmFCoOZKARSXW5ZNKTgtLh3B0g?testcase_id=4751124286668800

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot