
Issue 652589 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression




Integer-overflow in blink::ObjectPainter::drawRidgeOrGrooveBoxSide

Project Member Reported by ClusterFuzz, Oct 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6408289074282496

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::ObjectPainter::drawRidgeOrGrooveBoxSide
  blink::ObjectPainter::drawLineForBoxSide
  blink::ObjectPainter::paintOutline
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027

Minimized Testcase (1.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95tMknXvxumLBieQf7vHskgEZ5_ghNhKt2wqRUPFJmXbP3IWh9zG-OKrkPMP-PCPz0YsHzkuz8l3b_2e1EObzHZYbdyOlq6b0uw_sktKUvzrpN3fO-aA1Lh19LksvqHfu5CYQCI8WWHyUmctAp0Sz37ThBImQ?testcase_id=6408289074282496

Additional requirements: Requires HTTP

Issue manually filed by: ranjitkan

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: ranjitkan@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: -Pri-1 -Type-Bug findit-wrong M-55 Te-Logged Pri-2 Type-Bug-Regression
Owner: kojii@chromium.org
Status: Assigned (was: Untriaged)
Cluster Fuzz points to the below change:

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 592 of file ObjectPainter.cpp, which is stack frame 0.

Not finding an appropriate change which could have resulted in this crash. Using code search, suspecting the below change could be the possible culprit.

Change URL: https://chromium.googlesource.com/chromium/src/+/5c70b66b1b9b5488460c8c048ff7c32542d4c36f

Review URL: https://codereview.chromium.org/1481483002

@kojii: Assigning to you, request you to please take a look into it. Please help us to reassign it to the right owner if it is not with respect to your change.

Thanks!

Comment 2 by kojii@chromium.org, Oct 5 2016

Components: Blink>Paint
Owner: ----
Status: Untriaged (was: Assigned)
Looks like paint; stack #0 (before reformat) is a move from RenderObject:
https://codereview.chromium.org/591613003

Marking untriaged for paint team to look at.
Cc: pdr@chromium.org wkorman@chromium.org
Status: Available (was: Untriaged)
This might be a real issue.
Cc: -wkorman@chromium.org
Owner: wkorman@chromium.org
Status: Assigned (was: Available)
Comment 5 by bugdroid1@chromium.org (Project Member), Oct 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c38aced892d8066f08f3babe797d0daca9f66611

commit c38aced892d8066f08f3babe797d0daca9f66611
Author: wkorman <wkorman@chromium.org>
Date: Sat Oct 08 01:59:13 2016

Fix integer overflow in ObjectPainter and divide by zero in Color.

BUG= 652589 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2404583002
Cr-Commit-Position: refs/heads/master@{#424041}

[modify] https://crrev.com/c38aced892d8066f08f3babe797d0daca9f66611/third_party/WebKit/Source/core/paint/ObjectPainter.cpp
[modify] https://crrev.com/c38aced892d8066f08f3babe797d0daca9f66611/third_party/WebKit/Source/platform/graphics/Color.cpp

Status: Fixed (was: Assigned)
Comment 7 by ClusterFuzz (Project Member), Oct 9 2016

ClusterFuzz has detected this issue as fixed in range 424037:424060.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6408289074282496

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::ObjectPainter::drawRidgeOrGrooveBoxSide
  blink::ObjectPainter::drawLineForBoxSide
  blink::ObjectPainter::paintOutline
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=370022:370027
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=424037:424060

Minimized Testcase (1.22 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95tMknXvxumLBieQf7vHskgEZ5_ghNhKt2wqRUPFJmXbP3IWh9zG-OKrkPMP-PCPz0YsHzkuz8l3b_2e1EObzHZYbdyOlq6b0uw_sktKUvzrpN3fO-aA1Lh19LksvqHfu5CYQCI8WWHyUmctAp0Sz37ThBImQ?testcase_id=6408289074282496

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by bugdroid1@chromium.org (Project Member), Oct 12 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f29fc457dc4b6663998a40958f782bfbb89d6dc0

commit f29fc457dc4b6663998a40958f782bfbb89d6dc0
Author: wkorman <wkorman@chromium.org>
Date: Wed Oct 12 00:51:45 2016

Revert int overflow changes to ObjectPainter.

Partial revert of http://crrev.com/2404583002 (keeping the divide-by-zero change
in Color). We don't consider these int overflow safeguards to be necessary in
this part of the code, per offline discussion with ubsan fuzzer folk and an
appropriate selection of Blink eng with fuzzing historical background.

BUG= 652589 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2408373002
Cr-Commit-Position: refs/heads/master@{#424620}

[modify] https://crrev.com/f29fc457dc4b6663998a40958f782bfbb89d6dc0/third_party/WebKit/Source/core/paint/ObjectPainter.cpp

Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Comment 10 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
