
Issue 663335 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Regression




Crash in views::InkDropRipple::HideImmediately

Project Member Reported by ClusterFuzz, Nov 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4723602365874176

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  views::InkDropRipple::HideImmediately
  views::InkDropImpl::HideHighlightOnRippleHiddenState::AnimationStarted
  views::InkDropImpl::AnimationStarted
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=430398:430495

Minimized Testcase (0.05 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97NBWHYHfpbP-bu40K_iuY4quAMef1VVVbrW6DLNo-mO42UhUigc3NBU3vk2O9htsjfuveFhq3GtG8kIUBY83_CN90-q89Stts6ySdUBvyv0nzz3ePO4rb5BE_67WbyFngQ7vEngJJsJS9E2ICh8XF2RWaKsA?testcase_id=4723602365874176
<script>
document.designMode = 'on';
; ;</script>


Additional requirements: Requires Gestures

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Labels: -Type-Bug Test-Predator-Correct-CLs Type-Bug-Regression
Owner: bruthig@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the owner from Findit; below are the results --
Suspected CLs: The result is a list of CLs that change the crashed files.

Author: bruthig
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/ca8b19cd01cfb691bfa31e4605f4204dd8da8aab
Time: Tue Nov 08 02:53:55 2016
Lines 319-356 and 696-702 of file ink_drop_impl.cc, which potentially caused the crash, are changed in this CL (frame #1, "views::InkDropImpl::HideHighlightOnRippleHiddenState::AnimationStarted"; frame #2, "AnimationStarted"; frame #3, "non-virtual thunk to views::InkDropImpl::AnimationStarted").
Minimum distance from crash line to modified line: 0. (file: ink_drop_impl.cc, crashed on: 696, modified: 696).

Suspected Project: chromium
Suspected Component: Internals>Views

@bruthig -- Could you please look into the issue? Kindly reassign if the issue is not related to your change.
Thank you.
Components: Internals>Views
Status: Started (was: Assigned)
This is probably caused by my change, I will look.
Cc: ajuma@chromium.org
It isn't exactly clear how this issue will manifest itself, but it requires the following things to be true:
- the button has to be using an ink drop
- the button has to have keyboard focus
- a DEACTIVATED ink drop animation has to be triggered.

The underlying problem is that all animations are being aborted on a LayerAnimator which causes an AnimationStarted() handler to attempt to kick off another animation on an already destroyed InkDropRipple instance.

ajuma@, perhaps we can sync up offline about this, but as a client of the LayerAnimator API I am somewhat surprised that calling LayerAnimator::AbortAllAnimations() could possibly cause an AnimationStarted() event. Is it intentional/desired that all sequences notify of a Started event before an Ended/Aborted event?
Project Member

Comment 6 by bugdroid1@chromium.org, Nov 8 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/71e742597731adbca120dd6961dc8c5fe66bc1f0

commit 71e742597731adbca120dd6961dc8c5fe66bc1f0
Author: bruthig <bruthig@chromium.org>
Date: Tue Nov 08 19:07:24 2016

[ash-md] Fixed crash when DEACTIVATING a focused ink drop button.

Fixing regression caused by https://codereview.chromium.org/2447523002.

The issue is InkDropImpl::HideHighlightOnRippleHiddenState::AnimationStarted()
is trying to kick off an animation on an InkDropRipple instance that is already
being destroyed. This is due to a
LayerAnimationObserver::OnLayerAnimationStarted() event being raised within a
LayerAnimator::AbortAllAnimations() call. This change is a short term fix to
prevent crashes. We will need to investigate how/if the animation framework
should be supporting such a use case.

TEST=InkDropImplHideAutoHighlightTest.NoCrashDuringRippleTearDown
BUG= 663335 

Review-Url: https://codereview.chromium.org/2487723003
Cr-Commit-Position: refs/heads/master@{#430677}

[modify] https://crrev.com/71e742597731adbca120dd6961dc8c5fe66bc1f0/ui/views/animation/ink_drop_impl.cc
[modify] https://crrev.com/71e742597731adbca120dd6961dc8c5fe66bc1f0/ui/views/animation/ink_drop_impl_unittest.cc
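A constructed C++ model of the re-entrancy described in comment 5 and in the commit message above, added here as an illustration; it is not Chromium's code, the class names only mirror the crash stack, and the `destroying_ripple` flag is an assumed guard rather than the exact fix in the CL. It shows how aborting a ripple's queued animations during its own tear-down re-enters AnimationStarted() after the ripple is already gone, and how a narrow guard stops the handler from touching it.

```cpp
#include <functional>
#include <memory>

// Constructed model of the lifecycle bug in this issue (not Chromium's real
// classes); names mirror the crash stack so the flow is easy to follow.
struct LayerAnimator {
  std::function<void()> on_started;  // OnLayerAnimationStarted observer
  int queued_sequences = 0;
  // The behaviour bruthig describes: aborting raises a Started notification
  // for every queued sequence (before the Aborted one, omitted here).
  void AbortAllAnimations() {
    for (; queued_sequences > 0; --queued_sequences) on_started();
  }
};

struct InkDropRipple {
  LayerAnimator* animator;
  explicit InkDropRipple(LayerAnimator* a) : animator(a) {}
  void HideImmediately() {}
  // Tear-down aborts pending animations and so re-enters the observer.
  ~InkDropRipple() { animator->AbortAllAnimations(); }
};

struct InkDropImpl {
  LayerAnimator animator;
  std::unique_ptr<InkDropRipple> ripple;
  bool guarded;                    // false = regressed code, true = guarded
  bool destroying_ripple = false;  // assumed guard, not the CL's exact fix
  int would_have_crashed = 0;      // stands in for the UNKNOWN READ at 0x0
  explicit InkDropImpl(bool g) : guarded(g) { animator.on_started = [this] { AnimationStarted(); }; }
  void AnimationStarted() {
    if (guarded && destroying_ripple) return;  // ignore re-entrant Started
    // unique_ptr::reset() nulls the stored pointer before the deleter runs,
    // so in this model the unguarded handler reaches a null ripple here.
    if (!ripple) { ++would_have_crashed; return; }
    ripple->HideImmediately();
  }
};

// DEACTIVATED on a focused button: queue one sequence, then tear the ripple
// down and count how often the Started handler hit the destroyed ripple.
int CrashesFor(bool guarded) {
  InkDropImpl drop(guarded);
  drop.ripple = std::make_unique<InkDropRipple>(&drop.animator);
  drop.animator.queued_sequences = 1;
  drop.destroying_ripple = true;
  drop.ripple.reset();  // ~InkDropRipple -> AbortAllAnimations -> Started
  drop.destroying_ripple = false;
  return drop.would_have_crashed;
}
```

The guard is deliberately scoped to the tear-down window, so a Started notification delivered at any other time still reaches the ripple as before.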

Cc: bruthig@chromium.org
Issue 663364 has been merged into this issue.
Status: Fixed (was: Started)
Marking as fixed and spinning off issue 663579 to track follow up effort.
Project Member

Comment 9 by ClusterFuzz, Nov 9 2016

ClusterFuzz has detected this issue as fixed in range 430672:430792.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4723602365874176

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  views::InkDropRipple::HideImmediately
  views::InkDropImpl::HideHighlightOnRippleHiddenState::AnimationStarted
  views::InkDropImpl::AnimationStarted
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=430398:430495
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=430672:430792

Minimized Testcase (0.05 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97NBWHYHfpbP-bu40K_iuY4quAMef1VVVbrW6DLNo-mO42UhUigc3NBU3vk2O9htsjfuveFhq3GtG8kIUBY83_CN90-q89Stts6ySdUBvyv0nzz3ePO4rb5BE_67WbyFngQ7vEngJJsJS9E2ICh8XF2RWaKsA?testcase_id=4723602365874176
<script>
document.designMode = 'on';
; ;</script>


Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
