!element || (element->isClearButtonElement()) in ClearButtonElement.h |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588823921917952

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !element || (element->isClearButtonElement()) in ClearButtonElement.h
  blink::MultipleFieldsTemporalInputTypeView::clearButtonElement
  blink::MultipleFieldsTemporalInputTypeView::updateClearButtonVisibility

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=434865:434912

Minimized Testcase (1.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JQXwuPzsPiPUPrdzfv9bySmgrFgQrtErw4JwsYJmnNNJ67TS8VCPcewVMutEimjUbivRaoRexLPWN71wNhmmX9aD_Z6cqTEi_X7oGj1TUqjs0jQyHT4p4DVxj4tkQXmqbYmELmeSyQPD6gYMKV7VGnuP84g?testcase_id=5588823921917952

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Dec 1 2016
Minimum repro:
<script>
function jsfuzzer() {
document.body.style.display = "none";
input.value = "23:59";
}
</script>
<body onload=jsfuzzer()>
<style></style>
<input id="input" type="time" autofocus onblur="this.type = 'search';">
DateTimeEditElement::layout() carefully moves element focus to avoid dispatching focus/blur events on the host element. However,
1. |document.body.style.display = "none"| doesn't remove focus from |input| immediately. It just schedules a delayed focusability check.
2. DateTimeEditElement::layout() recreates the UA shadow elements, but it fails to focus the new UA shadow element because the host is not focusable. So 'blur' is dispatched in the function unexpectedly.

Dec 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b998a64a0f1a925cfae371a52562ee5b7c9b4c17

commit b998a64a0f1a925cfae371a52562ee5b7c9b4c17
Author: tkent <tkent@chromium.org>
Date: Fri Dec 09 11:03:18 2016

INPUT element: Do not use identical ID name for SearchFieldCancelButtonElement and ClearButtonElement.

Using identical ID for different Element subclasses is dangerous. This CL avoids a runtime CHECK failure.

BUG= 669847
Review-Url: https://codereview.chromium.org/2568443002
Cr-Commit-Position: refs/heads/master@{#437516}

[add] https://crrev.com/b998a64a0f1a925cfae371a52562ee5b7c9b4c17/third_party/WebKit/LayoutTests/fast/forms/search/search-type-change-crash.html
[modify] https://crrev.com/b998a64a0f1a925cfae371a52562ee5b7c9b4c17/third_party/WebKit/Source/core/html/forms/SearchInputType.cpp
[modify] https://crrev.com/b998a64a0f1a925cfae371a52562ee5b7c9b4c17/third_party/WebKit/Source/core/html/shadow/DateTimeEditElement.cpp
[modify] https://crrev.com/b998a64a0f1a925cfae371a52562ee5b7c9b4c17/third_party/WebKit/Source/core/html/shadow/ShadowElementNames.cpp
[modify] https://crrev.com/b998a64a0f1a925cfae371a52562ee5b7c9b4c17/third_party/WebKit/Source/core/html/shadow/ShadowElementNames.h
[modify] https://crrev.com/b998a64a0f1a925cfae371a52562ee5b7c9b4c17/third_party/WebKit/Source/core/html/shadow/TextControlInnerElements.cpp

Dec 14 2016
ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5588823921917952

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !element || (element->isClearButtonElement()) in ClearButtonElement.h
  blink::MultipleFieldsTemporalInputTypeView::clearButtonElement
  blink::MultipleFieldsTemporalInputTypeView::updateClearButtonVisibility

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=434865:434912
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (1.41 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JQXwuPzsPiPUPrdzfv9bySmgrFgQrtErw4JwsYJmnNNJ67TS8VCPcewVMutEimjUbivRaoRexLPWN71wNhmmX9aD_Z6cqTEi_X7oGj1TUqjs0jQyHT4p4DVxj4tkQXmqbYmELmeSyQPD6gYMKV7VGnuP84g?testcase_id=5588823921917952

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Dec 14 2016
Comment 1 by ajha@chromium.org, Nov 30 2016
Labels: M-57