Unable to find the suspect using Find it.
From regression range assigning to the concern owner --
https://chromium.googlesource.com/chromium/src/+log/b077d802dd71ab917f22c2be4afe07a3564d150b..284922e2eac8d3ee806dbbad8ac322bd4a379079?pretty=fuller

Suspecting the following Commit#
https://chromium.googlesource.com/chromium/src/+/87dc599743f71d33466ac56a8db5a53c5f6ce46c

@yukishiino -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

I don't know why "Crash Type:" is "Integer-overflow".  It must actually be "CHECK failure" seeing the stack trace.  Probably a cluster fuzz's issue?

Anyway, this is a dup of Issue 669968.

ClusterFuzz has detected this issue as fixed in range 435261:438085.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6157715694157824

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Integer-overflow
Crash Address: 
Crash State:
  blink::WindowProxy::updateDocumentProperty
  blink::WindowProxy::updateDocument
  blink::WindowProxy::initialize
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435209:435261
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.56 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94zJ0bul6GnphkmUzZKLZZNG2fO3q8Bcmfk1G29dBRIeM5O-Cc1sr6OwVJb81vWk3t7lz2_-k-Cu_QVKt_2d_xzXfp-jCuN4zi8byj6csqU88tzPG79vRMQ5WF4tbJzWFK-D6UMq4er94XJzfqqxZZ2Ps6hag?testcase_id=6157715694157824

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.