Issue 675558

Issue metadata

Status: Fixed
Owner: alancutter@chromium.org
Closed: Dec 2016
Cc: msrchandra@chromium.org pilgrim@chromium.org
Components: Blink>CSS
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Float-cast-overflow in blink::StyleBuilderConverter::convertOffsetRotate

Reported by ClusterFuzz (Project Member), Dec 19 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6456021724954624

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::StyleBuilderConverter::convertOffsetRotate
  blink::CSSOffsetRotateInterpolationType::maybeConvertValue
  blink::CSSInterpolationType::maybeConvertSingle
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085

Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TCy7tXLp-6xeX5leyHe147UKn0LcxLzLedzP8kr7C1TerP5WcQajH97zk6dd2K_RB862xmWdt9uLstY3LJGWuQU1BBYrPdOjpbRM4BOFEfD6GESpy-Bs0xgN_iG0I0vwCil15zv_0UE2nG6yppxcCHPZ2tw?testcase_id=6456021724954624

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org pilgrim@chromium.org
Labels: Test-Predator-Correct-CLs
Owner: alancutter@chromium.org
Status: Assigned (was: Untriaged)
Using Findit, assigning the issue to the concerned owner. Below are the results --
The result is a list of CLs that changed the crashed files.

Author: pilgrim
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3b3f02e103d299860a03d92e415b8fb697840c70
Time: Fri Dec 09 16:27:36 2016
Line 85 of file InvalidatableInterpolation.cpp, which potentially caused the crash, is changed in this CL (frame #4, "blink::InvalidatableInterpolation::maybeConvertPairwise").

File CSSInterpolationType.cpp is changed in this cl (and is part of stack frame #2, "blink::CSSInterpolationType::maybeConvertSingle")
Minimum distance from crash line to modified line: 0. (file: InvalidatableInterpolation.cpp, crashed on: 85, modified: 85). 

Author: alancutter
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3ac8b90fcbda4c6e3ef484140751cd0341b31c48
Time: Thu Dec 08 22:51:03 2016
Lines 62, 92 of file InvalidatableInterpolation.cpp which potentially caused crash are changed in this cl (frame #4, "blink::InvalidatableInterpolation::maybeConvertPairwise").
Minimum distance from crash line to modified line: 0. (file: InvalidatableInterpolation.cpp, crashed on: 62, modified: 62). 

Author: alancutter
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/dbf9ff76db17cc97436ee43a53ff269af3a45231
Time: Fri Dec 09 05:15:54 2016
Lines 62, 92, 258 of file InvalidatableInterpolation.cpp which potentially caused crash are changed in this cl (frame #4, "blink::InvalidatableInterpolation::maybeConvertPairwise"; frame #6, "blink::InvalidatableInterpolation::applyStack").
Minimum distance from crash line to modified line: 0. (file: InvalidatableInterpolation.cpp, crashed on: 62, modified: 62). 

Author: alancutter
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/87ec6842397ca213e3216de27dd2a156ea01a342
Time: Fri Dec 09 09:42:25 2016
Lines 62, 92, 258 of file InvalidatableInterpolation.cpp which potentially caused crash are changed in this cl (frame #4, "blink::InvalidatableInterpolation::maybeConvertPairwise"; frame #6, "blink::InvalidatableInterpolation::applyStack").
Minimum distance from crash line to modified line: 0. (file: InvalidatableInterpolation.cpp, crashed on: 62, modified: 62).

@alancutter -- Could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank You.
Test case:
<style>
@keyframes cfpulse1 { 0% { opacity: 0.0901; scroll-snap-type: initial } 
 1% { opacity: 0.0823; motion: path("M 13 2 h 11 v -53") 6772159099343311147963407119496477758278323944392504792520726726528445908706753060030057770863072007690525803528990028771578716997626504007399536732362342681220306922677405220428480102113641824539771557937974021684448585322739937495322648385679803197878862537591342648461579499923703493989594208073045976755073456313663842125268129997886257177874866252782866713636942669286588447097343808037614382288341687498451651245152153424054000300383726062592046846049867203248174598084843154rad 37%;  } 
 100% { opacity: 0.2893;  } }
* { animation-name: cfpulse1; animation-duration: 4s; }
</style>


This is overflowing on the line:
    result.angle += primitiveValue.computeDegrees();

The overflow is already handled because immediately after we do:
    result.angle = clampTo<float>(result.angle);


I suppose we have to push the clamp up higher in the function to keep overflow detection happy.
Components: Blink>CSS
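The clamp ordering discussed in the comment above, shown as an added C++ example that is not Blink's code. The clampTo<float>() here is a stand-in assumed to have the same shape as WTF's helper, computeDegreesFromRadians() is a constructed stand-in for computeDegrees(), and StyleOffsetRotation is a constructed struct with a float angle member. The "before" function reproduces the quoted ordering (float += double, then clamp), where the narrowing back to float is undefined behaviour for an out-of-range sum and is what -fsanitize=float-cast-overflow reports; the "after" function clamps the double sum before it is assigned, which is the shape of the committed fix and changes no in-range result.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Stand-in for WTF's clampTo<float>() (assumption: same shape as Blink's
// helper; not Blink's code). Clamping in the wider source type means the
// final static_cast never narrows an out-of-range value.
template <typename To, typename From>
To clampTo(From value) {
    const From hi = static_cast<From>(std::numeric_limits<To>::max());
    const From lo = static_cast<From>(std::numeric_limits<To>::lowest());
    if (value > hi) return std::numeric_limits<To>::max();
    if (value < lo) return std::numeric_limits<To>::lowest();
    return static_cast<To>(value);  // in range, so no float-cast-overflow
}

// True when a double lies inside float's finite representable range. This is
// the condition UBSan's -fsanitize=float-cast-overflow checks at every
// double -> float conversion.
bool fitsInFloat(double v) {
    return v >= static_cast<double>(std::numeric_limits<float>::lowest()) &&
           v <= static_cast<double>(std::numeric_limits<float>::max());
}

constexpr double kPi = 3.14159265358979323846;

// Constructed stand-in for computeDegrees() on an <angle> given in radians.
// It returns a double, so a huge rad value yields a double far outside
// float's range (~3.4e38).
double computeDegreesFromRadians(double radians) {
    return radians * 180.0 / kPi;
}

struct StyleOffsetRotation {
    float angle = 0.0f;  // constructed; a float member like the one in the report
};

// "Before": the ordering the bug report quotes. float += double is evaluated
// in double and narrowed back to float on assignment; for an out-of-range sum
// that narrowing is undefined behaviour, and UBSan reports it even though
// clampTo<float>() runs on the very next line.
float accumulateThenClamp(float current, double degrees) {
    StyleOffsetRotation result;
    result.angle = current;
    result.angle += degrees;                      // narrowing happens here
    result.angle = clampTo<float>(result.angle);  // too late to prevent the UB
    return result.angle;
}

// "After": clamp the double sum first, then assign the in-range float.
float clampThenAssign(float current, double degrees) {
    StyleOffsetRotation result;
    result.angle = clampTo<float>(static_cast<double>(current) + degrees);
    return result.angle;
}

int main() {
    // Constructed input: an angle whose degree value is far beyond float's range.
    const double hugeDegrees = computeDegreesFromRadians(1e300);
    std::printf("fits in float: %s\n", fitsInFloat(hugeDegrees) ? "yes" : "no");
    std::printf("clamp-then-assign: %g\n", clampThenAssign(37.0f, hugeDegrees));
    // Built with -fsanitize=float-cast-overflow, the next call is the one UBSan
    // reports; it deliberately uses the undefined ordering from the report.
    std::printf("accumulate-then-clamp: %g\n", accumulateThenClamp(37.0f, hugeDegrees));
    return 0;
}
```

Build with `clang++ -fsanitize=float-cast-overflow` to see the report on the "before" path only; with in-range inputs the two functions return identical values, which is why the fix could be landed as a no-behaviour-change commit.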
Comment 5 by bugdroid1@chromium.org (Project Member), Dec 21 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ea473ab14a34a428db2ff8bbcb75e3378530e3a4

commit ea473ab14a34a428db2ff8bbcb75e3378530e3a4
Author: alancutter <alancutter@chromium.org>
Date: Wed Dec 21 01:16:54 2016

offset-rotate: Clamp rotation to float prior to assignment

This change moves a clampTo<float>() call to before float assignment
rather than after. This is intended to keep float overflow detection
happy and has no behavioural changes.

BUG=675558

Review-Url: https://codereview.chromium.org/2594493002
Cr-Commit-Position: refs/heads/master@{#439962}

[modify] https://crrev.com/ea473ab14a34a428db2ff8bbcb75e3378530e3a4/third_party/WebKit/LayoutTests/css3/motion-path/motion-rotation-overflow-crash.html
[modify] https://crrev.com/ea473ab14a34a428db2ff8bbcb75e3378530e3a4/third_party/WebKit/Source/core/css/resolver/StyleBuilderConverter.cpp

Status: Fixed (was: Assigned)
Comment 7 by ClusterFuzz (Project Member), Dec 21 2016

ClusterFuzz has detected this issue as fixed in range 439820:440026.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6456021724954624

Fuzzer: inferno_twister
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: Float-cast-overflow
Crash Address: 
Crash State:
  blink::StyleBuilderConverter::convertOffsetRotate
  blink::CSSOffsetRotateInterpolationType::maybeConvertValue
  blink::CSSInterpolationType::maybeConvertSingle
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=435261:438085
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_chrome&range=439820:440026

Minimized Testcase (0.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97TCy7tXLp-6xeX5leyHe147UKn0LcxLzLedzP8kr7C1TerP5WcQajH97zk6dd2K_RB862xmWdt9uLstY3LJGWuQU1BBYrPdOjpbRM4BOFEfD6GESpy-Bs0xgN_iG0I0vwCil15zv_0UE2nG6yppxcCHPZ2tw?testcase_id=6456021724954624

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.