
Issue 677878


Issue metadata

Status: Verified
Owner:
Closed: Jan 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug


Crash in blink::MediaStream::streamEnded

Reported by ClusterFuzz (Project Member), Jan 3 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>Media
Labels: Test-Predator-Wrong-CLs
Owner: haraken@chromium.org
Status: Assigned (was: Untriaged)
Findit and CL did not provide any possible suspects.
Using Code Search for the file "mediastream.cpp", assigning to the concerned owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/d4833220d8d9320deb606a0068a332a046486c95

@haraken -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Cc: haraken@chromium.org
Owner: jrumm...@chromium.org
jrummell@: Would you mind taking a look at this?

Status: Started (was: Assigned)
Not sure about the crash stack.

chrome_child!blink::MediaStream::streamEnded+0x6 [third_party/webkit/source/modules/mediastream/mediastream.cpp @ 298]
chrome_child!base::internal::CheckedNumeric<__int64>::operator+=+0x1e (Inline Function @ 6c05ae73) (CONV: thiscall) [base/numerics/safe_math.h @ 451]
chrome_child!base::time_internal::SaturatedAdd+0x24 (FPO: [Non-Fpo]) (CONV: cdecl) [base/time/time.cc @ 107]
chrome_child!blink::MediaStreamSource::setReadyState+0x45 [third_party/webkit/source/platform/mediastream/mediastreamsource.cpp @ 67]
chrome_child!content::MediaStreamVideoSource::SetReadyState+0x3a [content/renderer/media/media_stream_video_source.cc @ 592]

MediaStreamSource::setReadyState@67 is calling observer->sourceChangedState(); It could eventually get to MediaStream::streamEnded(), so I'll assume the crash location is valid. streamEnded@298 does:

    if (m_executionContext->isContextDestroyed())
        return;

Most places that call isContextDestroyed() check for a valid ExecutionContext first as part of the check, so I'll update the code to do that.
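A minimal model of the lifetime problem and the check described in the comment above, written as an added example (it is not Chromium code): the class names follow the crash stack, but their shapes, the contextDestroyed() hook and the endedEventsFor() driver are assumptions. The source notifies its observers when its ready state changes; if the stream's context pointer has already been cleared, the pre-fix check dereferences null, while the pointer check lets the late notification fall through harmlessly.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical stand-ins for Blink's ExecutionContext, MediaStreamSource and
// MediaStream. Names mirror the crash stack; the shapes are assumptions, not
// the Chromium classes.
class ExecutionContext {
 public:
  void destroy() { destroyed_ = true; }
  bool isContextDestroyed() const { return destroyed_; }

 private:
  bool destroyed_ = false;
};

enum class ReadyState { Live, Muted, Ended };

class SourceObserver {
 public:
  virtual ~SourceObserver() = default;
  virtual void sourceChangedState(ReadyState state) = 0;
};

class MediaStreamSource {
 public:
  void addObserver(SourceObserver* observer) { observers_.push_back(observer); }

  // Mirrors MediaStreamSource::setReadyState from the stack: every registered
  // observer is notified, whether or not its owning context still exists.
  void setReadyState(ReadyState state) {
    if (state == state_) return;
    state_ = state;
    for (SourceObserver* observer : observers_)
      observer->sourceChangedState(state);
  }

 private:
  ReadyState state_ = ReadyState::Live;
  std::vector<SourceObserver*> observers_;
};

class MediaStream : public SourceObserver {
 public:
  explicit MediaStream(ExecutionContext* context) : m_executionContext(context) {}

  // Assumed teardown hook: the raw pointer is cleared when the owning context
  // goes away, but the stream may still be registered as a source observer.
  void contextDestroyed() { m_executionContext = nullptr; }

  void sourceChangedState(ReadyState state) override {
    if (state == ReadyState::Ended) streamEnded();
  }

  int endedEventsScheduled() const { return ended_events_; }

 private:
  void streamEnded() {
    // Pre-fix form quoted in comment 3:
    //   if (m_executionContext->isContextDestroyed()) return;
    // which dereferences a null pointer once contextDestroyed() has run.
    // Post-fix form, as the commit title describes: check the pointer first.
    if (!m_executionContext || m_executionContext->isContextDestroyed())
      return;
    ++ended_events_;  // stand-in for scheduling the "ended" event
  }

  ExecutionContext* m_executionContext;
  int ended_events_ = 0;
};

// Drives the observer path from the crash stack (setReadyState ->
// sourceChangedState -> streamEnded) and returns how many "ended" events the
// stream scheduled. Scenario 0: context alive; 1: context destroyed but the
// pointer still set; 2: pointer already cleared (the crashing case).
int endedEventsFor(int scenario) {
  ExecutionContext context;
  MediaStreamSource source;
  MediaStream stream(&context);
  source.addObserver(&stream);

  if (scenario == 1) context.destroy();
  if (scenario == 2) stream.contextDestroyed();

  source.setReadyState(ReadyState::Ended);  // the source ends after teardown
  return stream.endedEventsScheduled();
}

int main() {
  for (int scenario = 0; scenario < 3; ++scenario)
    std::printf("scenario %d: %d ended event(s)\n", scenario, endedEventsFor(scenario));
  return 0;
}
```

Scenario 2 is the shape ClusterFuzz hit: an observer callback arriving after the observed object's context has been torn down. The fix narrows the symptom (no null dereference); the wider defensive question for this class of bug is whether the stream should still be registered as an observer at all once its context is gone.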
Comment 4 by bugdroid1@chromium.org (Project Member), Jan 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f6a0f4b7f8abe662390f61e1d5133a0894bb6080

commit f6a0f4b7f8abe662390f61e1d5133a0894bb6080
Author: jrummell <jrummell@chromium.org>
Date: Thu Jan 05 06:09:31 2017

Check ExecutionContext before calling isContextDestroyed()

BUG=677878
TEST=mediastream layouttests pass

Review-Url: https://codereview.chromium.org/2610233002
Cr-Commit-Position: refs/heads/master@{#441595}

[modify] https://crrev.com/f6a0f4b7f8abe662390f61e1d5133a0894bb6080/third_party/WebKit/Source/modules/mediastream/MediaStream.cpp

Comment 5 by ClusterFuzz (Project Member), Jan 12 2017

ClusterFuzz has detected this issue as fixed in range 441510:441524.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4577816789385216

Fuzzer: inferno_twister_custom_bundle
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x00000045
Crash State:
  blink::MediaStream::streamEnded
  base::time_internal::SaturatedAdd
  blink::MediaStreamSource::setReadyState
  
Memory Tool: SYZYASAN

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=441050:441052
Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=441510:441524

Minimized Testcase (5.21 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Wt2xWVyQTtybuusDPJqk4jt4Fdg5v_YkSPcLo8vDNrV3959R2SO2QdnLLCdgTiSn_SkHoD5C0Z5q2Cx_gd-0MUXl1Ludk_WDKgaPLv_z_nbRQMdakXzbYM4TNzOLL0uV826RLWcE87uD7MJbZTRVcBMCD7nfAjOWl0csCVn0x0uQce9x7RlSv-7vmBBTzEWJ3ip7aH3Dn9h-UFi_f3u8VqLPZjju22KBFjGQEMyYbOXosewGnrYuOMWPQMfcPOM62zIKVcHann_WQ2rs3SvyqqQQYjJFXZggUWIpMbsHYhUdGhNql1zm5p9jI_4ZjLvDKZ3JnNHMNqsVQj1Au3ovi7Tn4o-OdFcxhVNldGBZMGmjyerQ?testcase_id=4577816789385216

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz (Project Member), Jan 12 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4577816789385216 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.