Crash in blink::WebFrame::getSecurityOrigin
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5744236961202176
Fuzzer: inferno_twister_custom_bundle
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::WebFrame::getSecurityOrigin
  content::GetAudioHardwareParams
  content::RendererBlinkPlatformImpl::audioHardwareSampleRate
Sanitizer: address (ASAN)
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=441510:441524
Minimized Testcase (0.28 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95AWDBaVLnACdBmtT5fpe-7CPtnAfHnzfA5GJ3IpRHUitDE7OXHa6y6UyHvgonyvkxLzdBUsp1w_qkXdXnEpGfRez57PjpRkA3ijnEd_X6V5SRvpcv5blW1nkoECCUnZ6wz9P0frYCqfLEh2FiYncHyDJqzPmzgtgp-AbO-Vj5IUciJg6b1pK9-TUWeAzbRDJeKRAT1zdlup9bk0UCxYoP6vrCC9BLjgXOsV20HWzKTVkW8HD_msEh2MF-DDlEktFA9NcVGWS4rR5AM0kKXfJki4KV7sB70i6qadCS1heQFYlF2ySRrhHIcjrUQKjZsoTXNIL7B2IFgnoFuUmgFRWy1-XY7bAaAbjn4E-u_z4smUDxf8wfEKH4_bcCqi-vMhjHcWtkg8RmWobIoOkawLQKEIex7Vw?testcase_id=5744236961202176

<script>
var iframe = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
document.body.appendChild(iframe);
var frameWin = iframe.contentWindow;
new frameWin.AudioContext();
document.body.removeChild(iframe);
new frameWin.AudioContext();
</script>

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 6 2017
rtoy@, I found this issue comes from your commit f58de349230213827cd1e057d10b7a61411c328a by bisect. Also I can reproduce it in Linux. Please take a look.
Jan 9 2017
I don't see how f58de349230213827cd1e057d10b7a61411c328a can be the cause of this issue; it just removes the prefix. But maybe c44e4f0a2120f24a6701298868befa1b2adc1ce8 is related? hongchan@, can you take a look?
Jan 9 2017
To reproduce this on macOS, I downloaded the build 441524 from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html?prefix=mac-debug/. The crash is only reproducible with the following options:

./Chromium.app/Contents/MacOS/Chromium --allow-file-access-from-files --use-gl=any --disable-gl-drawing-for-tests --js-flags="--expose-gc" --no-sandbox

Without WebGL switches, this does not crash. Also the console log suggests the leak in WebFrame.

---
ASAN:DEADLYSIGNAL
=================================================================
==5640==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000293a1c8d4 bp 0x7fff5b385690 sp 0x7fff5b3853c0 T0)
==5640==The signal is caused by a READ memory access.
==5640==Hint: address points to the zero page.
[5642:775:0109/142257.737104:ERROR:render_process_impl.cc(212)] WebFrame LEAKED 1 TIMES
---

I don't see how any of this is related to WebAudio. It seems to be crashing because the WebFrame does not provide a proper securityOrigin object.
Jan 11 2017
Issue 677673 has been merged into this issue.
Jan 12 2017
I am taking a second look at this and I believe the repro code must fail:
<script>
var iframe = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
document.body.appendChild(iframe);
var frameWin = iframe.contentWindow;
new frameWin.AudioContext();
document.body.removeChild(iframe);
new frameWin.AudioContext(); // This must fail.
</script>
rtoy@
|frameWin| is detached from the document and it's not visible anymore. AudioContext should not be constructible from this orphan object. However, I cannot find any reference/spec for this behavior. What should we do?
Jan 12 2017
guidou@ Can you take a look? https://cs.chromium.org/chromium/src/content/renderer/renderer_blink_platform_impl.cc?q=GetAudioHardwareParams&sq=package:chromium&l=179 Git blame says this method was written by you, and I think we have to handle the case where 'web_frame' is invalid.
Jan 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/44bfa4bd4fb0143a64d5748d68b17bbedee4caaa

commit 44bfa4bd4fb0143a64d5748d68b17bbedee4caaa
Author: guidou <guidou@chromium.org>
Date: Fri Jan 13 21:31:48 2017

Check that render-frame is valid before returning audio params in Blink.

Return reasonable parameters if the render_frame is not valid instead of crashing.

BUG= 678927
Review-Url: https://codereview.chromium.org/2626023006
Cr-Commit-Position: refs/heads/master@{#443676}

[add] https://crrev.com/44bfa4bd4fb0143a64d5748d68b17bbedee4caaa/content/renderer/blink_platform_audio_hardware_browsertest.cc
[modify] https://crrev.com/44bfa4bd4fb0143a64d5748d68b17bbedee4caaa/content/renderer/renderer_blink_platform_impl.cc
[modify] https://crrev.com/44bfa4bd4fb0143a64d5748d68b17bbedee4caaa/content/test/BUILD.gn
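As an added illustration, not Chromium's code and not the patch itself, here is a stand-alone C++ model of the failure the thread describes (a lookup for a detached frame yielding a null pointer that is then dereferenced) next to the check the commit message describes (validate the frame, return reasonable parameters instead of crashing). The registry, the struct fields and the fallback values 44100 Hz / 512 frames are assumptions for this example.

```cpp
// Added illustration of the bug and of the fix described in the commit above;
// this is a stand-alone model, not Chromium's code. The registry lookup, the
// field names and the fallback values (44100 Hz, 512 frames) are assumed.
#include <map>

struct AudioParams {
  int sample_rate;
  int buffer_size;
  bool from_hardware;  // false when fallback values were returned
};

// Stand-in for blink::WebFrame. In this model a frame detached from its
// document (what the repro script produces) no longer has a security origin.
struct WebFrame {
  const char* security_origin;
  int routing_id;
};

// Stand-in for the render-side frame that owns the hardware parameters.
struct RenderFrame {
  int hw_sample_rate;
  int hw_buffer_size;
};

// Assumed registry mapping routing ids to live RenderFrames (one attached frame).
static std::map<int, RenderFrame> g_render_frames = {{1, {48000, 480}}};

// Assumed lookup from a WebFrame to its RenderFrame; a detached frame (null
// security origin or no registry entry) yields nullptr.
static RenderFrame* FromWebFrame(const WebFrame* web_frame) {
  if (!web_frame || !web_frame->security_origin) return nullptr;
  auto it = g_render_frames.find(web_frame->routing_id);
  return it == g_render_frames.end() ? nullptr : &it->second;
}

// Before the fix: the lookup result is used unconditionally. Called with a
// detached frame this is the null READ near address 0x0 that ASan reported.
AudioParams GetAudioHardwareParamsUnchecked(const WebFrame* web_frame) {
  RenderFrame* rf = FromWebFrame(web_frame);
  return {rf->hw_sample_rate, rf->hw_buffer_size, true};
}

// After the fix: validate the frame first and fall back to sane defaults.
AudioParams GetAudioHardwareParams(const WebFrame* web_frame) {
  constexpr int kFallbackRate = 44100;  // assumed default
  constexpr int kFallbackBuffer = 512;  // assumed default
  RenderFrame* rf = FromWebFrame(web_frame);
  if (!rf) return {kFallbackRate, kFallbackBuffer, false};
  return {rf->hw_sample_rate, rf->hw_buffer_size, true};
}
```

A caller such as audioHardwareSampleRate() then gets a usable value for a detached frame, and the from_hardware flag lets a test distinguish the fallback path from the real one.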
Jan 17 2017
ClusterFuzz testcase 5023393540997120 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 17 2017
ClusterFuzz has detected this issue as fixed in range 443594:443650.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5744236961202176
Fixed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_chrome_no_sandbox&range=443594:443650

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Jan 6 2017
Components: Internals>Core
Labels: Test-Predator-Wrong-CLs
Owner: chaopeng@chromium.org
Status: Assigned (was: Untriaged)