Crash in blink::SVGElement::applyActiveWebAnimations
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4634710421798912

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000003c
Crash State:
  blink::SVGElement::applyActiveWebAnimations
  blink::SVGLengthTearOff::hasExposedLengthUnit
  blink::SVGLengthTearOff::unitType

Memory Tool: SYZYASAN
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=446719:446721

Minimized Testcase (2.45 Kb): https://cluster-fuzz.appspot.com/download/AMIfv965Yyi8o3UEYyLdPTNCuiNFt_VYvswz4Umuku8dR0JIcELlELuNgCentcK0fK-LKHn2WBTndLpzA2GCT55rNs8ajm4Ggo1pEZa7XqgZzsh51zVgAtDUIDrSbnz6uXletyOI4KoSYG2JmYwI72ZLqG5DoPb8IHs_LWxIrRIxK_O8H1NO4U_n0syuT_cdyUIQJRP6JrPsyX9BZdjNy2OBP490dDSldXFqY57RdVHjGHu9brK3ypx67v3BsxkKPyeoGGwyWIHHm-VAXa1bNurtMHEvFJQ9KpN52CwmOhD35aWdYV-s5BVM1SlSIweAufbJc9HwQhBV3z2D2FJwfjTRKzDvPirTxEFpRLbrpQ341a90QL8StKs?testcase_id=4634710421798912

Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 30 2017
Blame result seems wrong. I've requested a new blame run. Leaving Untriaged until we get more info.
Feb 1 2017
Feb 1 2017
The (innermost) crash stack here is very similar to that of issue 686915, i.e. it's a flush of "pending" Web Animations. It's very likely that the fix is the same in both cases.
Feb 10 2017
Issue 686915 has been merged into this issue.
Feb 10 2017
Feb 15 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/49bd1e63cb077e88db6d89f5a3db801dec55e743

commit 49bd1e63cb077e88db6d89f5a3db801dec55e743
Author: fs <fs@opera.com>
Date: Wed Feb 15 14:24:38 2017

Don't clear 'web animations dirty' flag if we have no rare data

If an SVGElement has an instantiated ElementAnimations object and animation time has progressed, but no actual animation has been applied (and hence no SVGElementRareData has been created), we don't need to clear the dirty bit in the rare data.

The initial trigger for this seems to be the Element.computedName implementation for a detached node, which tries to compute style in this case, triggering a DCHECK in Node::containingTreeScope when doing so.

BUG= 686424
Review-Url: https://codereview.chromium.org/2689713003
Cr-Commit-Position: refs/heads/master@{#450689}

[add] https://crrev.com/49bd1e63cb077e88db6d89f5a3db801dec55e743/third_party/WebKit/LayoutTests/svg/animations/animval-web-animations-flush-crash.html
[modify] https://crrev.com/49bd1e63cb077e88db6d89f5a3db801dec55e743/third_party/WebKit/Source/core/svg/SVGElement.cpp
[modify] https://crrev.com/49bd1e63cb077e88db6d89f5a3db801dec55e743/third_party/WebKit/Source/modules/accessibility/AXObject.cpp
Feb 21 2017
Apr 19 2017
ClusterFuzz has detected this issue as fixed in range 450686:450691.

Detailed report: https://clusterfuzz.com/testcase?key=4634710421798912

Fuzzer: inferno_twister
Job Type: windows_syzyasan_content_shell
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000003c
Crash State:
  blink::SVGElement::applyActiveWebAnimations
  blink::SVGLengthTearOff::hasExposedLengthUnit
  blink::SVGLengthTearOff::unitType

Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=446719:446721
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=450686:450691

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv965Yyi8o3UEYyLdPTNCuiNFt_VYvswz4Umuku8dR0JIcELlELuNgCentcK0fK-LKHn2WBTndLpzA2GCT55rNs8ajm4Ggo1pEZa7XqgZzsh51zVgAtDUIDrSbnz6uXletyOI4KoSYG2JmYwI72ZLqG5DoPb8IHs_LWxIrRIxK_O8H1NO4U_n0syuT_cdyUIQJRP6JrPsyX9BZdjNy2OBP490dDSldXFqY57RdVHjGHu9brK3ypx67v3BsxkKPyeoGGwyWIHHm-VAXa1bNurtMHEvFJQ9KpN52CwmOhD35aWdYV-s5BVM1SlSIweAufbJc9HwQhBV3z2D2FJwfjTRKzDvPirTxEFpRLbrpQ341a90QL8StKs?testcase_id=4634710421798912

Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by tkent@chromium.org, Jan 30 2017