
Issue 688303

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




i < size() in Vector.h

Project Member Reported by ClusterFuzz, Feb 3 2017

Issue description

Comment 1 by tkent@chromium.org, Feb 3 2017

Components: Blink>CSS
Labels: Test-Predator-Wrong M-58
Owner: sigbjo...@opera.com
Status: Assigned (was: Untriaged)
Through code search on file "third_party/WebKit/Source/wtf/Vector.h"
Suspected CL
https://chromium.googlesource.com/chromium/src/+/4da5a6bc55b8e3909b98f3e0f23d7c5d0cb9ecb8
There are similar issues reported: issue 688306 and issue 687941. Please mark this issue as a duplicate if it is the same as any of those bugs.
Thank you

Comment 3 by f...@opera.com, Feb 6 2017

Dupe of  issue 688306 ?
Most likely, a transform operation taking (or having) no arguments?

Comment 5 by f...@opera.com, Feb 8 2017

My suspicion currently is a transform with a broken argument. I've not been able to repro with the test from issue 688306 (yet, cross_fuzz taking its time? I don't know...), but I've developed a possible way it could trigger, I think...

Comment 6 by f...@opera.com, Feb 8 2017

Cc: f...@opera.com

Comment 7 by bugdroid1@chromium.org, Feb 8 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d3173fb3e213e658abf34667f130b55b6baac395

commit d3173fb3e213e658abf34667f130b55b6baac395
Author: fs <fs@opera.com>
Date: Wed Feb 08 14:54:59 2017

SVGTransformList.consolidate() should return null on an empty list

SVGTransformList.consolidate() returns an SVGTransform with type
"unknown", which is an invalid object that other parts of the code
couldn't cope with. The specification:

 https://svgwg.org/svg2-draft/coords.html#__svg__SVGTransformList__consolidate

says that 'null' should be returned in this case though, so do that
instead.

Rewrite svg/dom/SVGTransformList-empty-list-consolidation.html to
actually assert this part of the contract, and also convert it to use
testharness.js while at it.

BUG=688306, 688303

Review-Url: https://codereview.chromium.org/2681803004
Cr-Commit-Position: refs/heads/master@{#448994}

[delete] https://crrev.com/e398e7fd334c08a2cfb805b25b0792fb15e674d3/third_party/WebKit/LayoutTests/svg/dom/SVGTransformList-empty-list-consolidation-expected.txt
[modify] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/SVGTransformList-empty-list-consolidation.html
[add] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/svgtransformlist-empty-consolidate-and-initialize-crash-expected.txt
[add] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/LayoutTests/svg/dom/svgtransformlist-empty-consolidate-and-initialize-crash.html
[modify] https://crrev.com/d3173fb3e213e658abf34667f130b55b6baac395/third_party/WebKit/Source/core/svg/SVGTransformList.cpp
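As an added illustration (not Blink code, and not the layout test the commit adds), the following Node-runnable model shows the contract the fix enforces: consolidating an empty transform list yields null, a non-empty one yields a single matrix transform whose matrix is the left-to-right product of its members, and a consumer that builds transform operations has no representation for a type-unknown transform and must reject it. The pre-fix behaviour modelled here is the one the commit message describes (an empty list consolidated to a transform of type "unknown"); function names such as consolidateBeforeFix, toTransformOperations and emptyListOutcome are this example's own, not Blink identifiers, and the transform type constants mirror the values of the SVGTransform interface.

```javascript
'use strict';
// Added example, not Blink/Chromium code: a model of SVGTransformList.consolidate()
// and a consumer of the consolidated transform. Type constants mirror SVGTransform;
// matrices use the 2D affine [a b c d e f] form of SVGMatrix.

const SVG_TRANSFORM_UNKNOWN = 0;
const SVG_TRANSFORM_MATRIX = 1;
const SVG_TRANSFORM_TRANSLATE = 2;
const SVG_TRANSFORM_SCALE = 3;
const SVG_TRANSFORM_ROTATE = 4;

const IDENTITY = { a: 1, b: 0, c: 0, d: 1, e: 0, f: 0 };

// Product m * n of two 2D affine matrices (column-vector convention, as in
// SVGMatrix.multiply). Applying m * n to a point applies n first, then m.
function multiply(m, n) {
  return {
    a: m.a * n.a + m.c * n.b,
    b: m.b * n.a + m.d * n.b,
    c: m.a * n.c + m.c * n.d,
    d: m.b * n.c + m.d * n.d,
    e: m.a * n.e + m.c * n.f + m.e,
    f: m.b * n.e + m.d * n.f + m.f,
  };
}

function applyToPoint(m, x, y) {
  return { x: m.a * x + m.c * y + m.e, y: m.b * x + m.d * y + m.f };
}

// Constructors for the common SVGTransform kinds.
function translate(tx, ty) {
  return { type: SVG_TRANSFORM_TRANSLATE, matrix: { ...IDENTITY, e: tx, f: ty } };
}
function scale(sx, sy) {
  return { type: SVG_TRANSFORM_SCALE, matrix: { ...IDENTITY, a: sx, d: sy } };
}
function rotate(degrees) {
  const r = (degrees * Math.PI) / 180;
  const c = Math.cos(r);
  const s = Math.sin(r);
  return { type: SVG_TRANSFORM_ROTATE, matrix: { a: c, b: s, c: -s, d: c, e: 0, f: 0 } };
}

// consolidate() per SVG 2: an empty list yields null; otherwise one
// SVG_TRANSFORM_MATRIX whose matrix is the left-to-right product of the list.
function consolidate(list) {
  if (list.length === 0) return null;
  const matrix = list.map((t) => t.matrix).reduce(multiply);
  return { type: SVG_TRANSFORM_MATRIX, matrix };
}

// Model of the pre-fix behaviour the commit message describes: an empty list
// came back as a transform of type "unknown" instead of null.
function consolidateBeforeFix(list) {
  if (list.length === 0) return { type: SVG_TRANSFORM_UNKNOWN, matrix: { ...IDENTITY } };
  return consolidate(list);
}

// initialize(newItem): clears the list and inserts newItem. The WebIDL argument
// is non-nullable, so a null from consolidate() is rejected at the DOM boundary
// rather than entering the list.
function initialize(list, newItem) {
  if (newItem === null || typeof newItem !== 'object') {
    throw new TypeError('initialize: newItem must be an SVGTransform');
  }
  list.length = 0;
  list.push(newItem);
  return newItem;
}

// Stand-in (assumption, not TransformBuilder's real logic) for a consumer that
// turns list items into transform operations: it has no case for type "unknown"
// and must fail loudly instead of letting the bogus item reach later indexing.
function toTransformOperations(list) {
  return list.map((t) => {
    if (t.type === SVG_TRANSFORM_UNKNOWN) {
      throw new Error('transform of type unknown reached the builder');
    }
    return { kind: t.type, matrix: t.matrix };
  });
}

// Drives the empty-list path end to end (consolidate, then initialize another
// list with the result, then build operations) for a given consolidate variant.
function emptyListOutcome(consolidateFn) {
  const consolidated = consolidateFn([]);
  if (consolidated === null) return 'null (nothing to initialize with)';
  const target = [];
  initialize(target, consolidated);
  try {
    toTransformOperations(target);
    return 'accepted';
  } catch (e) {
    return 'rejected: ' + e.message;
  }
}
```

In a real browser the equivalent check is that `element.transform.baseVal.consolidate()` returns null for an SVG element whose transform list is empty, which is the contract the rewritten svg/dom/SVGTransformList-empty-list-consolidation.html test asserts.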


Comment 8 by ClusterFuzz, Feb 9 2017

ClusterFuzz has detected this issue as fixed in range 448971:449002.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4654741847277568

Fuzzer: lcamtuf_cross_fuzz
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  i < size() in Vector.h
  blink::TransformBuilder::createTransformOperations
  blink::StyleBuilderConverter::convertTransformOperations
  
Sanitizer: undefined (UBSAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=445525:445725
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_chrome&range=448971:449002

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95bmnIWC2lrz5OtkjCqwhrRmLo7ohyhTobO047-0pIT8YFaYdq9sapbZBsIC0FC6Oy5H9H5kecuIq1HxLXBMV7AguU--cfmgksdE3YCRnHsRZCuFnICVgG1Hlbp2jN5ACPV-0l5j461elgGSqAwb6EJ9cXw3TdtrQCF2Fm3y7gRylIeR-mQRGv-aetqUHr92B9ShE7R5k89rTFtdbnr2DxI3ov-HkgF0xVVBHxD4di9aJo7NrXEXgV4QLIr8XtED_mODBTSlQEDMXOx74uliXtOMnK2ItuTE1CAjqrx7HczpS52AO7d4gx-0fuETvuOqlDDR5-wRrSVWSRM9cm7oJhQOU4O9W4-ddGe38b78VvuNg0fsFJrx1aEkc3Fz6xRAQL_-OuT-4KG4mF8zWH3tX-w3Wp9FQ?testcase_id=4654741847277568


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by f...@opera.com, Feb 9 2017

Cc: msrchandra@chromium.org
Issue 688306 has been merged into this issue.

Comment 10 by f...@opera.com, Feb 9 2017

Cc: -f...@opera.com sigbjo...@opera.com
Owner: f...@opera.com

Comment 11 by f...@opera.com, Feb 9 2017

Status: Fixed (was: Assigned)
