Findit did not find any culprit results,

assigning to /src/third_party/WebKit/Source/core/OWNERS, requesting to check the issue and help.

There's a bunch of assertion failures before the crash. Attaching a minimal test case (which also runs into a few assertion failures before it crashes).

Deleted: tc.html 339 bytes

tc.html 339 bytes View Download

 Issue 691411  has been merged into this issue.

Caused by https://codereview.chromium.org/2685113002 "Cleanup SVGElement::layoutObjectIsNeeded."

ClusterFuzz has detected this issue as fixed in range 449941:449972.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6330276168073216

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000ac
Crash State:
  blink::LayoutMultiColumnSet::newFragmentainerGroupsAllowed
  blink::LayoutMultiColumnFlowThread::appendNewFragmentainerGroupIfNeeded
  blink::LayoutMultiColumnFlowThread::layoutColumns
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=449604:449634
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=449941:449972

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95a6v9BnLZeaMDqn-OkwTVF6jPAUCdNNARzf3cGqDXgcBGK85z_nFA8gcXfPUcGT1JPZOju83ETCqvtFiPk-yZLky2s_laBgUateKZtv3fDW3FbP4hDlz8g7l3xIvOZlEuW4huDJ-hGESYsKxVFUaDY8jivRkyYr3aLWUMhftsf4S-0X8WMzDdengcKpFL9ITe1DP07AfuGqpeysmQ8W6h5596celJM2BWrr8VNeKnLF8UHb-IcLFGJMGjc-FC_XmbJKas4Fjp-LyM-KyDlt6EjEqMyJpOa9e9VGGDyA9XmYP4-dTYNP8EFNYBauvTWpCpVBj6K88jdoznwkbN9sxsLpKtAD0GPck5ID2uX4qtVtL20WXAHuSItQg8m8RN2DRREhdwnHwxjhQMsY3q2YgWl5ZgtMA?testcase_id=6330276168073216


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.