Crash in blink::SVGLength::calculateAnimatedValue
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4540281858031616

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::SVGLength::calculateAnimatedValue
  blink::SVGAnimateElement::calculateAnimatedValue
  blink::SVGAnimationElement::updateAnimation

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=456354:456375

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95GSmqFJH1Trg6AT08RXUOnVhPk3lRs0zsmprnz4trwWeuXdZsbb9Q0dkBW340aftAF5ooDADDKf8aX_7Xif7N2rNXLpxmFXhfT2EWSbn1tfG5eMWGuwDK2y0CfAiHCrq-VNgicNNb9_0jqh-q9HhUyugDA3SVriamS_TK7fxybkykfm4X9aD0FxvhFaP6U3mYm4N-SKt3Fr5-w-nwwAdgGZiReDw5CtS63b5Fjmr0jzOA91l-IiWdUt3oSKm3eIUZGK1iA7JyUGVBsSBPVVhG_u18UOybfNSUlOEh0R7hnIexMTZE56Cethp81nfbhfLS5MGxnev4UEDaAqUVd0oIP5ud8GwsZEgMahVJEWEv9rWY8HWHzFnKKGgbHttuxeDQ0wKq4rRUZ3iX0zqYgMABT_UPqvg?testcase_id=4540281858031616

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Mar 14 2017

Mar 15 2017
FWIW, ef3b9727c297214c9a7093cdf51f92200d78140c is probably what triggered this (by sending more notifications for the target mutations.) I suspect something similar could've triggered before though, because it seems related to how the animation value is reset (when the interval isn't.)
Mar 16 2017

Mar 16 2017

Mar 17 2017
Issue 702575 has been merged into this issue.
Mar 17 2017
Issue 702563 has been merged into this issue.
Mar 17 2017

Mar 18 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c2aeb3453198b951cf00a6883783461d2752f29e

commit c2aeb3453198b951cf00a6883783461d2752f29e
Author: fs <fs@opera.com>
Date: Sat Mar 18 17:00:20 2017

Rework SMIL animation target invalidation

The invalidation of a timed/animation element's target "tuple" (element, attribute name, attribute type) is somewhat complex. Rework it to use two methods that can be overridden rather than having overrides for each setTargetElement/setAttribute{Name,Type}. This allows to get rid of complicated things like the checkInvalidCSSAttributeType() in SVGAnimateElement. It should also make the code slightly easier to reason about when it comes to what state gets invalidated where.

BUG=641437, 701128

Review-Url: https://codereview.chromium.org/2746013007
Cr-Commit-Position: refs/heads/master@{#457972}

[modify] https://crrev.com/c2aeb3453198b951cf00a6883783461d2752f29e/third_party/WebKit/Source/core/svg/SVGAnimateElement.cpp
[modify] https://crrev.com/c2aeb3453198b951cf00a6883783461d2752f29e/third_party/WebKit/Source/core/svg/SVGAnimateElement.h
[modify] https://crrev.com/c2aeb3453198b951cf00a6883783461d2752f29e/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.cpp
[modify] https://crrev.com/c2aeb3453198b951cf00a6883783461d2752f29e/third_party/WebKit/Source/core/svg/animation/SVGSMILElement.h
Mar 24 2017
Fix landed in f70d58032706670f094ed7ae73c2bb13259fc0b6 (459150). bugdroid doesn't appear to have picked that up yet.
Apr 5 2017
Clusterfuzz does not appear to have been making progress on this report for a while (still at 458746, where it's been for a while now...) Resolving.
Apr 9 2017
ClusterFuzz has detected this issue as fixed in range 458746:463137.

Detailed report: https://clusterfuzz.com/testcase?key=4540281858031616

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::SVGLength::calculateAnimatedValue
  blink::SVGAnimateElement::calculateAnimatedValue
  blink::SVGAnimationElement::updateAnimation

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=456354:456375
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95GSmqFJH1Trg6AT08RXUOnVhPk3lRs0zsmprnz4trwWeuXdZsbb9Q0dkBW340aftAF5ooDADDKf8aX_7Xif7N2rNXLpxmFXhfT2EWSbn1tfG5eMWGuwDK2y0CfAiHCrq-VNgicNNb9_0jqh-q9HhUyugDA3SVriamS_TK7fxybkykfm4X9aD0FxvhFaP6U3mYm4N-SKt3Fr5-w-nwwAdgGZiReDw5CtS63b5Fjmr0jzOA91l-IiWdUt3oSKm3eIUZGK1iA7JyUGVBsSBPVVhG_u18UOybfNSUlOEh0R7hnIexMTZE56Cethp81nfbhfLS5MGxnev4UEDaAqUVd0oIP5ud8GwsZEgMahVJEWEv9rWY8HWHzFnKKGgbHttuxeDQ0wKq4rRUZ3iX0zqYgMABT_UPqvg?testcase_id=4540281858031616

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 20 2017

Comment 1 by mummare...@chromium.org, Mar 13 2017
Labels: Test-Predator-Wrong M-59
Owner: f...@opera.com
Status: Assigned (was: Untriaged)