!ScriptForbiddenScope::isScriptForbidden() in V8PerIsolateData.cpp
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4749407842205696
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !ScriptForbiddenScope::isScriptForbidden() in V8PerIsolateData.cpp
  blink::beforeCallEnteredCallback
  v8::Function::NewInstance
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=443258:443393
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96OgIeZZIOiO4BoOuU4Mjs2-eug3nJb0GjYM98OoK_LXNpPfIk2WYA9643n9D9m74QdpYZNWVYBBnHGxaEMU7BJ2b4PhGDR6R95LbGHXPcL6VkICDgSVaveYyP_cmGrWQFSpw72aDFaNaRmFz-_VAdHgvDBRwJYgu_XlGS5wl2bab7Dvkrjn-jej6ZYlH0tCFMOKwWaruIebQx-kPr6xgKDEWHNpfE3kWflPMTX1aPWEIO9gJy2LT85g67WjY1hgs9E7erryuZASAXOEKZWHIL9WvVAAjTy2G_WLRHvME5MdbxLOuCqez6N4KkVYTGj0i26z9kNLPzimnswcCmlcQHLI6G538kPPa1hGQVbIwsjYo5874g?testcase_id=4749407842205696

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 15 2017
This appears to be caused when an Animation promise is being rejected inside a ScriptForbiddenScope, and a wrapper for the rejected value is created. This issue is similar to http://crbug.com/679648 where ToV8 tries to call a constructor in a forbidden scope. I think calling a DOM object constructor is safe and doesn't execute any user script, so maybe adding an AllowUserAgentScript to V8DOMWrapper::createWrapper is a solution (which will fix it for all ToV8 calls)?
Mar 19 2017
Mar 27 2017
We don't have access to issue 679648 . alancutter@ suggests that there was a similar thing previously where Animations code was doing the wrong thing, but we didn't fix it, and we're not sure how to fix it. So, I'm going to remove Blink>Animation and leave this in the hands of Blink>Bindings. Alan and I are cc'd so let us know if there's something you need from us.
May 9 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/13c178302b8a4ce77dc493127b1a9eff97c4e7c2

commit 13c178302b8a4ce77dc493127b1a9eff97c4e7c2
Author: adithyas <adithyas@chromium.org>
Date: Tue May 09 18:48:04 2017

Post task when rejecting Animation promises inside ScriptForbiddenScope

It is possible for the ready promise to be rejected in a ScriptForbiddenScope. Rejecting a promise with a DOMException results in the constructor for DOMException being executed (due to a ToV8 call), which triggers a RELEASE_ASSERT that detects if script is being executed in a forbidden scope. This patch posts a task to reject promises when inside a forbidden scope to prevent the crash.

BUG= 701631
Review-Url: https://codereview.chromium.org/2785303002
Cr-Commit-Position: refs/heads/master@{#470391}

[add] https://crrev.com/13c178302b8a4ce77dc493127b1a9eff97c4e7c2/third_party/WebKit/LayoutTests/web-animations-api/animation-ready-reject-script-forbidden.html
[modify] https://crrev.com/13c178302b8a4ce77dc493127b1a9eff97c4e7c2/third_party/WebKit/Source/core/animation/Animation.cpp
[modify] https://crrev.com/13c178302b8a4ce77dc493127b1a9eff97c4e7c2/third_party/WebKit/Source/core/animation/Animation.h
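The mechanism behind the crash and the fix, as an added, self-contained C++ model that is not Blink's code: ScriptForbiddenScope is reduced to an RAII depth counter, V8's before-call-entered hook to a function that throws instead of hitting a RELEASE_ASSERT (so the "crash" can be observed in-process), ToV8 to a wrapper constructor that goes through that hook, and the task runner to a queue that is drained only after the forbidden scope has been left. The names TaskRunner, ScriptPromiseResolver, RejectReadyUnfixed and RejectReadyFixed are assumptions for the illustration; only the scope/check/post-task shape mirrors what the commit message describes.

```cpp
#include <deque>
#include <functional>
#include <string>

// Model of Blink's ScriptForbiddenScope: an RAII depth counter. While any
// instance is alive, running script (or anything that enters V8) is forbidden.
class ScriptForbiddenScope {
 public:
  ScriptForbiddenScope() { ++depth_; }
  ~ScriptForbiddenScope() { --depth_; }
  static bool IsScriptForbidden() { return depth_ > 0; }
 private:
  static int depth_;
};
int ScriptForbiddenScope::depth_ = 0;

// Hypothetical stand-in for the frame task runner Blink posts to: tasks are
// queued now and run later, once the caller's forbidden scope has ended.
class TaskRunner {
 public:
  void PostTask(std::function<void()> task) { queue_.push_back(std::move(task)); }
  size_t RunUntilIdle() {  // returns the number of tasks executed
    size_t n = 0;
    while (!queue_.empty()) {
      auto task = std::move(queue_.front());
      queue_.pop_front();
      task();
      ++n;
    }
    return n;
  }
 private:
  std::deque<std::function<void()>> queue_;
};

// Model of blink::beforeCallEnteredCallback: in Blink this is a RELEASE_ASSERT
// that kills the process. Thrown here so the failure is observable in a test.
struct ForbiddenScriptViolation {};
void BeforeCallEnteredCallback() {
  if (ScriptForbiddenScope::IsScriptForbidden()) throw ForbiddenScriptViolation{};
}

// Model of ToV8(DOMException): creating the wrapper invokes the DOMException
// constructor via v8::Function::NewInstance, which enters the callback above.
struct WrappedException { std::string name; };
WrappedException ToV8(const std::string& name) {
  BeforeCallEnteredCallback();
  return WrappedException{name};
}

// Minimal promise resolver that only records how it was settled.
class ScriptPromiseResolver {
 public:
  void Reject(const WrappedException& e) { settled_ = true; reason_ = e.name; }
  bool settled() const { return settled_; }
  const std::string& reason() const { return reason_; }
 private:
  bool settled_ = false;
  std::string reason_;
};

class Animation {
 public:
  explicit Animation(TaskRunner* runner) : runner_(runner) {}
  // Pre-fix behaviour: wrap the DOMException immediately, whatever scope we are in.
  void RejectReadyUnfixed() { ready_.Reject(ToV8("AbortError")); }
  // Fix pattern from the commit: if script is forbidden, defer the rejection to
  // a task; the ToV8 call then happens outside any ScriptForbiddenScope.
  void RejectReadyFixed() {
    if (ScriptForbiddenScope::IsScriptForbidden()) {
      runner_->PostTask([this] { RejectReadyFixed(); });
      return;
    }
    ready_.Reject(ToV8("AbortError"));
  }
  const ScriptPromiseResolver& ready() const { return ready_; }
 private:
  TaskRunner* runner_;
  ScriptPromiseResolver ready_;
};

// Exercises both paths from inside a forbidden scope.
struct Outcome {
  bool unfixed_crashed;        // unfixed path tripped the forbidden-script check
  bool fixed_settled_inside;   // fixed path settled while still forbidden (should be false)
  bool fixed_settled_after;    // fixed path settled once the task ran
};
Outcome Demo() {
  TaskRunner runner;
  Animation unfixed(&runner), fixed(&runner);
  Outcome o{false, false, false};
  {
    ScriptForbiddenScope forbid;
    try { unfixed.RejectReadyUnfixed(); } catch (const ForbiddenScriptViolation&) { o.unfixed_crashed = true; }
    fixed.RejectReadyFixed();
    o.fixed_settled_inside = fixed.ready().settled();
  }
  runner.RunUntilIdle();
  o.fixed_settled_after = fixed.ready().settled();
  return o;
}
```

The model also shows the caveat a reviewer would raise about this class of fix: the deferred task re-checks IsScriptForbidden() when it runs, because a task runner may itself be drained from inside some other forbidden scope; without that re-check the same CHECK would fire one task later.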
May 10 2017
ClusterFuzz has detected this issue as fixed in range 470386:470440.

Detailed report: https://clusterfuzz.com/testcase?key=4749407842205696
Fuzzer: inferno_twister
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !ScriptForbiddenScope::isScriptForbidden() in V8PerIsolateData.cpp
  blink::beforeCallEnteredCallback
  v8::Function::NewInstance
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=470386:470440
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4749407842205696

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 10 2017
ClusterFuzz testcase 4749407842205696 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Mar 15 2017
Labels: Test-Predator-Wrong M-57
Owner: adithyas@chromium.org
Status: Assigned (was: Untriaged)