
Issue 703540 link

Issue metadata

Status: Verified
Owner:
Last visit > 30 days ago
Closed: Apr 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Android , Windows , Mac
Pri: 1
Type: Bug


Crash in blink::PerformanceNavigationTiming::type

Project Member Reported by ClusterFuzz, Mar 21 2017

Issue description

Cc: msrchandra@chromium.org
Labels: Test-Predator-Correct-CLs M-59
Owner: sunjian@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: sunjian
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/36d0286404018e441692f66d1289f33ff33a05d1
Time: Fri Mar 17 20:11:49 2017
Lines 178 of file PerformanceNavigationTiming.cpp which potentially caused crash are changed in this cl (frame #1, "blink::PerformanceNavigationTiming::type").
Minimum distance from crash line to modified line: 0. (file: PerformanceNavigationTiming.cpp, crashed on: 176, modified: 176).

@sunjian -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Yes, I think it's because the DCHECK failed. I will send out a patch today to fix it.
Comment 3 by ClusterFuzz (Project Member), Mar 22 2017

Labels: OS-Windows
Comment 4 by ClusterFuzz (Project Member), Mar 22 2017

Labels: OS-Android
Comment 5 by bugdroid1@chromium.org (Project Member), Mar 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/47b93d128610246960c032a00b67ec2083b2a05b

commit 47b93d128610246960c032a00b67ec2083b2a05b
Author: sunjian <sunjian@chromium.org>
Date: Tue Mar 28 20:13:19 2017

Fix PerformanceNavigationTiming accessor behavior after document detach.

Currently, PerformanceNavigationTiming holds on to a LocalFrame directly.
A DocumentLoader will be extracted at runtime from this LocalFrame. During the
lifetime of a LocalFrame, multiple documents can get loaded and get attached
to the same frame, which causes old PNT instance to reference DocumentLoader
that could be created for new cross-origin document. Therefore, instead of
holding on to a LocalFrame, PNT should hold on to a Document instead.

The change in this patch also fixes the crash reported by clusterfuzz, which
is dereferencing a null pointer when PerformanceNavigationTiming::type gets called
after a Document gets replaced which causes its associated DocumentLoader to be null.

BUG=704352, 703540

Review-Url: https://codereview.chromium.org/2774543003
Cr-Commit-Position: refs/heads/master@{#460198}

[add] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/LayoutTests/external/wpt/navigation-timing/nav2_test_document_replaced.html
[add] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/LayoutTests/external/wpt/navigation-timing/nav2_test_frame_removed.html
[modify] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/Source/core/timing/PerformanceNavigationTiming.cpp
[modify] https://crrev.com/47b93d128610246960c032a00b67ec2083b2a05b/third_party/WebKit/Source/core/timing/PerformanceNavigationTiming.h
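The ownership problem the commit message describes, reduced to a small C++ model. This is an added illustration, not Chromium's code or the commit's diff: `Frame`, `Document`, `DocumentLoader` and the two `Pnt*` classes stand in for the Blink types, a `shared_ptr` models the garbage-collected `Document` that keeps living while a timing entry refers to it, and the navigation-type strings and the `"navigate"` fallback are assumed sample values rather than values taken from the page.

```cpp
// Added illustration, not Chromium's code: a minimal model of the ownership
// bug in the commit above. Frame, Document, DocumentLoader and the Pnt*
// classes stand in for Blink types; type strings and the "navigate" fallback
// are assumed sample values.
#include <memory>
#include <string>
#include <utility>

struct DocumentLoader {
  std::string navigation_type;  // constructed sample values, e.g. "reload"
};

struct Document {
  // The loader belongs to exactly one document and is dropped (null) once
  // that document is detached or replaced.
  std::unique_ptr<DocumentLoader> loader;
};

struct Frame {
  // A frame outlives the documents that are successively loaded into it;
  // shared_ptr models the GC keeping an old Document alive for its referrers.
  std::shared_ptr<Document> document;

  // Attach a new document; its loader arrives later (null meanwhile), and the
  // outgoing document loses its loader.
  std::shared_ptr<Document> ReplaceDocument() {
    if (document) document->loader.reset();
    document = std::make_shared<Document>();
    return document;
  }
  void AttachLoader(std::string type) {
    document->loader = std::make_unique<DocumentLoader>();
    document->loader->navigation_type = std::move(type);
  }
};

// BEFORE the fix: the entry holds the frame, so it reads whichever document
// (and loader) happens to be attached when type() is called.
class PntHoldingFrame {
 public:
  explicit PntHoldingFrame(Frame* frame) : frame_(frame) {}
  std::string type() const {
    // No null check: dereferences a null loader right after replacement.
    return frame_->document->loader->navigation_type;
  }
  // Demonstration-only probe: would type() dereference a null loader now?
  bool WouldDereferenceNull() const { return frame_->document->loader == nullptr; }
 private:
  Frame* frame_;
};

// AFTER the fix: the entry holds the document it was created for, so it can
// never observe another (possibly cross-origin) document's loader, and a
// detached document yields a fallback instead of a crash.
class PntHoldingDocument {
 public:
  explicit PntHoldingDocument(std::shared_ptr<Document> doc) : document_(std::move(doc)) {}
  std::string type() const {
    if (!document_->loader) return "navigate";  // assumed fallback for a detached document
    return document_->loader->navigation_type;
  }
 private:
  std::shared_ptr<Document> document_;
};

struct Outcome {
  std::string old_design;  // what the frame-holding entry reports after navigation
  std::string new_design;  // what the document-holding entry reports after navigation
  bool old_would_crash;    // whether the old entry hit a null loader mid-replacement
};

// Scenario from the bug: an entry is created for the first document, then the
// frame navigates to a second one.
Outcome RunScenario() {
  Frame frame;
  std::shared_ptr<Document> first = frame.ReplaceDocument();
  frame.AttachLoader("reload");
  PntHoldingFrame old_entry(&frame);
  PntHoldingDocument new_entry(first);

  frame.ReplaceDocument();  // second document attached, loader not yet set
  Outcome o;
  o.old_would_crash = old_entry.WouldDereferenceNull();  // true: null loader
  o.new_design = new_entry.type();                        // "navigate" fallback
  frame.AttachLoader("back_forward");
  o.old_design = old_entry.type();  // reports the second document's type, not its own
  return o;
}
```

`RunScenario()` exercises both failure modes from the commit message: the frame-holding entry would dereference a null loader while the replacement is in flight, and once the new loader is attached it reports the second document's navigation type instead of the one it was created for. Holding the `Document` removes both, at the cost of deciding what a detached document should report.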

Comment 6 by ClusterFuzz (Project Member), Apr 9 2017

ClusterFuzz has detected this issue as fixed in range 458746:463137.

Detailed report: https://clusterfuzz.com/testcase?key=5426596409507840

Fuzzer: lcamtuf_cross_fuzz
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x0000000006f0
Crash State:
  blink::PerformanceNavigationTiming::type
  blink::V8PerformanceNavigationTiming::typeAttributeGetterCallback
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=457847:457874
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96q0uQJCmibgqsOa6L104v1f5tNvi4z7zK39GlztJsthCfok7ayTSzVx9LF9VRP3gu3Nf7Q1e5f7dgi8SprDgfHkmRXyagW70R2ES79F2XcAtHhmKjIhjnUnbNKPhF4U6CcefuNNjqEWjKoloQTXiMBmAe0rBVUiRQUHsGpFACgfmWWLOgpeEkgnqEBkwf9wgZT5BdBMFcyzTwm3nHGpDmznZPKUOL__TS3Ey1y0WwXJvF5wiNvnDmz5U4CdFPRwrzIVwG7sFSA_rH0PYq9jRUdLjDBOybRlVpi5ptRYh0o6GRJnFv1TF4AZDreugiO3ust9w4XsGWGQ8KgKMlkcvt5kXzAdPS6G8t3SGFKnJZDve5d9oi8hP10BUS4UQvvOGUgt2bag9KxukFF3-rktoAvNQV_fg?testcase_id=5426596409507840


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by ClusterFuzz (Project Member), Apr 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5426596409507840 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.