Detailed report: https://clusterfuzz.com/testcase?key=5198531943202816

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::SVGColorProperty::CalculateAnimatedValue
  blink::SVGAnimateElement::CalculateAnimatedValue
  blink::SVGAnimationElement::UpdateAnimation

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=456354:456375

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv9401qJySw3mEDyvYpU7tBbcC_qtXRI2N2NyMO4_dpKNioyVWwO74jzkcfb4fDz5zHI2NluPXsWbdCCX_ZkR1cQsNb5VUgQ9MN5ynzJa39ScGrVZvYsQN59IcSlB-F_5rOcZ7KvKP_kfjWcNvrn2Y5IhnpFKOZrXJHTTdQiYpRWxvjm4NjttYuNEYS6AM1nqWK7dhSWV25_02ZDY7pa8CY7WQir1VVHbCGpwmuUsAAcohFEyiP21TaLWoSmFQb-tsaN6D5HFWtumotZkcBqbt-2osupde3-uqY_-s99mlhJZmbFP1JNWOwYvFeQg55ULJqZ_cMk5EYKW-9UgnK4Ted2FQZ0ZUjiAAOtYr2qKQnCGoAU_NsBiO5ZFdvAVESIB0hpO8B5TLq6FPDek1pAJ37NoGjz7Tw?testcase_id=5198531943202816

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Through regression range, suspected CL is https://chromium.googlesource.com/chromium/src/+/ec5133da581afeb7e71904f528df9ae4966ccfaf
In that range, ef3b9727c297214c9a7093cdf51f92200d78140c would be a more likely suspect.
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/c1d98a208cadc9b2ee92a82f641f026f1df9490d

commit c1d98a208cadc9b2ee92a82f641f026f1df9490d
Author: fs <fs@opera.com>
Date: Wed Apr 12 15:41:10 2017

Invalidate the "values cache" when resetting animated value state

When we revalidate the animated value, and the value 'source' is the 'values' attribute, we need to also reset the cached 'from' and 'to' values kept in SVGAnimationElement. If not, a target change could clear the animated from/to values and not notice that they are stale on revalidation.

Companion to https://codereview.chromium.org/2763283002.

BUG= 710247

Review-Url: https://codereview.chromium.org/2817643003
Cr-Commit-Position: refs/heads/master@{#464037}

[add] https://crrev.com/c1d98a208cadc9b2ee92a82f641f026f1df9490d/third_party/WebKit/LayoutTests/svg/animations/target-move-values-crash-expected.txt
[add] https://crrev.com/c1d98a208cadc9b2ee92a82f641f026f1df9490d/third_party/WebKit/LayoutTests/svg/animations/target-move-values-crash.html
[modify] https://crrev.com/c1d98a208cadc9b2ee92a82f641f026f1df9490d/third_party/WebKit/Source/core/svg/SVGAnimateElement.cpp
[modify] https://crrev.com/c1d98a208cadc9b2ee92a82f641f026f1df9490d/third_party/WebKit/Source/core/svg/SVGAnimationElement.cpp
[modify] https://crrev.com/c1d98a208cadc9b2ee92a82f641f026f1df9490d/third_party/WebKit/Source/core/svg/SVGAnimationElement.h
ClusterFuzz has detected this issue as fixed in range 464021:464058.

Detailed report: https://clusterfuzz.com/testcase?key=5198531943202816

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::SVGColorProperty::CalculateAnimatedValue
  blink::SVGAnimateElement::CalculateAnimatedValue
  blink::SVGAnimationElement::UpdateAnimation

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=456354:456375
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=464021:464058

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv9401qJySw3mEDyvYpU7tBbcC_qtXRI2N2NyMO4_dpKNioyVWwO74jzkcfb4fDz5zHI2NluPXsWbdCCX_ZkR1cQsNb5VUgQ9MN5ynzJa39ScGrVZvYsQN59IcSlB-F_5rOcZ7KvKP_kfjWcNvrn2Y5IhnpFKOZrXJHTTdQiYpRWxvjm4NjttYuNEYS6AM1nqWK7dhSWV25_02ZDY7pa8CY7WQir1VVHbCGpwmuUsAAcohFEyiP21TaLWoSmFQb-tsaN6D5HFWtumotZkcBqbt-2osupde3-uqY_-s99mlhJZmbFP1JNWOwYvFeQg55ULJqZ_cMk5EYKW-9UgnK4Ted2FQZ0ZUjiAAOtYr2qKQnCGoAU_NsBiO5ZFdvAVESIB0hpO8B5TLq6FPDek1pAJ37NoGjz7Tw?testcase_id=5198531943202816

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
ClusterFuzz testcase 5198531943202816 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by mummare...@chromium.org, Apr 10 2017
Labels: Test-Predator-Wrong M-59
Owner: f...@opera.com
Status: Assigned (was: Untriaged)