Predator and CL did not found any possible suspects.
Using Code Search for the file, "PaintInvalidationCapableScrollableArea.cpp" assigning to the concern owner.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/49c67797cd9be6221b2d36bc35700c36dd00839d

@dcheng -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

It's not likely to be a rename issue. I'll take a look to see if I can repro.

Confirmed crashes in a non-asan ToT build.

Received signal 11 SEGV_MAPERR 000000000000
#0 0x7f6fc2b6a4a7 base::debug::StackTrace::StackTrace()
#1 0x7f6fc2b6a01f base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f6fc2890330 <unknown>
#3 0x7f6fb5c7bb2e blink::PaintInvalidator::MapLocalRectToVisualRectInBacking<>()
#4 0x7f6fb5c7b915 blink::PaintInvalidatorContext::MapLocalRectToVisualRectInBacking()
#5 0x7f6fb5c7b137 blink::PaintInvalidationCapableScrollableArea::InvalidatePaintOfScrollControlsIfNeeded()
#6 0x7f6fb5c5a19b blink::BoxPaintInvalidator::InvalidatePaintIfNeeded()
#7 0x7f6fb5c52a62 blink::BlockPaintInvalidator::InvalidatePaintIfNeeded()
#8 0x7f6fb5a954dd blink::LayoutBlock::InvalidatePaintIfNeeded()
#9 0x7f6fb5c7ccfb blink::PaintInvalidator::InvalidatePaintIfNeeded()
#10 0x7f6fb5ca3a2f blink::PrePaintTreeWalk::Walk()
#11 0x7f6fb5ca41ba blink::PrePaintTreeWalk::Walk()
#12 0x7f6fb5ca41ba blink::PrePaintTreeWalk::Walk()
#13 0x7f6fb5ca41ba blink::PrePaintTreeWalk::Walk()
#14 0x7f6fb5ca3738 blink::PrePaintTreeWalk::Walk()
#15 0x7f6fb5ca34d3 blink::PrePaintTreeWalk::Walk()
#16 0x7f6fb58462d0 blink::FrameView::PrePaint()
#17 0x7f6fb5845285 blink::FrameView::UpdateLifecyclePhasesInternal()
#18 0x7f6fb5c382ca blink::PageAnimator::UpdateAllLifecyclePhases()
#19 0x7f6fbd025bbc blink::WebViewImpl::UpdateAllLifecyclePhases()
#20 0x7f6fc0989aa7 content::RenderWidget::UpdateVisualState()
#21 0x7f6fbf48edb1 cc::ProxyMain::BeginMainFrame()

Hit a DCHECK in Debug, but had to reload several times.
[1:1:0419/170011.737796:FATAL:FindPaintOffsetAndVisualRectNeedingUpdate.h(73)] Check failed: !RuntimeEnabledFeatures::slimmingPaintInvalidationEnabled() || (context.tree_builder_context_ && context.tree_builder_context_->is_actually_needed). 
#0 0x7fc05f2192cb base::debug::StackTrace::StackTrace()
#1 0x7fc05f217fcc base::debug::StackTrace::StackTrace()
#2 0x7fc05f28adff logging::LogMessage::~LogMessage()
#3 0x7fc04502a956 blink::FindVisualRectNeedingUpdateScopeBase::FindVisualRectNeedingUpdateScopeBase()
#4 0x7fc04502a336 blink::FindVisualRectNeedingUpdateScope::FindVisualRectNeedingUpdateScope()
#5 0x7fc045b5f6a2 blink::ObjectPaintInvalidatorWithContext::InvalidateSelectionIfNeeded()
#6 0x7fc045b5fa51 blink::ObjectPaintInvalidatorWithContext::InvalidatePaintIfNeededWithComputedReason()
#7 0x7fc045b2b96e blink::BoxPaintInvalidator::InvalidatePaintIfNeeded()
#8 0x7fc045b1763f blink::BlockPaintInvalidator::InvalidatePaintIfNeeded()
#9 0x7fc04576aecd blink::LayoutBlock::InvalidatePaintIfNeeded()
#10 0x7fc045b6c032 blink::PaintInvalidator::InvalidatePaintIfNeeded()
#11 0x7fc045bca16c blink::PrePaintTreeWalk::Walk()
#12 0x7fc045bca23b blink::PrePaintTreeWalk::Walk()
#13 0x7fc045bca23b blink::PrePaintTreeWalk::Walk()
#14 0x7fc045bca23b blink::PrePaintTreeWalk::Walk()
#15 0x7fc045bc9f71 blink::PrePaintTreeWalk::Walk()
#16 0x7fc045bc9dec blink::PrePaintTreeWalk::Walk()
#17 0x7fc04521fbb6 blink::FrameView::PrePaint()
#18 0x7fc04521e52a blink::FrameView::UpdateLifecyclePhasesInternal()
#19 0x7fc04521dc72 blink::FrameView::UpdateAllLifecyclePhases()
#20 0x7fc045ad96bb blink::PageAnimator::UpdateAllLifecyclePhases()
#21 0x7fc04e8321e5 blink::PageWidgetDelegate::UpdateAllLifecyclePhases()
#22 0x7fc04e93e0f4 blink::WebViewImpl::UpdateAllLifecyclePhases()
#23 0x7fc04e934981 blink::WebViewFrameWidget::UpdateAllLifecyclePhases()
#24 0x7fc059b6b53b content::RenderWidget::UpdateVisualState()
#25 0x7fc05999b09a content::RenderWidgetCompositor::UpdateLayerTreeHost()
#26 0x7fc0555664ed cc::LayerTreeHost::RequestMainFrameUpdate()
#27 0x7fc05563907c cc::ProxyMain::BeginMainFrame()

pdr@, related to your crash bug fixes?

I will take a look.

ClusterFuzz has detected this issue as fixed in range 465403:465427.

Detailed report: https://clusterfuzz.com/testcase?key=6072549936201728

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::PaintInvalidator::MapLocalRectToVisualRectInBacking<class blink::LayoutRe
  blink::PaintInvalidatorContext::MapLocalRectToVisualRectInBacking
  blink::ScrollControlVisualRect
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=464127:464479
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=465403:465427

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv969VmVaz6Pe6HEeffcHE5s0xeiIdPtSDLa-68nGpsO1e_UDeFRaO82cvJlmOw0BETqKQdwyE6P-OEsoXaWHbm4x13U2995jRDnSywmh4Hlw1wNioAI-YG9KWG8PFwOT74JX1iB7BXXwLDVmsGGSzeje3qElzUwqo8tza06KIbjNKxUcAmaGB-RRrDOfEAqlQ2TgIXYixac4xNrOahaXFtgJyZV0TZ_5wxYt-iKMUU0fpObcfbApFfyFVq4exc7Ed0Dfa_zkVgZTLR-mnUpBDNbHum_3AdUVhAEi9pMIcODWzfV1K7Q6_pMSzzgSjw29cM-8jjZPMpcO8dkqCOaXnjsvdBJ3Xt6_Ks1jSFpmafaxhUDSeBM?testcase_id=6072549936201728


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.