Null-dereference READ in blink::CSSAnimations::IsAffectedByKeyframesFromScope
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4657668278190080

Fuzzer: inferno_twister_c
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::CSSAnimations::IsAffectedByKeyframesFromScope
  blink::Animation::InvalidateKeyframeEffect
  blink::AnimationTimeline::InvalidateKeyframeEffects

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=478152:478270

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4657668278190080

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 22 2017
Jun 23 2017
This bug is a symptom of CSSAnimations appearing in Animation code. Animation should not be depending on CSSAnimations. Animation::InvalidateKeyframeEffect() makes the incorrect assumption that the animation uses @keyframes for its effect model when it may instead be using JS provided keyframes.
Jun 23 2017
The code is falling over on this DCHECK in Node::GetTreeScope: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/dom/Node.h?l=560&rcl=82e425e14a72daaa367c9761e486f6c2589f41c5

I don't understand this part of the code. I take it 'document.querySelector(".script-animation")' does not have a tree scope?
Jun 23 2017
That will return null, the Animation is being created without a target element.
Jun 26 2017
Patch up at https://codereview.chromium.org/2961573002
Jun 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e4424b5ca106bdb36ad962a9daadb86131576e98

commit e4424b5ca106bdb36ad962a9daadb86131576e98
Author: suzyh <suzyh@chromium.org>
Date: Tue Jun 27 07:06:22 2017

Fix nullptr deref in InvalidateKeyframeEffect

Animation::InvalidateKeyframeEffect assumed that if it had content then it had a target element. After implementing the Animation constructor, it was possible to have created an Animation object with a KeyframeEffect with no target element. This patch checks whether the target is nullptr before dereferencing.

BUG=734721

Review-Url: https://codereview.chromium.org/2961573002
Cr-Commit-Position: refs/heads/master@{#482558}

[add] https://crrev.com/e4424b5ca106bdb36ad962a9daadb86131576e98/third_party/WebKit/LayoutTests/animations/keyframeeffect-no-target-crash-expected.txt
[add] https://crrev.com/e4424b5ca106bdb36ad962a9daadb86131576e98/third_party/WebKit/LayoutTests/animations/keyframeeffect-no-target-crash.html
[modify] https://crrev.com/e4424b5ca106bdb36ad962a9daadb86131576e98/third_party/WebKit/Source/core/animation/Animation.cpp
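The following page is an added illustration of the crash condition described in the commit message and in comment 3, written for this edit; it is not the keyframeeffect-no-target-crash.html layout test that landed with the fix, and its text is not from that test. It assumes two things that the thread does not spell out: that a KeyframeEffect can be constructed with a null target and wrapped in an Animation via the Animation constructor (the commit message says this became possible once that constructor was implemented), and that adding a stylesheet with an @keyframes rule is one way to make the document's AnimationTimeline call InvalidateKeyframeEffects on every attached animation, which is the top of the crash state above.

```html
<!DOCTYPE html>
<!-- Added example, not the project's layout test. Assumptions: the Animation
     constructor is available, and appending an @keyframes rule triggers
     AnimationTimeline::InvalidateKeyframeEffects on live animations. -->
<body>
<script>
// 1. Build a KeyframeEffect with no target element and hand it to an
//    Animation via the Animation constructor (the path the commit names).
//    The keyframes come from JS, not from an @keyframes rule, which is the
//    mismatch comment 1 points out.
const effect = new KeyframeEffect(
    null,                              // no target element
    [{ opacity: 0 }, { opacity: 1 }],  // JS-provided keyframes
    { duration: 1000 });
const animation = new Animation(effect, document.timeline);
animation.play();

// 2. Change the set of @keyframes rules in the document. Before the fix the
//    timeline asked each animation whether the new rules affect it, and
//    Animation::InvalidateKeyframeEffect walked into
//    CSSAnimations::IsAffectedByKeyframesFromScope with a null target,
//    hitting the DCHECK in Node::GetTreeScope and, in release builds, the
//    null read at offset 0x20 reported by ASAN.
const style = document.createElement('style');
style.textContent =
    '@keyframes spin { from { transform: none } ' +
    'to { transform: rotate(1turn) } }';
document.head.appendChild(style);

// 3. If the renderer survives to the next frame, the nullptr check added in
//    Animation.cpp is doing its job.
requestAnimationFrame(() => {
  document.body.textContent =
      'PASS: Animation with a null-target KeyframeEffect did not crash.';
});
</script>
</body>
```

Loaded in a build from the regression range 478152:478270 under ASAN this should reproduce the Null-dereference READ in the crash state above; from revision 482558 onward the page should simply print PASS. Any other path that invalidates keyframe effects (for example, removing a stylesheet that contained @keyframes) should behave the same way, since the fix sits in Animation::InvalidateKeyframeEffect rather than in the trigger.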
Jun 28 2017
ClusterFuzz has detected this issue as fixed in range 482554:482572.

Detailed report: https://clusterfuzz.com/testcase?key=4657668278190080

Fuzzer: inferno_twister_c
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::CSSAnimations::IsAffectedByKeyframesFromScope
  blink::Animation::InvalidateKeyframeEffect
  blink::AnimationTimeline::InvalidateKeyframeEffects

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=478152:478270
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=482554:482572

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4657668278190080

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 28 2017
ClusterFuzz testcase 4657668278190080 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Jun 22 2017
Components: Blink>Animation
Labels: M-61 Test-Predator-Wrong
Owner: suzyh@chromium.org
Status: Assigned (was: Untriaged)