Null-dereference READ in blink::Document::ContextDocument
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5492586990272512

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000148
Crash State:
  blink::Document::ContextDocument
  blink::TaskRunnerHelper::Get
  blink::PlatformEventController::PlatformEventController

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=499964:499992

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5492586990272512

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Sep 7 2017
Predator could not provide any possible suspects. Assigning to the concern owner from CL:
https://chromium.googlesource.com/chromium/src/+log/8c577b8ef4675ae2438197941561a4c401a61283..bc726f37fe751557cef271e6a3276aea27f8344a?pretty=fuller&n=10000

Suspecting commit:
https://chromium.googlesource.com/chromium/src/+/6e8ee4652a28c58f0f9f6e8bc9f336eca6207056

@japhet: Could you please look into the issue? Kindly re-assign if this is not related to your changes. Thank you.
Sep 8 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e

commit bd98f9c5a1f76edf6fc7b8cbe129837727475c3e
Author: Nate Chapin <japhet@chromium.org>
Date: Fri Sep 08 00:43:20 2017

Fix crashes in TaskRunnerHelper

Null-check document->ContextDocument()->GetFrame() when looking up a task runner based on a Document*.
PlatformEventController should be resilient to being initialized based on a detached Document*.

Bug: 762768, 762769, 763040
Test: fast/media/media-element-move-to-new-document.html, gamepad/gamepad-on-detached-navigator.html
Change-Id: I84a1b5876d2483b4dfdc6238df376278ba8b2b72
Reviewed-on: https://chromium-review.googlesource.com/655917
Reviewed-by: Alexander Timin <altimin@chromium.org>
Commit-Queue: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/master@{#500456}

[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/fast/media/media-element-move-to-new-document-crash-expected.txt
[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/fast/media/media-element-move-to-new-document-crash.html
[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/gamepad/gamepad-on-detached-navigator-expected.txt
[add] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/LayoutTests/gamepad/gamepad-on-detached-navigator.html
[modify] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/Source/core/dom/TaskRunnerHelper.cpp
[modify] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/Source/core/frame/PlatformEventController.cpp
[modify] https://crrev.com/bd98f9c5a1f76edf6fc7b8cbe129837727475c3e/third_party/WebKit/Source/core/frame/PlatformEventController.h
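The pattern the commit message describes, as an added example that is not Blink's code and not part of this bug thread: the `Document`, `Frame`, `TaskRunner` and `PlatformEventController` stand-ins, the `context_document` member and the `g_default_runner` fallback are all constructed for illustration and are assumptions, not Chromium's real types. Following the commit message, a "detached" document is modelled as one whose `Frame*` is null; the unchecked lookup dereferences that null pointer, while the null-checked lookup falls back to a default runner so a controller built from a detached document is still constructed safely.

```cpp
// Constructed model of a null-dereference when resolving a task runner from a
// detached Document. These are minimal stand-ins, NOT Blink's classes
// (assumption made for illustration).
#include <iostream>
#include <string>

struct TaskRunner {
    std::string name;
};

struct Frame {
    TaskRunner runner{"frame-runner"};
};

// A Document becomes "detached" when its owning frame goes away (navigation,
// or a node being moved to another document): its Frame* is then null.
struct Document {
    Frame* frame = nullptr;
    Document* context_document = nullptr;  // null means "this document"

    Document* ContextDocument() {
        return context_document ? context_document : this;
    }
    Frame* GetFrame() { return frame; }
};

// Fallback used when no frame is available (assumption: stands in for a
// default/main-thread runner; the real fallback is whatever Blink chooses).
static TaskRunner g_default_runner{"default-runner"};

// Before the fix: the code assumed ContextDocument()->GetFrame() was non-null.
// Instead of dereferencing, report whether it would have done so.
bool UncheckedLookupWouldCrash(Document* document) {
    Document* ctx = document->ContextDocument();
    return ctx->GetFrame() == nullptr;  // -> frame->runner would read through null
}

// After the fix: null-check the frame and fall back to a default runner.
TaskRunner* GetTaskRunner(Document* document) {
    if (!document) return &g_default_runner;
    Document* ctx = document->ContextDocument();
    if (Frame* frame = ctx ? ctx->GetFrame() : nullptr)
        return &frame->runner;
    return &g_default_runner;
}

// Caches its runner at construction, so it must tolerate a detached Document.
class PlatformEventController {
public:
    explicit PlatformEventController(Document* document)
        : runner_(GetTaskRunner(document)) {}
    const std::string& RunnerName() const { return runner_->name; }
private:
    TaskRunner* runner_;
};

// Scenario helpers: attached document resolves to its frame's runner.
std::string RunnerNameForAttachedDocument() {
    Frame frame;
    Document doc;
    doc.frame = &frame;
    PlatformEventController controller(&doc);
    return controller.RunnerName();
}

// Detached document (no frame) resolves to the fallback instead of crashing.
std::string RunnerNameForDetachedDocument() {
    Document doc;  // frame stays null: detached
    PlatformEventController controller(&doc);
    return controller.RunnerName();
}

// The same detached document would have been a null read before the fix.
bool DetachedLookupWouldCrashBeforeFix() {
    Document doc;
    return UncheckedLookupWouldCrash(&doc);
}

int main() {
    std::cout << "attached:  " << RunnerNameForAttachedDocument() << "\n"
              << "detached:  " << RunnerNameForDetachedDocument() << "\n"
              << "pre-fix crash on detached: "
              << (DetachedLookupWouldCrashBeforeFix() ? "yes" : "no") << "\n";
    return 0;
}
```

The point of the model is where the check lives: it is not enough to guard the controller's constructor, because any caller that resolves a runner from a `Document*` can hit a detached document, so the null check belongs in the shared lookup and the caller only has to accept a fallback runner.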
Sep 8 2017
ClusterFuzz has detected this issue as fixed in range 500415:500457.

Detailed report: https://clusterfuzz.com/testcase?key=5492586990272512

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000148
Crash State:
  blink::Document::ContextDocument
  blink::TaskRunnerHelper::Get
  blink::PlatformEventController::PlatformEventController

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=499964:499992
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=500415:500457

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5492586990272512

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 8 2017
ClusterFuzz testcase 5492586990272512 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.