As per the  Issue 747187  owner assigning this issue to @keishi.
@keishi -- Could you please look into this issue, kindly reassign if it has nothing to do with your changes.
Thanks.

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6507111961067520.

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Lower to Pri-3 since this is caused by unusual HTML.

ClusterFuzz has detected this issue as fixed in range 551565:551568.

Detailed report: https://clusterfuzz.com/testcase?key=6112800887013376

Fuzzer: ifratric-browserfuzzer-v3
Job Type: linux_ubsan_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= MaxElementCountInBackingStore<T>() in HeapAllocator.h
  blink::HeapAllocator::QuantizedSize<>
  blink::UndoStep::Append
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=464875:464913
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_chrome&range=551565:551568

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6112800887013376

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6112800887013376 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.