Example build:
https://ci.chromium.org/buildbot/chromium.clang/ToTLinuxUBSanVptr/1483

Symbolized output:

../../third_party/WebKit/Source/platform/scheduler/renderer/renderer_scheduler_impl.cc:736:7: runtime error: member call on address 0x3e6ea9d4a098 which does not point to an object of typ
e 'blink::scheduler::TraceableState<bool, &blink::scheduler::kTracingCategoryNameInfo>'
0x3e6ea9d4a098: note: object is of type 'blink::scheduler::TraceableVariable'
 00 00 00 00  98 89 6c 0c 00 00 00 00  38 98 d4 a9 6e 3e 00 00  00 00 00 00 00 00 00 00  6d fc 31 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'blink::scheduler::TraceableVariable'
    #0 0x308d731 in blink::scheduler::RendererSchedulerImpl::OnShutdownTaskQueue(scoped_refptr<blink::scheduler::MainThreadTaskQueue> const&) third_party/WebKit/Source/platform/scheduler/
renderer/renderer_scheduler_impl.cc:736:7
    #1 0x3075ed4 in blink::scheduler::MainThreadTaskQueue::DetachFromRendererScheduler() third_party/WebKit/Source/platform/scheduler/renderer/main_thread_task_queue.cc:136:24
    #2 0x30761cc in blink::scheduler::MainThreadTaskQueue::ShutdownTaskQueue() third_party/WebKit/Source/platform/scheduler/renderer/main_thread_task_queue.cc:142:3
    #3 0x3074bda in blink::scheduler::MainThreadSchedulerHelper::~MainThreadSchedulerHelper() third_party/WebKit/Source/platform/scheduler/renderer/main_thread_scheduler_helper.cc:31:24
    #4 0x3083b59 in blink::scheduler::RendererSchedulerImpl::~RendererSchedulerImpl() third_party/WebKit/Source/platform/scheduler/renderer/renderer_scheduler_impl.cc:330:1
    #5 0x30840fc in blink::scheduler::RendererSchedulerImpl::~RendererSchedulerImpl() third_party/WebKit/Source/platform/scheduler/renderer/renderer_scheduler_impl.cc:298:49
    #6 0x44f359c in operator() buildtools/third_party/libc++/trunk/include/memory:2286:5
    #7 0x44f359c in reset buildtools/third_party/libc++/trunk/include/memory:2599
    #8 0x44f359c in ~unique_ptr buildtools/third_party/libc++/trunk/include/memory:2553
    #9 0x44f359c in content::TestBlinkWebUnitTestSupport::~TestBlinkWebUnitTestSupport() content/test/test_blink_web_unit_test_support.cc:210
    #10 0x44eb3ea in ~TestEnvironment content/public/test/blink_test_environment.cc:50:23
    #11 0x44eb3ea in content::TearDownBlinkTestEnvironment() content/public/test/blink_test_environment.cc:93
    #12 0x1502392 in ~BlinkTestEnvironmentScope third_party/WebKit/Source/platform/heap/RunAllTests.cpp:41:34
    #13 0x1502392 in runHelper(base::TestSuite*) third_party/WebKit/Source/platform/heap/RunAllTests.cpp:52
    #14 0x3f40be3 in Run base/callback.h:94:12
    #15 0x3f40be3 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) base/t
est/launcher/unit_test_launcher.cc:220
    #16 0x3f40a29 in base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) base/test/launcher/unit_test_launcher.cc:558:10
    #17 0x1502466 in main third_party/WebKit/Source/platform/heap/RunAllTests.cpp:56:10
    #18 0x7fa29ae462b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #19 0x1319029 in _start (/work/chromium/src/out/debug/blink_heap_unittests+0x1319029)


I think what happens is that MainThreadOnly's dtor has already run when we receive the OnShutdownTaskQueue callback, which in turn is coming because RendererSchedulerImpl's dtor is running.

Maybe this can be fixed be reordering the members of RendererSchedulerImpl so the MainThreadOnly dtor runs later.