This issue looks similar to   bug 846495  , hence assigning to the same dev for more updates.

kochi@ Could you please take a look in to this issue?

Thanks!

The bisect found my CL
https://chromium.googlesource.com/chromium/src/+log/b0e4b4840bff841de8ae65d01e1b3b1482da8c77..bb4692c0babd2fdd7f54e6f4f876a6e060d9bb8a
is the starting point, but the CL is converting existing element's UA
shadow from V0 to V1, and this CL is not UA-shadow specific.

This is not a recent regression, removing M-68 tag.

ClusterFuzz has detected this issue as fixed in range 567635:567636.

Detailed report: https://clusterfuzz.com/testcase?key=5422844939599872

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffcea674fd8
Crash State:
  blink::Element::UpdateCallbackSelectors
  blink::Element::RemoveCallbackSelectors
  blink::Element::DetachLayoutTree
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=567635:567636

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5422844939599872

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.