Issue 600378


Issue metadata

Status: Fixed
Owner: ----
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Regression


expandToParagraphBoundary() doesn't work well with SVG

Project Member Reported by ClusterFuzz, Apr 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4936852359872512

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000010
Crash State:
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::in
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::Te
  blink::plainText
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=348346:348644

Minimized Testcase (1.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96K_RYxPX4-FLeIcl0ZGUHali4R7biSLM3iEcOVKFVpX4vgJxMY3fRHq_cMtmXK2oJKWo6AxCQFrRosFjJdT7nL1MAKu0YyrgwYG8HE5dXhYPg-pK9iZ8-TQjD4xB8N0UdYx--AUFVoBV45VLq_GJYCcmoguQ

Filer: msrchandra

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Labels: -Type-Bug findit-wrong Te-Logged Type-Bug-Regression
Owner: yosin@chromium.org
Status: Assigned (was: Available)
Unable to find the culprit from the CL, Code Search and Findit.
Providing the Findit results:
Suspected CLs: No CL in the regression range changes the crashed files. The result is the blame information.

Author: wibling@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/a4c3a7dd738ac5789cbdbf82b6c63627154ec46a
Time: Thu Apr 03 13:08:44 2014
The CL last changed line 776 of file Handle.h, which is stack frame 0.

Author: morrita@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/b57ba7fbed657ef1db910b324ad76baaa0072c81
Time: Thu Dec 12 03:58:25 2013
The CL last changed line 473 of file Node.h, which is stack frame 1.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/c3d074c5e481efa3db5524ad68de2d1d2da84e80
Time: Mon Apr 13 01:24:17 2015
The CL last changed line 110 of file TextIterator.cpp, which is stack frame 2.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/c3d074c5e481efa3db5524ad68de2d1d2da84e80
Time: Mon Apr 13 01:24:17 2015
The CL last changed line 171 of file TextIterator.cpp, which is stack frame 3.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/677464bebdf9792b092676f088f60daf0abadd58
Time: Wed Aug 05 06:24:12 2015
The CL last changed line 156 of file TextIterator.cpp, which is stack frame 4.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4bcb76d1b050f0921cd852d96b2c61addc1ca67d
Time: Tue Jul 14 06:36:07 2015
The CL last changed line 1147 of file TextIterator.cpp, which is stack frame 5.

Author: yosin@chromium.org
Component: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/4bcb76d1b050f0921cd852d96b2c61addc1ca67d
Time: Tue Jul 14 06:36:07 2015
The CL last changed line 1169 of file TextIterator.cpp, which is stack frame 6.

Suspected Component: chromium-blink
Suspected Cr- Label: Cr-Blink-Editing

Assigning to the concerned Dev who previously worked on similar issues.
@yosin -- Could you please look into the issue? Pardon me if it has nothing to do with your changes; if possible, please assign it to the concerned Dev.
Thank you.

Comment 2 by yosin@chromium.org, Apr 5 2016

Components: Blink>Editing

Comment 3 by yosin@chromium.org, Apr 5 2016

Labels: -OS-Linux -Pri-1 OS-All Pri-2
Status: Available (was: Assigned)
Summary: expandToParagraphBoundary() doesn't work well with SVG (was: Crash in blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::in)
DOM tree at assertion

selection.showTreeForThis()
BODY	000002F638C033A8
	TABLE	000002F638C03410 CLASS="CLASS9 CLASS7"
		#text	000002F638C034F8 "\n"
		CAPTION	000002F638C03490
			#text	000002F638C03548 "\n"
			RUBY	000002F638C03598
				#text	000002F638C03600 "\n"
				RB	000002F638C03650
					#text	000002F638C036B8 "\n"
				RTC	000002F638C03708
					#text	000002F638C03770 "\n"
					RT	000002F638C037C0
						#text	000002F638C03828 "\n"
						SUB	000002F638C03878
							#text	000002F638C038E0 "\n"
							TEXTAREA	000002F638C03930
								#shadow-root	000002F638C03A18
									DIV	000002F638C03AF0 ID="inner-editor" (editable)
							#text	000002F638C03B58 "\n"
							INPUT	000002F638C03BA8
								#shadow-root	000002F638C03CB8
									DIV	000002F638C03D90 ID="inner-editor" (editable)
							#text	000002F638C03DF8 "\n"
							SELECT	000002F638C03E48
								#shadow-root	000002F638C03FA8
									CONTENT	000002F638C04080
								#text	000002F638C04138 "\n"
								OPTGROUP	000002F638C04188 CLASS="CLASS8"
									#shadow-root	000002F638C041F8
										DIV	000002F638C042D0 ID="optgroup-label" STYLE="padding: 0px 2px 1px; min-height: 1.2em;"
										CONTENT	000002F638C04338
									#text	000002F638C043F0 "\n"
								OPTGROUP	000002F638C04440 CLASS="CLASS9"
									#shadow-root	000002F638C044B0
										DIV	000002F638C04588 ID="optgroup-label" STYLE="padding: 0px 2px 1px; min-height: 1.2em;"
										CONTENT	000002F638C045F0
									#text	000002F638C046A8 "\n"
									OPTION	000002F638C046F8
										#shadow-root	000002F638C04770
										#text	000002F638C04848 "\n"
							#text	000002F638C04898 "\n"
							svg	000002F638C048E8
								#text	000002F638C04A40 "\n"
								view	000002F638C04A90
									#text	000002F638C04B78 "\n"
								#text	000002F638C04BC8 "\n"
								animateColor	000002F638C04C18
									#text	000002F638C04CC8 "\n"
								#text	000002F638C04D18 "\n"
								foreignObject	000002F638C04D68
									#text	000002F638C04E68 "\n"
									OBJECT	000002F638C04EB8
										#shadow-root	000002F638C05028
											CONTENT	000002F638C05100
										#text	000002F638C051B8 "\n"
										SELECT	000002F638C05208
											#shadow-root	000002F638C05368
												CONTENT	000002F638C05440
											#text	000002F638C054F8 "\n"
										#text	000002F638C05548 "\n"
										BUTTONNL"	000002F638C05598
											#text	000002F638C05600 "\n"
											IMG	000002F638C05650
											#text	000002F638C05710 "\n"
											FOREIGNOBJECT	000002F638C05760
												#text	000002F638C057C8 "\n"
												FORM	000002F638C05818 CLASS="CLASS1"
													#text	000002F638C058E8 "\n"
													H6	000002F638C05938
														#text	000002F638C059A0 "\n"
														svg	000002F638C059F0
															#text	000002F638C05B48 "\n"
															ins	000002F638C05B98
																#text	000002F638C05C48 "\n"
														DIV	000002F638C05C98
														SMALL	000002F638C05D58 (editable)
SE															#text	000002F638C05DC0 "7JJJJ********Q:%""FX?OWWWWWWWWWi"
															INPUT	000002F638C05E10 (editable)
																#shadow-root	000002F638C05F20
																	DIV	000002F638C05FF8 ID="inner-editor" (editable)
															#text	000002F638C06060 "$$$_^uuuu--hh>P_"
															PPPPPPPPPPPPPPP<	000002F638C060B0 (editable)
														SELECT	000002F638C06118 (editable) (focused)
															#shadow-root	000002F638C06278
																CONTENT	000002F638C06350
															#text	000002F638C06408 "nG^^^[cccccccccccc=\\!eemmmmmm|w1{{{{{{{{{{{{{{Zt;@@Cs----;%%2@**kY''''''^))))))))2l:```:OOOOOOOO"
<void>
Comment 4 by bugdroid1@chromium.org (Project Member), Apr 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3325b1d139dd5ce8101ed992c3038b5ddcca5513

commit 3325b1d139dd5ce8101ed992c3038b5ddcca5513
Author: yosin <yosin@chromium.org>
Date: Wed Apr 06 02:06:02 2016

Introduce DCHECK() in expandToParagraphBoundary()

This patch introduces |DCHECK()| in |expandToParagraphBoundary()| to detect
where we do wrong for ease of finding root cause.

BUG= 600378 
TEST=n/a; no behavior changes

Review URL: https://codereview.chromium.org/1860883002

Cr-Commit-Position: refs/heads/master@{#385368}

[modify] https://crrev.com/3325b1d139dd5ce8101ed992c3038b5ddcca5513/third_party/WebKit/Source/core/editing/spellcheck/TextCheckingHelper.cpp

Comment 5 by yosin@chromium.org, Jun 10 2016

Owner: ----
Comment 6 by ClusterFuzz (Project Member), Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 413791:414128.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4936852359872512

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000010
Crash State:
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::in
  blink::TextIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >::Te
  blink::plainText
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=371187:371278
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=413791:414128

Minimized Testcase (1.44 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Zrgc3DljHRq-JferUeul2ujsSbtyC5eoZ_uMDC-5uq49YPEIiA28XpkZR13mObzi-KhpYEy48m2r8w9UHGKsAjI3_eWAGyv5HJyGUQdC6MzLS2YPS0T_YLFO1HzmdlgUmk6XRoYLOsHEOPxefAt5GonlXnQ?testcase_id=4936852359872512

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Available)
Comment 8 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
