kotenkov@, could you please look into this? Please mark it as 'Duplicate' if it is same as https://bugs.chromium.org/p/chromium/issues/detail?id=606515

Thank you!

Route to Editing triage

 Issue 594287  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 389884:390111.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5539788093915136

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  pos.anchorNode()->layoutObject(). #text "\n"@afterAnchor in CompositeEditCommand
  blink::CompositeEditCommand::insertBlockPlaceholder
  blink::FormatBlockCommand::formatRange
  
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=389884:390111

Minimized Testcase (0.25 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96fLTv7OxHSGqI2qzey7Tu5LyR-jyuhZj2GqglhhroXb6EnIfkMVFzCLk92Hpq8Mv0gPp9lzxKSPn_7doAlaPTAvMvQ_CbVk5xf7VFXBvTIoO1EcC_IurOoBvOZ-_0OLKvgDStADk39FXhhE53dQc7baJpimg?testcase_id=5539788093915136
<script>
onload = function() {
    document.designMode = 'on';
    document.execCommand('SelectAll');
    document.execCommand('FormatBlock', false, '<pre>');
};
  </script>
 ">
  ab
<style>
   div {
        height: 100px;
</style>
  <div>
  </div>
  <div>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot