From findit tool:

Author: yosin@chromium.org
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/1b68bd79caca2d25ae2a906185325e106d6ee3fa
Time: Thu Sep 10 12:56:08 2015
The CL last changed line 1011 of file VisibleUnits.cpp, which is stack frame 6.

Moving this nonessential bug to the next milestone.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

DCHECK: Check failed: layoutObject. CONTENT id="details-summary"@0

DOM tree at crash:

position.showTreeForThis()
BODY	0000025771D830A0 (editable)
	#text	0000025771D83108 "\n"
	SCRIPT	0000025771D83158 (editable)
		#text	0000025771D831D0 " \nvar test0=document.body.appendChild(document.createElement("legend"))\nvar test1=document.body.appendChild(document.createElement("details"))\nvar test7=document.body.appendChild(document.createElement("textarea"))\ntest1.style['d\\isplay']='inline';\ntest0.style.setProperty('all','initial');\ntest0.appendChild(document.createTextNode([15366]))\ndocument.execCommand("selectall");\ndocument.designMode = "on"\n"
	LEGEND	0000025771D83220 STYLE="all: initial;"
		#text	0000025771D83A68 "15366"
	DETAILS	0000025771D83288 STYLE="display: inline;" (editable)
		#shadow-root	0000025771D832F8
*			CONTENT	0000025771D83670 ID="details-summary"
				SUMMARY	0000025771D833C8 (editable)
					#shadow-root	0000025771D83430
						DIV	0000025771D83500 ID="details-marker"
						CONTENT	0000025771D83568
					#text	0000025771D83620 "Details"
			DIV	0000025771D83728 ID="details-content" STYLE="display: none;"
				CONTENT	0000025771D83790
	TEXTAREA	0000025771D83848 (editable)
		#shadow-root	0000025771D83930
			DIV	0000025771D83A00 ID="inner-editor" (editable)


Flat Tree at crash:
c.m_position.showTreeForThisInFlatTree()
BODY	0000025771D830A0 (editable)
	#text	0000025771D83108 "\n"
	SCRIPT	0000025771D83158 (editable)
		#text	0000025771D831D0 " \nvar test0=document.body.appendChild(document.createElement("legend"))\nvar test1=document.body.appendChild(document.createElement("details"))\nvar test7=document.body.appendChild(document.createElement("textarea"))\ntest1.style['d\\isplay']='inline';\ntest0.style.setProperty('all','initial');\ntest0.appendChild(document.createTextNode([15366]))\ndocument.execCommand("selectall");\ndocument.designMode = "on"\n"
	LEGEND	0000025771D83220 STYLE="all: initial;"
		#text	0000025771D83A68 "15366"
*	DETAILS	0000025771D83288 STYLE="display: inline;" (editable)
*		SUMMARY	0000025771D833C8 (editable)
*			DIV	0000025771D83500 ID="details-marker"
*			#text	0000025771D83620 "Details"
*		DIV	0000025771D83728 ID="details-content" STYLE="display: none;"
	TEXTAREA	0000025771D83848 (editable)
		DIV	0000025771D83A00 ID="inner-editor" (editable)

In review: crrev.com/2059663002

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce

commit 874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce
Author: yosin <yosin@chromium.org>
Date: Fri Jun 10 10:38:44 2016

Make flat tree version RenderedPosition constructor to work on flat tree

This patch makes flat tree version of |RenderedPosition| constructor to work
on flat tree rather than DOM tree to calculate inline box position for
flat tree position correctly.

Before this patch, flat tree version of |RenderedPosition| constructor uses
|toPositionInDOMTree()|, but id doesn't work well for children of shadow
root and insertion point, e.g. CONENT elements and SLOT elements.

In attached layout test, |RenderedPosition| constructor attempts to compute
for CONTENT element in DETAIL element.

BUG= 616070 ,  618421 
TEST=LayoutTests/editing/selection/select_all/select_all_details_crash.html

Review-Url: https://codereview.chromium.org/2059663002
Cr-Commit-Position: refs/heads/master@{#399150}

[add] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/LayoutTests/editing/selection/select_all/select_all_details_crash.html
[modify] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/Source/core/editing/RenderedPosition.cpp

ClusterFuzz has detected this issue as fixed in range 399141:399152.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6136552845737984

Fuzzer: attekett_dom_fuzzer
Job Type: linux_asan_chrome_chromeos
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000038
Crash State:
  blink::InlineBoxPosition blink::computeInlineBoxPositionTemplate<blink::EditingA
  blink::RenderedPosition::RenderedPosition
  blink::RenderedPosition::RenderedPosition
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=380105:380830
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_chromeos&range=399141:399152

Minimized Testcase (0.42 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94JiTQOu1_z-FP-JYyyN7mRWfxrExlLzDsDqSZpj3QnYahYdyxxZqeRfSgGqt21glgPrk19QkKcgRePtYLJM19Tv43ztsNEk-Rz7dM6DUCSrHhQ-HR7Nz4E34DJgDFb_E1FwyN_iW6QP43w9eG9nLSTDs5e8g
<body>
<script> 
var test0=document.body.appendChild(document.createElement("legend"))
var test1=document.body.appendChild(document.createElement("details"))
var test7=document.body.appendChild(document.createElement("textarea"))
test1.style['d\isplay']='inline';
test0.style.setProperty('all','initial');
test0.appendChild(document.createTextNode([15366]))
document.execCommand("selectall");
document.designMode = "on"
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce

commit 874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce
Author: yosin <yosin@chromium.org>
Date: Fri Jun 10 10:38:44 2016

Make flat tree version RenderedPosition constructor to work on flat tree

This patch makes flat tree version of |RenderedPosition| constructor to work
on flat tree rather than DOM tree to calculate inline box position for
flat tree position correctly.

Before this patch, flat tree version of |RenderedPosition| constructor uses
|toPositionInDOMTree()|, but id doesn't work well for children of shadow
root and insertion point, e.g. CONENT elements and SLOT elements.

In attached layout test, |RenderedPosition| constructor attempts to compute
for CONTENT element in DETAIL element.

BUG= 616070 ,  618421 
TEST=LayoutTests/editing/selection/select_all/select_all_details_crash.html

Review-Url: https://codereview.chromium.org/2059663002
Cr-Commit-Position: refs/heads/master@{#399150}

[add] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/LayoutTests/editing/selection/select_all/select_all_details_crash.html
[modify] https://crrev.com/874ac2203bcbf8d00ccb7c447ad2d307cb3dd7ce/third_party/WebKit/Source/core/editing/RenderedPosition.cpp

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot