Crash in blink::LayoutView::setSelection

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5055934560993280
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000a8
Crash State:
  blink::LayoutView::setSelection
  blink::LayoutView::clearSelection
  blink::FrameSelection::respondToNodeModification
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=380105:380830
Minimized Testcase (5.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95K7qvi5z-Z6VeNwxtnwc9iQYY8ZQY3G8NQexiqXmgjoYRT-3RIQBGwVDzNXYLbL5BqtKBszHE4Fh21SDkmbPvTmpgUgR90QK1PcD2gnRqr9Tf2_W5S6QReyfP5xsewmwgCN9sDlw3qmFyvqjdY_hV8tbJwrw?testcase_id=5055934560993280
Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 25 2016
Moving this nonessential bug to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 1 2016
unrelated to my refactoring
Jul 2 2016
This issue is Pri-1 but has already been moved once. Lowering the priority and moving to the next milestone. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 4 2016
looking...
Jul 4 2016
Hit DCHECK at FrameSelection.cpp(289): Check failed: newSelection.isValidFor(document())
Since newSelection.m_base is an orphan.

blink_core.dll!blink::FrameSelection::setSelectionAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options, blink::CursorAlignOnScroll align, blink::TextGranularity granularity) Line 290
blink_core.dll!blink::FrameSelection::setSelection(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options, blink::CursorAlignOnScroll align, blink::TextGranularity granularity) Line 389
blink_core.dll!blink::Editor::changeSelectionAfterCommand(const blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & newSelection, unsigned int options) Line 1176
blink_core.dll!blink::Editor::reappliedEditing(blink::EditCommandComposition * cmd) Line 816
blink_core.dll!blink::EditCommandComposition::reapply() Line 140
blink_core.dll!blink::UndoStack::redo() Line 117
blink_core.dll!blink::Editor::redo() Line 1085
blink_core.dll!blink::executeRedo(blink::LocalFrame & frame, blink::Event * __formal, blink::EditorCommandSource __formal, const WTF::String & __formal) Line 1098
blink_core.dll!blink::Editor::Command::execute(const WTF::String & parameter, blink::Event * triggeringEvent) Line 1812
blink_core.dll!blink::Document::execCommand(const WTF::String & commandName, bool __formal, const WTF::String & value, blink::ExceptionState & exceptionState) Line 4486
blink_core.dll!blink::DocumentV8Internal::execCommandMethod(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4162
blink_core.dll!blink::DocumentV8Internal::execCommandMethodCallback(const v8::FunctionCallbackInfo<v8::Value> & info) Line 4174
Jul 4 2016
In review: crrev.com/2120223002
Jul 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/39b2a95285753ccf12ee6d0bff85509d1161e029

commit 39b2a95285753ccf12ee6d0bff85509d1161e029
Author: yosin <yosin@chromium.org>
Date: Mon Jul 04 10:00:22 2016

Make redo command not to set invalid selection

This patch makes "redo" command not to set invalid selection to |FrameSelection| via |Editor::changeSelectionAfterCommand()| to avoid |DCHECK()| in |FrameSelection::setSelection()|.

BUG= 623241
TEST=LayoutTests/editing/undo/redo-selection-modify-crash.html

Review-Url: https://codereview.chromium.org/2120223002
Cr-Commit-Position: refs/heads/master@{#403657}

[add] https://crrev.com/39b2a95285753ccf12ee6d0bff85509d1161e029/third_party/WebKit/LayoutTests/editing/undo/redo-selection-modify-crash.html
[modify] https://crrev.com/39b2a95285753ccf12ee6d0bff85509d1161e029/third_party/WebKit/Source/core/editing/Editor.cpp
Jul 5 2016
ClusterFuzz has detected this issue as fixed in range 403457:403667.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5055934560993280
Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000a8
Crash State:
  blink::LayoutView::setSelection
  blink::LayoutView::clearSelection
  blink::FrameSelection::respondToNodeModification
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=380105:380830
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=403457:403667
Minimized Testcase (5.70 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95K7qvi5z-Z6VeNwxtnwc9iQYY8ZQY3G8NQexiqXmgjoYRT-3RIQBGwVDzNXYLbL5BqtKBszHE4Fh21SDkmbPvTmpgUgR90QK1PcD2gnRqr9Tf2_W5S6QReyfP5xsewmwgCN9sDlw3qmFyvqjdY_hV8tbJwrw?testcase_id=5055934560993280

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 5 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4910735654387712
Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000107
Crash State:
  blink::EditCommandComposition::reapply
  blink::UndoStack::redo
  blink::executeRedo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=403457:403667
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97KQY2Dzh36rH3tEzX5BfWyzDGLea2DsN_ghIQguOyg_HW0WAVPhoJyyyxp5iAzEHfZWzATchwkbeuyihnIiec3KuSKtOv9HmBa8VSqN8cCgCWtSjr-otacEGuri8BKy1CKG5o6QRIgu_lbNT1ts1JiivvHXx23rVMUUR0Tkoi7nRHix00?testcase_id=4910735654387712
Additional requirements: Requires Gestures
Filer: ssamanoori

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 6 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4910735654387712
Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x00000107
Crash State:
  blink::EditCommandComposition::reapply
  blink::UndoStack::redo
  blink::executeRedo
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=403457:403667
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv97KQY2Dzh36rH3tEzX5BfWyzDGLea2DsN_ghIQguOyg_HW0WAVPhoJyyyxp5iAzEHfZWzATchwkbeuyihnIiec3KuSKtOv9HmBa8VSqN8cCgCWtSjr-otacEGuri8BKy1CKG5o6QRIgu_lbNT1ts1JiivvHXx23rVMUUR0Tkoi7nRHix00?testcase_id=4910735654387712
Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, Jun 24 2016
Owner: pilgrim@chromium.org
Status: Assigned (was: Available)