based on Findit results, assigning to joone.hur@ - Could you please take a look at the issue and assign it to concerned developer if your changes are not responsible?

Suspected CLs	The result is a list of CLs that change the crashed files.

Author: joone.hur
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src//+/7cd91bcaaf5ef14b3e76465b464902cd864eaea0
Time: Fri Jul 01 08:59:24 2016
Lines 831-841 of file ReplaceSelectionCommand.cpp which potentially caused crash are changed in this cl (frame #1, "blink::handleStyleSpansBeforeInsertion").
Minimum distance from crash line to modified line: 0. (file: ReplaceSelectionCommand.cpp, crashed on: 831, modified: 831).

Suspected Project: chromium
Suspected Component: Blink>Editing

I'm taking a look at this problem.

Here is a fix: https://codereview.chromium.org/2135993003/

yosin@ is virtual owner. jonne.hur@ is working now.

 Issue 626616  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e7f2bcf1c9f2c9f7d998328cc47face9b75cca1e

commit e7f2bcf1c9f2c9f7d998328cc47face9b75cca1e
Author: joone.hur <joone.hur@intel.com>
Date: Fri Jul 15 09:43:59 2016

Add null check to fix crash in blink::ComputedStyle::display

These is a case that node->computedStyle() returns null
so it needs to check whether computedStyle() returns
null or not.

BUG= 626991 
TEST=editing/execCommand/crash-inserting-span.html

Review-Url: https://codereview.chromium.org/2135993003
Cr-Commit-Position: refs/heads/master@{#405733}

[add] https://crrev.com/e7f2bcf1c9f2c9f7d998328cc47face9b75cca1e/third_party/WebKit/LayoutTests/editing/execCommand/crash-inserting-span.html
[modify] https://crrev.com/e7f2bcf1c9f2c9f7d998328cc47face9b75cca1e/third_party/WebKit/Source/core/editing/EditingUtilities.cpp
[modify] https://crrev.com/e7f2bcf1c9f2c9f7d998328cc47face9b75cca1e/third_party/WebKit/Source/core/editing/commands/ReplaceSelectionCommand.cpp

ClusterFuzz has detected this issue as fixed in range 405727:405740.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5845525975007232

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000068
Crash State:
  blink::ComputedStyle::display
  blink::handleStyleSpansBeforeInsertion
  blink::ReplaceSelectionCommand::doApply
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=403423:403429
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=405727:405740

Minimized Testcase (0.46 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94CE_morXRBs6UuZBSfQebseukybpNnJdk_ao8rMwos-N-jUxSWW01TXK80fNbkH7K_2023YBR11YomXZ_7cCGfFWRFzBuQm1q5poEesAU0kpakLddFw-65sAYXUu0GeN5QdEG5YSbN4cEAoojNeAPOdyTdnA?testcase_id=5845525975007232
<script src="../../../resources/js-test-pre.js"></script>
        <script>
            function runTest() {
                description();
            }
        </script>
    <body onload="runTest()">
        <script>
function fuzz() {
document.designMode = 'on';
  document.execCommand("selectAll");
  document.execCommand("CreateLink",0,"foo");
  document.execCommand("inserthtml",false,"<span id='green' style='color:green'>green</span>");
}
 setTimeout(fuzz); </script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

 Issue 626614  has been merged into this issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot