FrameCaret should use a position in FrameSelection instead of holding a position itself
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6138124816351232
Fuzzer: bj_broddelwerk
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  caretPositionIsValidForDocument(*m_frame->document()) in FrameCaret.cpp
  blink::FrameCaret::invalidateCaretRect
  blink::FrameSelection::invalidateCaretRect
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=396634:396810
Minimized Testcase (1.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JamvPGPGp6bVLzqAJYCWqRby2HG44sDtYgR4k4JC35n9hKS8ADARsucFNGnAKANUPUfQCm18QX7vfMg7z3uyVr8Kl_V32Xlcdn1KxbJX1CA0LNow9nkJXSDaE7rPnFSAOl5mGij10rWuhQJrDACesh8AplA?testcase_id=6138124816351232
Filer: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Jul 15 2016

Jul 19 2016
DOM tree at assertion:

m_caretPosition.m_position.showTreeForThis() = HTML, 1
*HTML 00000493FBAA3090
STYLE 00000493FBAA3278
HEAD 00000493FBAA30F8
#text 00000493FBAA3228 "\n"

FrameCaret::m_caretPosition can have a different position at FrameSelection::updateIfNeeded()
Jul 19 2016

Jul 21 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ec7e0ef4bfdb8f0cd0c9a45ed9d45755d9a3c684

commit ec7e0ef4bfdb8f0cd0c9a45ed9d45755d9a3c684
Author: yosin <yosin@chromium.org>
Date: Thu Jul 21 07:07:44 2016

Make FrameCaret retrieve caret position from SelectionEditor

This patch makes |FrameCaret| use the caret position from |SelectionEditor| instead of holding a caret position in |FrameCaret|, to get rid of the code that keeps the caret position in |FrameCaret| and |SelectionEditor| synchronized, for improving code health.

The root cause of crbug.com/628520 is missing synchronization code in |FrameSelection::updateIfNeeded()|. This patch is simpler than adding synchronization code in |FrameSelection::updateIfNeeded()|.

BUG=628520
TEST=run_webkit_unit_tests --gtest_filter=FrameSelectionTest.updateIfNeededAndFrameCaret

Review-Url: https://codereview.chromium.org/2161373002
Cr-Commit-Position: refs/heads/master@{#406792}

[modify] https://crrev.com/ec7e0ef4bfdb8f0cd0c9a45ed9d45755d9a3c684/third_party/WebKit/Source/core/editing/FrameCaret.cpp
[modify] https://crrev.com/ec7e0ef4bfdb8f0cd0c9a45ed9d45755d9a3c684/third_party/WebKit/Source/core/editing/FrameCaret.h
[modify] https://crrev.com/ec7e0ef4bfdb8f0cd0c9a45ed9d45755d9a3c684/third_party/WebKit/Source/core/editing/FrameSelection.cpp
[modify] https://crrev.com/ec7e0ef4bfdb8f0cd0c9a45ed9d45755d9a3c684/third_party/WebKit/Source/core/editing/FrameSelectionTest.cpp
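The commit above replaces a cached copy of the caret position with a lookup into the single owner of that state. The toy program below is an added illustration of that design choice and is not Blink code: the classes (Node, Document, SelectionEditor, CachingFrameCaret, DelegatingFrameCaret) and the scenario in runScenario() are hypothetical stand-ins for the objects named in the commit message, with the DOM reduced to a flat list of nodes and positions reduced to a node anchor. It shows why a cached copy fails the validity check once the document changes under it, while a delegating caret cannot go stale.

```cpp
// Added illustration, not Blink code: a caret that caches its own copy of the
// selection position versus one that always asks the selection owner.
#include <algorithm>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy DOM node: only its name and whether it is still attached matter here.
struct Node {
    std::string name;
    bool inDocument = true;
};

// Toy document: a flat list of nodes that can be appended and removed.
struct Document {
    std::vector<std::shared_ptr<Node>> nodes;
    std::shared_ptr<Node> append(const std::string& n) {
        nodes.push_back(std::make_shared<Node>(Node{n, true}));
        return nodes.back();
    }
    void remove(const std::shared_ptr<Node>& n) {
        n->inDocument = false;  // detached nodes are no longer valid anchors
        nodes.erase(std::remove(nodes.begin(), nodes.end(), n), nodes.end());
    }
};

// A position anchored to a node (offsets omitted for brevity).
struct Position {
    std::shared_ptr<Node> anchor;
    bool isNull() const { return !anchor; }
};

// Single owner of the selection state, in the role SelectionEditor plays in Blink.
class SelectionEditor {
public:
    void setCaret(Position p) { m_caret = std::move(p); }
    // In the spirit of FrameSelection::updateIfNeeded(): if the anchor has left
    // the document, the selection collapses to null.
    void updateIfNeeded() {
        if (!m_caret.isNull() && !m_caret.anchor->inDocument) m_caret = Position{};
    }
    const Position& caretPosition() const { return m_caret; }
private:
    Position m_caret;
};

// Validity check in the spirit of caretPositionIsValidForDocument(): a null
// position or one anchored to an attached node is acceptable.
bool caretPositionIsValidForDocument(const Position& p) {
    return p.isNull() || p.anchor->inDocument;
}

// Before the fix: the caret keeps its own copy, so every code path that changes
// the editor's selection must also remember to update the caret.
class CachingFrameCaret {
public:
    void setCaretPosition(const Position& p) { m_caretPosition = p; }
    // Returns the result of the validity check (true = would not CHECK-fail).
    bool invalidateCaretRect() const { return caretPositionIsValidForDocument(m_caretPosition); }
private:
    Position m_caretPosition;
};

// After the fix: the caret asks the editor each time, so there is no second
// copy that could drift out of sync.
class DelegatingFrameCaret {
public:
    explicit DelegatingFrameCaret(const SelectionEditor& e) : m_editor(e) {}
    bool invalidateCaretRect() const { return caretPositionIsValidForDocument(m_editor.caretPosition()); }
private:
    const SelectionEditor& m_editor;
};

struct Outcome { bool cachingValid; bool delegatingValid; };

// Constructed scenario: put the caret on a text node, remove that node, let the
// editor update itself, then ask both caret designs whether their check passes.
Outcome runScenario() {
    Document doc;
    doc.append("HTML");
    auto text = doc.append("#text");

    SelectionEditor editor;
    CachingFrameCaret caching;
    DelegatingFrameCaret delegating(editor);

    Position p{text};
    editor.setCaret(p);
    caching.setCaretPosition(p);  // the manual sync step that a later path can forget

    doc.remove(text);
    editor.updateIfNeeded();      // the editor collapses; the cached copy is untouched

    return {caching.invalidateCaretRect(), delegating.invalidateCaretRect()};
}
```

runScenario() returns cachingValid == false (the stale copy still points at a detached node, which is the condition the CHECK in the report catches) and delegatingValid == true (the editor already collapsed to a null position). The general lesson is the one the commit message states: a value that mirrors state owned elsewhere needs a synchronization path for every mutation of the original, and each missing path is a latent invariant violation.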
Jul 22 2016
ClusterFuzz has detected this issue as fixed in range 406657:406809.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6138124816351232
Fuzzer: bj_broddelwerk
Job Type: linux_debug_chrome
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  caretPositionIsValidForDocument(*m_frame->document()) in FrameCaret.cpp
  blink::FrameCaret::invalidateCaretRect
  blink::FrameSelection::invalidateCaretRect
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=396634:396810
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_chrome&range=406657:406809
Minimized Testcase (1.65 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96JamvPGPGp6bVLzqAJYCWqRby2HG44sDtYgR4k4JC35n9hKS8ADARsucFNGnAKANUPUfQCm18QX7vfMg7z3uyVr8Kl_V32Xlcdn1KxbJX1CA0LNow9nkJXSDaE7rPnFSAOl5mGij10rWuhQJrDACesh8AplA?testcase_id=6138124816351232

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 22 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Oct 12 2016

Oct 18 2016

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by nyerramilli@chromium.org, Jul 15 2016

Components: Tools>Test>FindIt>NoResult
Labels: findit-wrong Te-Logged
Owner: bokan@chromium.org
Status: Assigned (was: Available)