
Issue 640022


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Blocked on:
issue 640112




Crash in blink::SpellCheckRequest::isValid

Project Member Reported by ClusterFuzz, Aug 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5494609319034880

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000011
Crash State:
  blink::SpellCheckRequest::isValid
  blink::SpellChecker::markAndReplaceFor
  blink::SpellCheckRequester::didCheck
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=411957:412185

Minimized Testcase (4.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97paZHr2lvrMdWztwea0EJNvC26FLPchIXSQStqTC-puz16CXWsHizAY1poZUH0okRmlDzJcUkGBKleuQxb_FkFw1VfJHHXq4FGfrlZfIJ2X3UyapVxygd0Zq4_RVuu9ofVsrLZgL-pkX2Iy4V9XPbYlIEM4g?testcase_id=5494609319034880

Issue manually filed by: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
This might be the suspected CL:
Changelist: https://chromium.googlesource.com/chromium/src/+/922c87eb33d709ba9fb9332ecde0a1bcf72d86bf

xiaochengh@, could you please look into this? Please feel free to re-assign if needed. Thank you.
Components: Blink>Editing
Not sure if it's the same bug as issue 639801, but the culprit is also |expandToParagraphBoundary()| in TextCheckingHelper.cpp, which tries to return an EphemeralRange with start position beyond end position.

Input EphemeralRange:

BODY	0x1c65f21e6a68
	FORM	0x1c65f21ea1a8
		PRE	0x1c65f21ea338
			DEL	0x1c65f21ea3d8 CLASS="CLASS2 CLASS14"
				#text	0x1c65f21eb518 ""
				DEL	0x1c65f21ebb38 CLASS="CLASS2 CLASS14"
				#text	0x1c65f21ebee8 ""
				FORM	0x1c65f21eb978
					PRE	0x1c65f21eba98
						rect	0x1c65f21ebc48
				#text	0x1c65f21ebdf0 ""
				BUTTON	0x1c65f21ea708
					#text	0x1c65f21ea800 ""
					A	0x1c65f21eabd0 (editable)
						rect	0x1c65f21ec9e8 (editable)
					#text	0x1c65f21ec7d0 ""
S					LABEL	0x1c65f21ea8e0 (editable) (focused)
						#text	0x1c65f21ea988 ""
						RB	0x1c65f21ea5f8
							BODY	0x1c65f21eb8d8
							#text	0x1c65f21ea698 "\n"
E							#text	0x1c65f21ea870 "\n"
							rect	0x1c65f21ec5a0
						#text	0x1c65f21ec388 "\n"
						BUTTON	0x1c65f21ea9f8 (editable)
							#text	0x1c65f21eaaf0 "\n"
						#text	0x1c65f21eab60 "\n"
						#text	0x1c65f21eb4a8 "\n"
						rect	0x1c65f21ec1e0 (editable)
					#text	0x1c65f21ebfc8 "\n"
				#text	0x1c65f21ebf58 "\n"
start offset: 0, end offset: 0

The function tries to return the following EphemeralRange, triggering a DCHECK in EphemeralRange's constructor:

BODY	0x1c65f21e6a68
	FORM	0x1c65f21ea1a8
		PRE	0x1c65f21ea338
			DEL	0x1c65f21ea3d8 CLASS="CLASS2 CLASS14"
				#text	0x1c65f21eb518 ""
				DEL	0x1c65f21ebb38 CLASS="CLASS2 CLASS14"
				#text	0x1c65f21ebee8 ""
				FORM	0x1c65f21eb978
					PRE	0x1c65f21eba98
						rect	0x1c65f21ebc48
				#text	0x1c65f21ebdf0 ""
				BUTTON	0x1c65f21ea708
					#text	0x1c65f21ea800 ""
					A	0x1c65f21eabd0 (editable)
						rect	0x1c65f21ec9e8 (editable)
					#text	0x1c65f21ec7d0 ""
					LABEL	0x1c65f21ea8e0 (editable) (focused)
						#text	0x1c65f21ea988 ""
						RB	0x1c65f21ea5f8
							BODY	0x1c65f21eb8d8
							#text	0x1c65f21ea698 "\n"
E							#text	0x1c65f21ea870 "\n"
							rect	0x1c65f21ec5a0
						#text	0x1c65f21ec388 "\n"
						BUTTON	0x1c65f21ea9f8 (editable)
							#text	0x1c65f21eaaf0 "\n"
						#text	0x1c65f21eab60 "\n"
S						#text	0x1c65f21eb4a8 "\n"
						rect	0x1c65f21ec1e0 (editable)
					#text	0x1c65f21ebfc8 "\n"
				#text	0x1c65f21ebf58 "\n"
start offset: 0, end offset: 0
Blockedon: 640112
Project Member

Comment 4 by bugdroid1@chromium.org, Aug 24 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8d1974aecc77d407a9ee89d2434f0079b4cc1e40

commit 8d1974aecc77d407a9ee89d2434f0079b4cc1e40
Author: xiaochengh <xiaochengh@chromium.org>
Date: Wed Aug 24 02:15:54 2016

Force expandToParagraphBoundary to return a valid EphemeralRange

This is a first-aid patch that makes expandToParagraphBoundary()
compare the paragraph boundaries found with the input range before
returning, so that the returned range is always a super-range of
the input range, and hence, a valid EphemeralRange.

This patch does not fix the root cause of the bugs, as we:
- do not expect startOfParagraph()'s return value to be beyond that of
endOfParagraph()'s, and
- are planning on getting rid of TextCheckingParagraph, the only client
of expandToParagraphBoundary(), ultimately

BUG=639521,639801,640022,640030,640112
TEST=n/a; this is a first-aid patch

Review-Url: https://codereview.chromium.org/2271603002
Cr-Commit-Position: refs/heads/master@{#413942}

[modify] https://crrev.com/8d1974aecc77d407a9ee89d2434f0079b4cc1e40/third_party/WebKit/Source/core/editing/spellcheck/TextCheckingParagraph.cpp
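The invariant the commit message above describes (compare the found paragraph boundaries with the input range so the result is always a super-range, hence always start <= end) is easy to see on a flat model, so here is an added example. It is not Blink's code and not the change in TextCheckingParagraph.cpp linked above: positions are plain integer offsets into a string rather than DOM Positions, the `Range` type stands in for EphemeralRange's DCHECK, `StartOfParagraph`/`EndOfParagraph` are simplified stand-ins for startOfParagraph()/endOfParagraph(), and `BuggyStartOfParagraph` is a constructed finder that reproduces only the symptom (start landing beyond end), not the DOM-specific cause.

```cpp
#include <algorithm>
#include <cstdio>
#include <stdexcept>
#include <string>

// A [start, end) range over text offsets. Like blink::EphemeralRange it is
// only valid when start <= end; the constructor enforces what the real class
// checks with a DCHECK (here as an exception so the failure is observable).
struct Range {
  int start;
  int end;
  Range(int s, int e) : start(s), end(e) {
    if (start > end) throw std::invalid_argument("Range: start > end");
  }
};

using BoundaryFn = int (*)(const std::string&, int);

// Simplified stand-ins for startOfParagraph()/endOfParagraph() (assumption):
// paragraphs are runs of text separated by '\n'.
int StartOfParagraph(const std::string& text, int pos) {
  while (pos > 0 && text[pos - 1] != '\n') --pos;
  return pos;
}

int EndOfParagraph(const std::string& text, int pos) {
  const int n = static_cast<int>(text.size());
  while (pos < n && text[pos] != '\n') ++pos;
  return pos;
}

// Constructed misbehaving start finder (assumption, not Blink's logic): it
// lands at the start of the *next* paragraph, so its result can lie beyond
// EndOfParagraph(). This reproduces the symptom reported in the bug.
int BuggyStartOfParagraph(const std::string& text, int pos) {
  const int n = static_cast<int>(text.size());
  return std::min(EndOfParagraph(text, pos) + 1, n);
}

// Pre-patch behaviour: trust the boundary finders. When the start boundary
// lies beyond the end boundary, building the Range fails (in Blink: the
// DCHECK in EphemeralRange's constructor).
Range ExpandToParagraphBoundaryUnfixed(const std::string& text, const Range& input,
                                       BoundaryFn start_of, BoundaryFn end_of) {
  return Range(start_of(text, input.start), end_of(text, input.end));
}

// First-aid patch: compare the found boundaries with the input range before
// returning. Since input.start <= input.end, the result satisfies
// start <= input.start <= input.end <= end: a super-range of the input and
// therefore always a valid Range, whatever the finders returned.
Range ExpandToParagraphBoundaryFixed(const std::string& text, const Range& input,
                                     BoundaryFn start_of, BoundaryFn end_of) {
  const int start = std::min(start_of(text, input.start), input.start);
  const int end = std::max(end_of(text, input.end), input.end);
  return Range(start, end);
}

// True when the unfixed expansion yields an invalid (start > end) range.
bool UnfixedProducesInvalidRange(const std::string& text, const Range& input,
                                 BoundaryFn start_of, BoundaryFn end_of) {
  try {
    ExpandToParagraphBoundaryUnfixed(text, input, start_of, end_of);
    return false;
  } catch (const std::invalid_argument&) {
    return true;
  }
}

int main() {
  // Constructed sample: three paragraphs, collapsed caret inside "bar" (offset 5).
  const std::string text = "foo\nbar\nbaz";
  const Range caret(5, 5);

  Range ok = ExpandToParagraphBoundaryFixed(text, caret, StartOfParagraph, EndOfParagraph);
  std::printf("well-behaved finders: [%d, %d)\n", ok.start, ok.end);

  bool invalid = UnfixedProducesInvalidRange(text, caret, BuggyStartOfParagraph, EndOfParagraph);
  std::printf("unfixed + buggy finder gives invalid range: %s\n", invalid ? "yes" : "no");

  Range patched = ExpandToParagraphBoundaryFixed(text, caret, BuggyStartOfParagraph, EndOfParagraph);
  std::printf("fixed + buggy finder: [%d, %d)\n", patched.start, patched.end);
  return 0;
}
```

Note what the patched version does and does not buy: with the buggy finder it returns [5, 7) instead of the true paragraph [4, 7), so the spell-check range is merely valid, not correct. That is exactly the commit message's point that this stops the invalid-range path without fixing the root cause in the boundary finders.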

Project Member

Comment 5 by ClusterFuzz, Aug 25 2016

ClusterFuzz has detected this issue as fixed in range 413791:414128.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5494609319034880

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000011
Crash State:
  blink::SpellCheckRequest::isValid
  blink::SpellChecker::markAndReplaceFor
  blink::SpellCheckRequester::didCheck
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=411957:412185
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=413791:414128

Minimized Testcase (4.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97paZHr2lvrMdWztwea0EJNvC26FLPchIXSQStqTC-puz16CXWsHizAY1poZUH0okRmlDzJcUkGBKleuQxb_FkFw1VfJHHXq4FGfrlZfIJ2X3UyapVxygd0Zq4_RVuu9ofVsrLZgL-pkX2Iy4V9XPbYlIEM4g?testcase_id=5494609319034880

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
