Issue 655466

Issue metadata

Status: Verified
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression

Crash in nextSibling

Project Member Reported by ClusterFuzz, Oct 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4961187286745088

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000030
Crash State:
  nextSibling
  nextSkippingChildren
  blink::CompositeEditCommand::cloneParagraphUnderNewElement
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=297214:297254

Minimized Testcase (1.24 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96bRG6Rx-huleIijdau0FxgHVZZCq9HeAaYOu9TkNx0kEpXpNRLuUiMohOSjpSC8BDDrgGV-0UG1-rNzC6rq2OmW5mp9lYTrf_D7BXN_mH_8aHB8LdUaGNlhZOj_V_6X2-CuWPBNdeQMVuU3fdqAQRPWuMinA?testcase_id=4961187286745088

Issue manually filed by: nyerramilli

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: nyerramilli@chromium.org
Components: Tools>Test>FindIt>WrongResult
Labels: -Type-Bug findit-wrong M-56 Te-Logged Type-Bug-Regression
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Providing Findit Results for internal purpose:
Suspected CLs

Git blame below is NOT necessarily who introduced the crash nor the owner for it. Please check the code before assigning to anyone. (No CL in the regression range changed the crashing files.)

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 77 of file Member.h, which is stack frame 0.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 206 of file Node.h, which is stack frame 1.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 379 of file NodeTraversal.h, which is stack frame 2.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 1323 of file CompositeEditCommand.cpp, which is stack frame 3.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 1431 of file CompositeEditCommand.cpp, which is stack frame 4.

Author: xiaochengh
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/f68abcbb358214261742479653a6ef534b7837b0
Time: Thu Oct 06 02:13:55 2016
The CL last changed line 120 of file FormatBlockCommand.cpp, which is stack frame 5.

Author: Blink Reformat
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/1c8e1a7719e9d223cc84e838c9a31a0210f5878b
Time: Sat Oct 01 00:25:32 2016
The CL last changed line 171 of file ApplyBlockElementCommand.cpp, which is stack frame 6.

Suspected Project: chromium-blink
Suspected Component: Blink>DOM

Using codesearch, seeing some changes to CompositeEditCommand.cpp in

https://chromium.googlesource.com/chromium/src/+/5f0ab5ec41d132eb4ff36460e4f05c110dda17f6
Components: Blink>Editing>Command
Labels: -Pri-1 Pri-2
Lowering to P2 since the usage of document.execCommand('FormatBlock') is low.

BODY class="CLASS9 CLASS7" (editable)
	#text "\n"
	INS (editable)
		#text "\n"
		svg (editable)
			#text "\n"
	#text ""
	HEAD (editable)
		SCRIPT (editable)
			#text "\nfunction event_handler_2D0_DOMContentLoaded() {\n  var oSelection=window.getSelection();\n  document.execCommand(\"SelectAll\")\n  var oRange = oSelection.rangeCount ? oSelection.getRangeAt(82 % oSelection.rangeCount) : null;\n    var oInsertedElement = (function(){\n    var aoElements = document.getElementsByTagName(\"*\");\n    if (aoElements.length) return aoElements[1 % aoElements.length];\n  })();\noRange.insertNode(oInsertedElement)\n  var oElement2 = (function(){\n  })();\n}\ndocument.addEventListener(\"DOMContentLoaded\", event_handler_2D0_DOMContentLoaded);\nfunction event_handler_2D1_selectstart() {\n  var oElement = event.srcElement;\noElement.insertAdjacentText('afterend', 'i4****[S[[[[[[2:3}}}}}}}}}}}}\"J\\'')\n}\ndocument.addEventListener(\"selectstart\", event_handler_2D1_selectstart);\nfunction event_handler_2D2_DOMSubtreeModified() {\n  var oElement = event.srcElement;\noElement.contentEditable = oElement.contentEditable == \"true\" ? \"false\" : \"true\";\n  document.execCommand('FormatBlock',false,'<dl>');\n    var oParent = (function(){\n\n\n  })();\n}\ndocument.addEventListener(\"DOMSubtreeModified\", event_handler_2D2_DOMSubtreeModified);\n"
		#text "\n"
		STYLE (editable)
			#text "\n.CLASS7{-webkit-hyphens:initial;display:inline;"
		#text "\n"
	DL (editable)
	#text "\n"

FormatBlockCommand::formatRange gets |start| = [#text "\n" (at the end of document), 0]
|createVisiblePosition(start)| returns null, which is passed to CompositeEditCommand::moveParagraphWithClones, causing the DCHECK hit in comparePositions.
Components: -Tools>Test>FindIt>WrongResult
Labels: Test-Predator-Wrong
Comment 4 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 5 by ClusterFuzz, Mar 9 2017

ClusterFuzz has detected this issue as fixed in range 455091:455394.

Detailed report: https://clusterfuzz.com/testcase?key=4961187286745088

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000030
Crash State:
  nextSibling
  nextSkippingChildren
  blink::CompositeEditCommand::cloneParagraphUnderNewElement
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=297214:297254
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=455091:455394

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96bRG6Rx-huleIijdau0FxgHVZZCq9HeAaYOu9TkNx0kEpXpNRLuUiMohOSjpSC8BDDrgGV-0UG1-rNzC6rq2OmW5mp9lYTrf_D7BXN_mH_8aHB8LdUaGNlhZOj_V_6X2-CuWPBNdeQMVuU3fdqAQRPWuMinA?testcase_id=4961187286745088

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz, Mar 9 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 4961187286745088 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.