Crash in blink::hasEditableStyle
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4566826991484928
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::hasEditableStyle
  blink::rootEditableElement
  blink::DeleteSelectionCommand::removeRedundantBlocks
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=404947:405052
Minimized Testcase (0.39 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96nUPwU9dm6iXSd_2IczBRgrICK9Z2CxMkgNISGFPRmsDTswu7CfWGSSqD7OQjw2iXH8PjsDABk_0ISmF5YTgkHNskctQadscrgsgHsDo1mLSjSqJPn_rBk99MKCsRnTWkRmKgyQ3ORwpIO2yv8UVf_d3xnaA?testcase_id=4566826991484928

    <body onload="__f_611();"<div contenteditable="true" id="div">
    <table>
    <td>
    <br/>
    <span id="span">
    bar
    <script>
    sel = window.getSelection();
    sel.setBaseAndExtent(div, 0, span, span.childNodes.length);
    document.execCommand("InsertOrderedList");
    __v_246 = window.getSelection();
    __v_246.modify("extend", "forward", "line");
    document.execCommand("Cut");
    </script>

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Nov 28 2016
Nov 28 2016
It hits a DCHECK during the cut command:

[1:1:1128/115742:2409936177498:FATAL:SelectionTemplate.cpp(156)] Check failed: position.isConnected(). TABLE@afterAnchor
#0 0x7fb2f34ea83e base::debug::StackTrace::StackTrace()
#1 0x7fb2f3558acf logging::LogMessage::~LogMessage()
#2 0x7fb2e9c18f91 blink::SelectionTemplate<>::Builder::collapse()
#3 0x7fb2e9c7b1de blink::DeleteSelectionCommand::doApply()
#4 0x7fb2e9c63972 blink::CompositeEditCommand::apply()
#5 0x7fb2e9bd912e blink::Editor::deleteSelectionWithSmartDelete()
#6 0x7fb2e9bdbee9 blink::Editor::cut()
Nov 28 2016
The root cause should be DeleteSelectionCommand trying to set the ending selection to a disconnected position. We should use RelocatablePosition to track DeleteSelectionCommand::m_endingPosition.
Nov 28 2016
A deeper cause is that DeleteSelectionCommand::mergeParagraphs stores |VisiblePosition startOfParagraphToMove| through DOM mutations, which ends up disconnected. It then sets |m_endingPosition| with the invalid VP, causing the DCHECK. We should use RelocatablePosition for |startOfParagraphToMove|.

Patch: https://codereview.chromium.org/2534783002
Nov 29 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/e0c438edea7a5d6b057edff9a65d3d735c98b10e

commit e0c438edea7a5d6b057edff9a65d3d735c98b10e
Author: xiaochengh <xiaochengh@chromium.org>
Date: Tue Nov 29 13:50:34 2016

Apply RelocatablePosition in DeleteSelectionCommand::mergeParagraphs

The above-mentioned function used a VisiblePosition to track |startOfParagraphToMove|, which is wrong as VPs can't persist through DOM mutations. This patch uses RelocatablePosition instead.

BUG= 668765
TEST=webkit_unit_tests --gtest_filter=DeleteSelectionCommandTest.deleteListFromTable

Review-Url: https://codereview.chromium.org/2534783002
Cr-Commit-Position: refs/heads/master@{#434976}

[modify] https://crrev.com/e0c438edea7a5d6b057edff9a65d3d735c98b10e/third_party/WebKit/Source/core/editing/BUILD.gn
[modify] https://crrev.com/e0c438edea7a5d6b057edff9a65d3d735c98b10e/third_party/WebKit/Source/core/editing/commands/DeleteSelectionCommand.cpp
[modify] https://crrev.com/e0c438edea7a5d6b057edff9a65d3d735c98b10e/third_party/WebKit/Source/core/editing/commands/DeleteSelectionCommand.h
[add] https://crrev.com/e0c438edea7a5d6b057edff9a65d3d735c98b10e/third_party/WebKit/Source/core/editing/commands/DeleteSelectionCommandTest.cpp
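Added illustration, not Blink code and not the reporter's testcase: a constructed JavaScript model of the mechanism behind the root-cause comment and the commit above. A plain (node, offset) snapshot, like the VisiblePosition held across the paragraph merge, is left pointing into a removed subtree and fails the `isConnected()` invariant the DCHECK checks, while a position registered with the document is re-anchored on removal, the way DOM live Ranges do and the way the commit describes RelocatablePosition persisting through DOM mutations. The `DomNode`/`Document` classes, the `livePositions` registry and the div > table > td > span tree are assumptions of the model.

```javascript
// Constructed model, not Blink code. A DOM-like tree whose remove() re-anchors
// registered live positions, the way DOM live Ranges do on node removal.
class DomNode {
  constructor(name, doc) { this.name = name; this.doc = doc; this.parent = null; this.children = []; }
  append(child) { child.parent = this; this.children.push(child); return child; }
  isDescendantOf(ancestor) {
    for (let n = this; n; n = n.parent) if (n === ancestor) return true;
    return false;
  }
  // Remove this subtree; live positions anchored inside it move to
  // (parent, index of the removed child) instead of going stale.
  remove() {
    const parent = this.parent;
    const index = parent.children.indexOf(this);
    parent.children.splice(index, 1);
    this.parent = null;
    for (const pos of this.doc.livePositions) {
      if (pos.node.isDescendantOf(this)) { pos.node = parent; pos.offset = index; }
    }
  }
}
class Document {
  constructor() { this.root = new DomNode('#document', this); this.livePositions = new Set(); }
  createElement(name) { return new DomNode(name, this); }
  // The invariant the DCHECK in the report checks: position.isConnected().
  isConnected(pos) { return pos.node.isDescendantOf(this.root); }
}
// Like the VisiblePosition in the report: a plain (node, offset) snapshot.
function snapshotPosition(node, offset) { return { node, offset }; }
// Like RelocatablePosition: registered so later mutations update it.
function relocatablePosition(doc, node, offset) {
  const pos = { node, offset };
  doc.livePositions.add(pos);
  return pos;
}
// Tree shaped like the minimized testcase: div > table > td > span.
function demo() {
  const doc = new Document();
  const div = doc.root.append(doc.createElement('div'));
  const table = div.append(doc.createElement('table'));
  const span = table.append(doc.createElement('td')).append(doc.createElement('span'));
  const snapshot = snapshotPosition(span, 0);
  const live = relocatablePosition(doc, span, 0);
  table.remove(); // the kind of mutation that strands the cached position
  return {
    snapshotConnected: doc.isConnected(snapshot), // false: the state the DCHECK caught
    liveConnected: doc.isConnected(live),         // true: re-anchored at (div, 0)
    liveAnchor: live.node.name,
    liveOffset: live.offset,
  };
}
```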
Nov 29 2016
Nov 30 2016
ClusterFuzz has detected this issue as fixed in range 434929:434986.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4566826991484928
Fuzzer: inferno_layout_test_unmodified
Job Type: linux_asan_content_shell_drt
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::hasEditableStyle
  blink::rootEditableElement
  blink::DeleteSelectionCommand::removeRedundantBlocks
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=404947:405052
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_content_shell_drt&range=434929:434986
Minimized Testcase (0.39 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96nUPwU9dm6iXSd_2IczBRgrICK9Z2CxMkgNISGFPRmsDTswu7CfWGSSqD7OQjw2iXH8PjsDABk_0ISmF5YTgkHNskctQadscrgsgHsDo1mLSjSqJPn_rBk99MKCsRnTWkRmKgyQ3ORwpIO2yv8UVf_d3xnaA?testcase_id=4566826991484928

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by ajha@chromium.org, Nov 27 2016
Labels: M-55