Wildly guessing that this may be: e15391d9a56a210cf5faee97c24bfad856225ea9
tkent, could you take look?

The CL changed the timing of DOM mutation events, so it might exposed an existing bug in a particular test case.

Route to Editing triage.

Lower to Pri-2 since real world usage of "insertHorizontalRule" is low.

The root cause is CompositeEditCommand::moveParagraphs() calls markMisspellingsForMovingParagraphs() with endingSelection() which should be validate again.

Unable to find the possible suspect using Find it and CL.
Using Code Search for the file, "EditingUtilities.cpp" assigning to the concern owner.
Suspecting the commit#
https://chromium.googlesource.com/chromium/src/+/9ceffba8b9056e7a125f5a9fd8eb803816315df7

@xiaochengh -- Could you please look into the issue, kindly re-assign if this is not related to your change.
Thank You.

It's more complicated than passing an invalid VisibleSelection to SpellChecker. Even if spell checking is off, this invalid VS is still going to cause other failures:

[1:1:1205/174541.337332:3035614527656:FATAL:VisiblePosition.cpp(73)] Check failed: positionWithAffinity.isConnected(). BR@beforeAnchor/TextAffinity::Downstream
#0 0x7fcc6b9bcfbe base::debug::StackTrace::StackTrace()
#1 0x7fcc6ba29d3f logging::LogMessage::~LogMessage()
#2 0x7fcc62157dda blink::VisiblePositionTemplate<>::create()
#3 0x7fcc6215796b blink::createVisiblePosition()
#4 0x7fcc6215ceca blink::VisibleSelectionTemplate<>::visibleStart()
#5 0x7fcc621a418d blink::CompositeEditCommand::moveParagraphs()
#6 0x7fcc621a5d4d blink::CompositeEditCommand::moveParagraph()
#7 0x7fcc621b3ac7 blink::DeleteSelectionCommand::mergeParagraphs()
#8 0x7fcc621b4bf2 blink::DeleteSelectionCommand::doApply()
#9 0x7fcc6219da4f blink::CompositeEditCommand::applyCommandToComposite()
#10 0x7fcc621a0599 blink::CompositeEditCommand::deleteSelection()
#11 0x7fcc621d9170 blink::ReplaceSelectionCommand::doApply()
#12 0x7fcc6219d792 blink::CompositeEditCommand::apply()
#13 0x7fcc621bf480 blink::executeInsertFragment()
#14 0x7fcc621bf639 blink::executeInsertElement()
#15 0x7fcc621bb261 blink::executeInsertHorizontalRule()
#16 0x7fcc621b817c blink::Editor::Command::execute()
#17 0x7fcc61f04b3d blink::Document::execCommand()

ClusterFuzz has detected this issue as fixed in range 448221:448225.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4932904636645376

Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000020
Crash State:
  blink::hasEditableStyle
  blink::rootEditableElement
  blink::DeleteSelectionCommand::removeRedundantBlocks
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=417193:417214
Fixed: https://cluster-fuzz.appspot.com/revisions?job=mac_asan_chrome&range=448221:448225

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95n4PtOu7tyHJJqgpOAr0gYoobZ-e-3Se2_15rRnKPLXSW2tXQ3YXBVq4hjHtpKcDtbSwOS15d0OtILqPIh5EkVHafaMsCOwTDdplMwF2zRE-oYSdVuaCiYrFwCviWj-oekL64SGYuXVa-vAkIc_PYS99JZbw?testcase_id=4932904636645376


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4932904636645376 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.