Crash in blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4974520718065664

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000005b0
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::FrameSelection::revealSelection

Sanitizer: address (ASAN)

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97ficGcqy8_eRUJ519E1XWAhkEEhsX-QLRRVLarn-qox0UMHIagu7TzzmCkocTUmofi1u6uIhQ9C7a7zcf6PJdI5DzzxYrY6RHX_2-yP1ZiCVh7mNPHZtOTGXhscOjr6uWl30LV426WDcGt_Ntsb_qur0xvD2iHyIN2_Fmsqjtp1OMp8AGfs_XR_dGzaWkk7RBdXn0jNLJsOmm6G8KKEG7-O7NO87YwmiU17gU0iWyi69nLONS6bmslc48yJWcTYjCwohcheG_7sKpl1j0W0NXa9DackdDZztJ79K9TN00E4_kNDnjlAlF-QsLfsGujvU1XdepgoNKUM-FzH99o3e6R04hUOgq6QV7tv64EQb0cBlig8WU?testcase_id=4974520718065664

<iframe></iframe>
<script>
var iframe = document.getElementsByTagName('iframe')[0];
// Make the iframe's document editable so editing operations run inside it.
iframe.contentDocument.documentElement.contentEditable = true;
// When focus leaves the editable root, remove the iframe from the parent
// document. That detaches the frame and destroys its document while the
// editor may still be in the middle of an operation on it.
iframe.contentDocument.documentElement.addEventListener('focusout', function () {
  iframe.parentNode.removeChild(iframe);
});
iframe.contentDocument.documentElement.focus();
</script>

Additional requirements: Requires Gestures
Additional requirements: Requires HTTP

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 26 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/4b7ec96e0cdf6ef721b15a31ea88d4c868f38929

commit 4b7ec96e0cdf6ef721b15a31ea88d4c868f38929
Author: xiaochengh <xiaochengh@chromium.org>
Date: Thu Jan 26 08:15:09 2017

Make Editor::revealSelectionAfterEditingOperation check document availability

The above mentioned function is called to reveal selection after a user initiated editing operation. However, it shouldn't proceed if the operation destroys the frame, which is ensured by this patch.

BUG=685347
TEST=LayoutTests/editing/inserting/insert_linebreak_remove_frame.html

Review-Url: https://codereview.chromium.org/2653063004
Cr-Commit-Position: refs/heads/master@{#446275}

[add] https://crrev.com/4b7ec96e0cdf6ef721b15a31ea88d4c868f38929/third_party/WebKit/LayoutTests/editing/inserting/insert_linebreak_remove_frame.html
[modify] https://crrev.com/4b7ec96e0cdf6ef721b15a31ea88d4c868f38929/third_party/WebKit/Source/core/editing/Editor.cpp
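The bug class behind this report, as an added C++ model that is not Blink's code: an editing operation dispatches a focus event, script in the handler removes the iframe, and the editor then tries to reveal the selection in a document that no longer exists. The Model* names are hypothetical; the real check lives in the Editor.cpp change linked above and is modelled here as a null check on the frame's document before the layout update.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Outcome of the post-editing "reveal selection" step.
enum class RevealResult { kRevealed, kSkippedFrameDetached, kNullDereference };

// Model of the frame's Document (hypothetical): holds the focusout listeners
// script registered and counts layout updates, the stand-in for
// Document::updateStyleAndLayoutIgnorePendingStylesheets.
struct ModelDocument {
  std::vector<std::function<void()>> focusout_listeners;
  int layout_updates = 0;
};

// Model of the <iframe>'s frame. removeChild(iframe) detaches the frame,
// which destroys its document; code that grabbed the frame before the
// operation now sees a null document pointer.
struct ModelFrame {
  std::unique_ptr<ModelDocument> document = std::make_unique<ModelDocument>();
  void Detach() { document.reset(); }
};

// Model of Blink's Editor, which holds its frame across the whole operation.
class ModelEditor {
 public:
  ModelEditor(ModelFrame& frame, bool check_document_availability)
      : frame_(frame), check_document_availability_(check_document_availability) {}

  // A user-initiated editing operation: focus events fire (script runs),
  // then the editor scrolls the new selection into view.
  RevealResult InsertLineBreak() {
    DispatchFocusOut();
    return RevealSelectionAfterEditingOperation();
  }

 private:
  void DispatchFocusOut() {
    // Copy the list first: a listener may destroy the document that owns it.
    std::vector<std::function<void()>> listeners = frame_.document->focusout_listeners;
    for (const auto& listener : listeners) listener();
  }

  RevealResult RevealSelectionAfterEditingOperation() {
    // The fix, modelled as a null check: if the operation tore the frame
    // down there is no document whose layout could be updated, so stop.
    if (check_document_availability_ && !frame_.document)
      return RevealResult::kSkippedFrameDetached;
    return RevealSelection(frame_.document.get());
  }

  static RevealResult RevealSelection(ModelDocument* document) {
    // FrameSelection::revealSelection forces a style/layout update on the
    // document. With document == nullptr that is the near-null UNKNOWN READ
    // (address 0x5b0) in the report; the model reports it instead of crashing.
    if (!document) return RevealResult::kNullDereference;
    document->layout_updates++;
    return RevealResult::kRevealed;
  }

  ModelFrame& frame_;
  bool check_document_availability_;
};

// The ClusterFuzz testcase: an editable iframe document whose focusout
// handler removes the iframe while the editor is mid-operation.
RevealResult RunTestcase(bool fixed) {
  ModelFrame iframe;
  iframe.document->focusout_listeners.push_back([&iframe] { iframe.Detach(); });
  ModelEditor editor(iframe, fixed);
  return editor.InsertLineBreak();
}

// Control: nothing detaches the frame, so the selection is revealed either way.
RevealResult RunBenign(bool fixed) {
  ModelFrame iframe;
  ModelEditor editor(iframe, fixed);
  return editor.InsertLineBreak();
}

int main() {
  std::printf("unfixed, testcase: %d (2 = null dereference)\n", static_cast<int>(RunTestcase(false)));
  std::printf("fixed, testcase:   %d (1 = skipped, frame detached)\n", static_cast<int>(RunTestcase(true)));
  std::printf("fixed, benign:     %d (0 = revealed)\n", static_cast<int>(RunBenign(true)));
  return 0;
}
```

The point the model makes is where the check has to go: after every point at which script can run, not before the operation starts, because a listener can invalidate the frame between the two.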
Jan 27 2017
ClusterFuzz has detected this issue as fixed in range 446231:446318.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4974520718065664

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000000005b0
Crash State:
  blink::Document::updateStyleAndLayoutTreeIgnorePendingStylesheets
  blink::Document::updateStyleAndLayoutIgnorePendingStylesheets
  blink::FrameSelection::revealSelection

Sanitizer: address (ASAN)

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=446231:446318

Minimized Testcase (0.35 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97ficGcqy8_eRUJ519E1XWAhkEEhsX-QLRRVLarn-qox0UMHIagu7TzzmCkocTUmofi1u6uIhQ9C7a7zcf6PJdI5DzzxYrY6RHX_2-yP1ZiCVh7mNPHZtOTGXhscOjr6uWl30LV426WDcGt_Ntsb_qur0xvD2iHyIN2_Fmsqjtp1OMp8AGfs_XR_dGzaWkk7RBdXn0jNLJsOmm6G8KKEG7-O7NO87YwmiU17gU0iWyi69nLONS6bmslc48yJWcTYjCwohcheG_7sKpl1j0W0NXa9DackdDZztJ79K9TN00E4_kNDnjlAlF-QsLfsGujvU1XdepgoNKUM-FzH99o3e6R04hUOgq6QV7tv64EQb0cBlig8WU?testcase_id=4974520718065664

<iframe></iframe>
<script>
var iframe = document.getElementsByTagName('iframe')[0];
iframe.contentDocument.documentElement.contentEditable = true;
iframe.contentDocument.documentElement.addEventListener('focusout', function () {
  iframe.parentNode.removeChild(iframe);
});
iframe.contentDocument.documentElement.focus();
</script>

Additional requirements: Requires Gestures
Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 27 2017
ClusterFuzz testcase 4974520718065664 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jan 27 2017
This bug requires manual review: We are only 3 days from stable. Please contact the milestone owner if you have questions.

Owners: amineer@(clank), cmasso@(bling), gkihumba@(cros), bustamante@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jan 27 2017
This is too late in the cycle for M56, which is already in Stable, but probably should be merged into M57.
Jan 27 2017
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact the milestone owner if you have questions.

Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jan 27 2017
Please merge your change to the M57 branch 2987 before 5:00 PM PT Monday (01/30) so we can pick it up for next week's last M57 Dev release. Thank you.
Jan 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/5b0c94296eb74cc8109e0aecf4342deba60dae19

commit 5b0c94296eb74cc8109e0aecf4342deba60dae19
Author: Xiaocheng Hu <xiaochengh@chromium.org>
Date: Mon Jan 30 06:15:02 2017

Make Editor::revealSelectionAfterEditingOperation check document availability

The above mentioned function is called to reveal selection after a user initiated editing operation. However, it shouldn't proceed if the operation destroys the frame, which is ensured by this patch.

BUG=685347
TEST=LayoutTests/editing/inserting/insert_linebreak_remove_frame.html

Review-Url: https://codereview.chromium.org/2653063004
Cr-Commit-Position: refs/heads/master@{#446275}
(cherry picked from commit 4b7ec96e0cdf6ef721b15a31ea88d4c868f38929)

Review-Url: https://codereview.chromium.org/2666513002 .
Cr-Commit-Position: refs/branch-heads/2987@{#165}
Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}

[add] https://crrev.com/5b0c94296eb74cc8109e0aecf4342deba60dae19/third_party/WebKit/LayoutTests/editing/inserting/insert_linebreak_remove_frame.html
[modify] https://crrev.com/5b0c94296eb74cc8109e0aecf4342deba60dae19/third_party/WebKit/Source/core/editing/Editor.cpp
Comment 1 by mummare...@chromium.org, Jan 25 2017
Labels: Test-Predator-Wrong M-56
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)