Crash in blink::Node::canParticipateInFlatTree
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5123562492133376
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::Node::canParticipateInFlatTree
  blink::Document::updateStyleAndLayoutTreeForNode
  blink::SpellChecker::didEndEditingOnTextField
Memory Tool: SYZYASAN
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_content_shell&range=448154:448156
Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv969tseBSjzLzYW2zW2zBRChQD1AiZBHgeodPSoNwxlh1pwfL6nLfIHibVg2ExBCAH-s3fz7nNwccc79EhF4N0dMkUcj3TVTtnQO4XePjoJuKaYgI4dExIakRhMlf5xElsOgU0znzGKqoD9lLSOOdWYbH9pRZQ5qdsOqO1EGO488INKujTYrC85PkS8w9whVNeEP98JxUfn_RunKJz3QM1L-2Afpa8Nqu0C5_jCogn0v1YNahrJtb-jAeo83sNUk4HUMBxkI4RPp4XvI3o7dZJTdlMwmj03QoL62HWEEo-NUM-G57yHeF5VEh02siMqKXESJXE87RAZGb1wpEe3IqXU5DVw3bmYSew-yFnGW7mWF2eoc8oUgd_sLwQ93VhRWMq6ExiiwU6JWpDai7NQly9EmRNGASg?testcase_id=5123562492133376

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 1 2017
Sorry, I didn't notice this assignment. I'd reroute this issue to yosin@ from the editing team since the stack trace contains blink::SpellChecker::didEndEditingOnTextField.
Mar 6 2017

Mar 6 2017

Mar 16 2017

Mar 16 2017
I manually reduced the minimized repro case (attached as min.html). Basically, what it does is recursively change all attribute values for each element under a certain root, and incidentally this test picked up <input>'s user-agent shadow as the root. The user-agent shadow looks like "<div id="inner-editor"></div>". After the script runs, the id is modified.

The crash happens on the shutdown path:

  #3 0x7f2ce5fcecb9 blink::Document::updateStyleAndLayoutTreeForNode()
  #4 0x7f2ce63362ed blink::SpellChecker::removeSpellingAndGrammarMarkers()
  #5 0x7f2ce6336298 blink::SpellChecker::didEndEditingOnTextField()
  #6 0x7f2ce652d422 blink::HTMLInputElement::endEditing()
  #7 0x7f2ce5fd2697 blink::Document::dispatchUnloadEvents()
  #8 0x7f2ce6bfd05c blink::FrameLoader::dispatchUnloadEvent()

The <input> element tries to clean up things, and in the spellchecker cleanup, https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/editing/spellcheck/SpellChecker.cpp?l=772

  HTMLElement* innerEditor = textControlElement->innerEditorElement();
  removeSpellingAndGrammarMarkers(*innerEditor);

the code tries to pick up the inner editor element, but as its id was replaced, |innerEditor| gets nullptr. The code path never happens with real web sites (as opposed to the minimized script, which uses 'window.internals.shadowRoot()' to inspect the user-agent shadow), so this is not a bug to fix.
Apr 20 2017

ClusterFuzz has detected this issue as fixed in range 465765:465806.

Detailed report: https://clusterfuzz.com/testcase?key=5123562492133376
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_content_shell
Platform Id: windows
Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::Node::canParticipateInFlatTree
  blink::Document::updateStyleAndLayoutTreeForNode
  blink::SpellChecker::didEndEditingOnTextField
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=448154:448156
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_content_shell&range=465765:465806
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv969tseBSjzLzYW2zW2zBRChQD1AiZBHgeodPSoNwxlh1pwfL6nLfIHibVg2ExBCAH-s3fz7nNwccc79EhF4N0dMkUcj3TVTtnQO4XePjoJuKaYgI4dExIakRhMlf5xElsOgU0znzGKqoD9lLSOOdWYbH9pRZQ5qdsOqO1EGO488INKujTYrC85PkS8w9whVNeEP98JxUfn_RunKJz3QM1L-2Afpa8Nqu0C5_jCogn0v1YNahrJtb-jAeo83sNUk4HUMBxkI4RPp4XvI3o7dZJTdlMwmj03QoL62HWEEo-NUM-G57yHeF5VEh02siMqKXESJXE87RAZGb1wpEe3IqXU5DVw3bmYSew-yFnGW7mWF2eoc8oUgd_sLwQ93VhRWMq6ExiiwU6JWpDai7NQly9EmRNGASg?testcase_id=5123562492133376

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by nyerramilli@chromium.org, Feb 6 2017
Labels: -Type-Bug Test-Predator-Wrong-CLs M-58 Type-Bug-Regression
Owner: toyoshim@chromium.org
Status: Assigned (was: Untriaged)