
Issue 688890

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , All
Pri: 3
Type: Bug




FormatBlock command crashes with unusual HTML

Project Member Reported by ClusterFuzz, Feb 6 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>Editing
Labels: Test-Predator-Wrong
Owner: yoichio@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not find any possible suspects.
Using Code Search for the file "EditingUtilities.cpp", assigning to the concerned owner,
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/3f666d4d97f2420c800e87939b5762676efcb5b5

@yoichio -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.
Labels: -OS-Linux OS-All
Repro on 58.0.2991.0 Windows.

Comment 3 by yosin@chromium.org, Feb 14 2017

Components: -Blink>Editing Blink>Editing>Command
Labels: -Pri-1 Pri-2
Owner: ----
Status: Available (was: Assigned)
Summary: FormatBlock command crashes with unusual HTML (was: a.isNotNull() in EditingUtilities.cpp)
Lower to Pri-2 since real world usage of FormatBlock command is low.

DOM tree at DCHECK:
BODY class="CLASS9 CLASS7" (editable)
	#text "\n"
	INS (editable)
		#text "\n"
		svg (editable)
			#text "\n"
	#text ""
	HEAD (editable)
		SCRIPT (editable)
			#text "\nfunction event_handler_2D0_DOMContentLoaded() {\n  var oSelection=window.getSelection();\n  document.execCommand(\"SelectAll\")\n  var oRange = oSelection.rangeCount ? oSelection.getRangeAt(82 % oSelection.rangeCount) : null;\n    var oParentElement = (function(){\n  })();\n    var oInsertedElement = (function(){\n    var aoElements = document.getElementsByTagName(\"*\");\n    if (aoElements.length) return aoElements[1 % aoElements.length];\n  })();\noRange.insertNode(oInsertedElement)\n  var oElement2 = ({\n  })();\n}\ndocument.addEventListener(\"DOMContentLoaded\", event_handler_2D0_DOMContentLoaded);\nfunction event_handler_2D1_selectstart() {\n  var oElement = event.srcElement;\noElement.insertAdjacentText('afterend', 'i4****[S[[[[[[2:3}}}}}}}}}}}}\"J\\'')\n}\ndocument.addEventListener(\"selectstart\", event_handler_2D1_selectstart);\nfunction event_handler_2D2_DOMSubtreeModified() {\n  var oElement = event.srcElement;\noElement.contentEditable = oElement.contentEditable == \"true\" ? \"false\" : \"true\";\n  document.execCommand('FormatBlock',false,'<dl>');\n    var oParent = (function(){\n  })();\n}\ndocument.addEventListener(\"DOMSubtreeModified\", event_handler_2D2_DOMSubtreeModified);\n  "
		#text "\n"
		STYLE (editable)
			#text "\n.CLASS7{-webkit-hyphens:initial;display:inline;"
		#text "\n"
	DL (editable)
SE	#text "\n"
start: offsetInAnchor[0]
end: offsetInAnchor[1]

Comment 4 by ClusterFuzz (Project Member), Mar 16 2017

Labels: OS-Linux

Comment 5 by yosin@chromium.org, May 22 2017

Labels: Pri-3
Bulk set to Pri-3 for cluster fuzz bugs.
Since these issues happen with unusual HTML.

Comment 6 by ClusterFuzz (Project Member), Jul 30 2017

Labels: Stability-Memory-AddressSanitizer
Detailed report: https://clusterfuzz.com/testcase?key=5257832101576704

Job Type: linux_debug_content_shell_drt
Crash Type: CHECK failure
Crash Address: 
Crash State:
  a.IsNotNull() in EditingUtilities.cpp
  blink::ComparePositions
  blink::CompositeEditCommand::MoveParagraphWithClones
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5257832101576704


See https://github.com/google/clusterfuzz-tools for more information.

Comment 7 by ClusterFuzz (Project Member), Aug 29 2017

Status: WontFix (was: Available)
ClusterFuzz testcase 5257832101576704 is flaky and no longer reproduces, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
