Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: tkent
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/552ceb6deed19e86f89eb32b8fb3923217cefd7e
Time: Mon Feb 20 08:49:02 2017
File DOMSelection.cpp is changed in this cl (and is part of stack frame #3, "blink::DOMSelection::addRange")
Minimum distance from crash line to modified line: 2. (file: DOMSelection.cpp, crashed on: 632, modified: 634). 

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/2090c9f72c7eebd76726965cfc7d15cb8d1cc12d
Time: Mon Feb 20 11:30:14 2017
File DOMSelection.cpp is changed in this cl (and is part of stack frame #3, "blink::DOMSelection::addRange")
Minimum distance from crash line to modified line: 34. (file: DOMSelection.cpp, crashed on: 632, modified: 666).

@tkent -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Hand-minimized test case:

<script>
document.head.textContent = "|||||||OOOOOOOObbbb|Jq'IEEEEEEEf";
getSelection().collapse(document.documentElement);
var oRange = getSelection().getRangeAt(0).cloneRange();
getSelection().addRange(oRange);
</script>

Issue 694839 has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ca0cbc0427aa4c5a60e00ce75a004e44347056eb

commit ca0cbc0427aa4c5a60e00ce75a004e44347056eb
Author: tkent <tkent@chromium.org>
Date: Wed Feb 22 09:28:03 2017

Selection API: Fix a null pointer dereference in addRange().

FrameSelection::firstRange() can be null if the cached Range points invisible
elements.

BUG= 694414 

Review-Url: https://codereview.chromium.org/2707993004
Cr-Commit-Position: refs/heads/master@{#451954}

[add] https://crrev.com/ca0cbc0427aa4c5a60e00ce75a004e44347056eb/third_party/WebKit/LayoutTests/editing/selection/addrange-crash.html
[modify] https://crrev.com/ca0cbc0427aa4c5a60e00ce75a004e44347056eb/third_party/WebKit/Source/core/editing/DOMSelection.cpp

ClusterFuzz has detected this issue as fixed in range 451929:451968.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5252605388521472

Fuzzer: bj_broddelwerk
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000018
Crash State:
  get
  container
  startContainer
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=451573:451600
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_lsan_chrome_mp&range=451929:451968

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95yX45Rh0Ay3FtRGT8Mima2wGOYRK4qskoOO3bJpWWGPlcNy3eHz4Mmu45sFCyeDQxDA53WMHQbp7EGUqlZ9Oqln-IA281CAa3EM82LAE4RoDBzhk8K8b-CMIqhBebd8v6dswFvekPL1_bQ-96UEai2bG6iq1AgKkUoYli6b9tXMn3u1ZFTkTLqcDlXB09DIZRQtW_BvxapyD1-ntQiszWvT-L0mD-RFfNq3T6o7yBt1ChxYTv82LSp-ml48jCaNr6v6c8DIlT0Qd-2MFMjA-q3VNuGWarBeCxzU-P2ll45_Ub7pRqlJMfDunMwJ-vUZxgocHFOdA9NZ6DrVCPXIgN1xz0y2wkKENRSS-t4b7Kk4K3y5or4JVSLqusqXWmcmq1_jCVs3ZtfCnxpBLBqrpysaSzUlg?testcase_id=5252605388521472


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.