PositionInFlatTree::toOffsetInAnchor() should handle the case computeContainerNode() == nullptr
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5475072900071424
Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::FlatTreeTraversal::traverseChild
  blink::FlatTreeTraversal::childAt
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454233:454289
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94Bz4-KF6u3ylcTEcFuEMyBP1tdwnz4Z9UobS7CWb8iUeJvD3L_olcEjieFuNyYdYhLjy7fZvUX2kryjlgbX0cEWM3_VbzuaacLOl0R7wav5SocUQ-L6jy6-wq7eOum_9j-f6ItB0mRC-7y9DfhR7fJgheUf2xVpMmnDBQz3dKQ4iJeKqsrOG0kL4588euR4ohnSTxnlnHNjJl85j7BrsAyE6r9raskxF3jepEQM0jPLuYQcDXsUUmNMJAsJ-O19F7pfdy97smJzdmhceDFVynzFaqBuW-0ipmhJyNZNCjXOf9n3onUapYAAXqEvMpiu-fQbeX9OX9kjv_7G6dLNTMBNE9XBh3kJboMM6kdhKbwyOdCNwc?testcase_id=5475072900071424

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Mar 20 2017

Mar 20 2017

Mar 23 2017

Mar 25 2017
For PositionInFlatTree::afterNode(SELECT) in the following DOM tree, PositionInFlatTree::computeContainerNode() returns nullptr. But PositionTemplate<Strategy>::toOffsetInAnchor() doesn't handle it.

    DIV (shadow host)
      #shadow-root
      SELECT

SELECT is subject to distribution, but the shadow host doesn't distribute it. Thus, FlatTreeTraversal::parent(SELECT) returns null.
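The following is an added illustration, not Blink's code: a toy model of the flat-tree parent computation for a shadow host's light child, and an afterNode()-to-offset conversion that returns a null position when the container is null instead of dereferencing it. Node, Distribution, flatTreeParent and afterNodeToOffsetInAnchor are names assumed for this model; the distributed/undistributed trees are constructed test data.

```cpp
#include <map>
#include <vector>

// Toy model of flat-tree position handling written for this page; it is not
// Blink's code and only mimics the shapes named in the bug.
struct Node {
    Node* lightParent = nullptr;
    bool isShadowHost = false;
    std::vector<Node*> flatChildren;  // children as seen in the flat (composed) tree
};

// Maps a shadow host's light child to the slot that distributes it (constructed
// test data; in Blink this would be the outcome of distribution).
using Distribution = std::map<const Node*, Node*>;

Node* flatTreeParent(const Node* n, const Distribution& dist) {
    Node* p = n->lightParent;
    if (!p || !p->isShadowHost) return p;           // ordinary DOM parent
    auto it = dist.find(n);                          // light child of a shadow host:
    return it == dist.end() ? nullptr : it->second;  // no slot => no flat-tree parent
}

struct Position {
    Node* anchor = nullptr;  // null anchor == null position
    int offset = 0;
    bool isNull() const { return anchor == nullptr; }
};

// Model of afterNode(n).toOffsetInAnchor() with the null-container case handled:
// a missing flat-tree parent yields a null position rather than a null dereference.
Position afterNodeToOffsetInAnchor(Node* n, const Distribution& dist) {
    Node* container = flatTreeParent(n, dist);
    if (!container) return Position{};
    int idx = 0;
    for (Node* c : container->flatChildren) { ++idx; if (c == n) break; }
    return Position{container, idx};
}

// The tree from the bug: DIV (shadow host) whose shadow tree distributes nothing,
// with SELECT as an undistributed light child.
bool undistributedSelectYieldsNullPosition() {
    Node div; div.isShadowHost = true;
    Node select; select.lightParent = &div;
    Distribution none;
    return afterNodeToOffsetInAnchor(&select, none).isNull();
}

// Same host, but a slot distributes the SELECT: the position resolves to (slot, 1).
bool distributedSelectResolves() {
    Node div; div.isShadowHost = true;
    Node slot; Node select; select.lightParent = &div;
    slot.flatChildren = {&select};
    Distribution dist{{&select, &slot}};
    Position p = afterNodeToOffsetInAnchor(&select, dist);
    return p.anchor == &slot && p.offset == 1;
}
```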
Mar 25 2017
Stack trace:

PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(blink::Node * anchorNode, int offset) Line 125
PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::toOffsetInAnchor() Line 212
adjustPositionForBackwardIteration<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & position) Line 2901
mostBackwardCaretPosition<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & position, blink::EditingBoundaryCrossingRule rule) Line 2920
mostBackwardCaretPosition(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & position, blink::EditingBoundaryCrossingRule rule) Line 3074
canonicalPosition<blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > >(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & passedPosition) Line 109
canonicalPositionOf(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & position) Line 171
VisiblePositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::create(const blink::PositionWithAffinityTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & positionWithAffinity) Line 87
createVisiblePosition(const blink::PositionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & position, blink::TextAffinity affinity) Line 157
VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::setBaseAndExtentToDeepEquivalents() Line 201
VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::validate(blink::TextGranularity granularity) Line 415
VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 63
VisibleSelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> >::create(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 68
createVisibleSelection(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::FlatTreeTraversal> > & selection) Line 77
SelectionEditor::updateCachedVisibleSelectionIfNeeded() Line 380
SelectionEditor::computeVisibleSelectionInDOMTree() Line 78
FrameSelection::computeVisibleSelectionInDOMTree() Line 124
FrameSelection::computeVisibleSelectionInDOMTreeDeprecated() Line 159
FrameSelection::setFocusedNodeIfNeeded() Line 805
FrameSelection::didSetSelectionDeprecated(unsigned int options, blink::CursorAlignOnScroll align) Line 242
DOMSelection::updateFrameSelection(const blink::SelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > & selection, blink::Range * newCachedRange) Line 89
DOMSelection::collapseToEnd(blink::ExceptionState & exceptionState) Line 302
Mar 25 2017
I guess the way to fix this bug is to move patch [1] forward.

[1] http://crrev.com/2729313002: Prune layout update calls from Editor::*appliedEditing
Mar 27 2017
yosin@ is working on it with http://crrev.com/2772233002
Mar 29 2017
Lowering to Pri-2, since ToT doesn't hit the crash.
Apr 9 2017
ClusterFuzz has detected this issue as fixed in range 458746:463137.

Detailed report: https://clusterfuzz.com/testcase?key=5475072900071424
Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::FlatTreeTraversal::traverseChild
  blink::FlatTreeTraversal::childAt
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454233:454289
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=458746:463137
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94Bz4-KF6u3ylcTEcFuEMyBP1tdwnz4Z9UobS7CWb8iUeJvD3L_olcEjieFuNyYdYhLjy7fZvUX2kryjlgbX0cEWM3_VbzuaacLOl0R7wav5SocUQ-L6jy6-wq7eOum_9j-f6ItB0mRC-7y9DfhR7fJgheUf2xVpMmnDBQz3dKQ4iJeKqsrOG0kL4588euR4ohnSTxnlnHNjJl85j7BrsAyE6r9raskxF3jepEQM0jPLuYQcDXsUUmNMJAsJ-O19F7pfdy97smJzdmhceDFVynzFaqBuW-0ipmhJyNZNCjXOf9n3onUapYAAXqEvMpiu-fQbeX9OX9kjv_7G6dLNTMBNE9XBh3kJboMM6kdhKbwyOdCNwc?testcase_id=5475072900071424

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 9 2017
ClusterFuzz testcase 5475072900071424 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Mar 20 2017
Components: Blink>Editing
Labels: M58 Test-Predator-Correct-CLs
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)