
Issue 709872 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: 2017-05-01
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




Crash in blink::FlatTreeTraversal::TraverseChild

Project Member Reported by ClusterFuzz, Apr 10 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-59
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/2211504ac2b999a125b2215ce7f6be9e50878fea
Time: Thu Mar 02 12:28:15 2017
Lines 63-64 of file PositionIterator.cpp which potentially caused crash are changed in this cl (frame #6, "blink::PositionIteratorAlgorithm >::PositionIteratorAlgorithm").
Minimum distance from crash line to modified line: 0. (file: PositionIterator.cpp, crashed on: 64, modified: 64).

@yosin -- Could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by yosin@chromium.org, Apr 12 2017

Components: -Blink>Editing Blink>Editing>Selection
Labels: OS-Linux OS-Windows
Status: Available (was: Assigned)
Here is minimized HTML:

<input>
<script>
document.execCommand('selectAll'); 
getSelection().modify('extend', 'forward', 'sentence');
document.body.createShadowRoot();
</script>

Comment 3 by yosin@chromium.org, Apr 12 2017

Labels: -Pri-1 Pri-2
Owner: ----
Lower to Pri-2, since real world usage of Selection#modify() with 'sentence' is low.

Project Member Comment 4 by bugdroid1@chromium.org, Apr 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0cbb9fc2999813a837b8ee0483f77e3879cc25e0

commit 0cbb9fc2999813a837b8ee0483f77e3879cc25e0
Author: xiaochengh <xiaochengh@chromium.org>
Date: Thu Apr 27 15:04:10 2017

Stop flat tree selection canonicalization from using invalid positions

There are some valid DOM positions (*) that do not have corresponding
valid flat tree positions. This patch adds special handling of such
DOM positions, so that when computing VisibleSelectionInFlatTree from
SelectionInDOMTree, such positions are converted to NULL instead of
invalid flat tree positions, so that the renderer does not crash.

(*) If NODE is a direct child of a shadow host but is not distributed
into the flat tree, NODE@BeforeAnchor and NODE@AfterAnchor are valid
Position but invalid PositionInFlatTree. This patch handles these two
kind of positions.

BUG=702756,709872,712984
TEST=FrameSelectionTest.SelectInvalidPositionInFlatTreeDoesntCrash

Review-Url: https://codereview.chromium.org/2850443002
Cr-Commit-Position: refs/heads/master@{#467676}

[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/FrameSelectionTest.cpp
[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/Position.cpp
[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/SelectionEditor.cpp

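To make the rule in the commit message concrete, here is an added toy model (not Blink code, and not part of this bug) of how a DOM position anchored before or after a node is mapped to a flat-tree position. It models distribution with v1-style slots rather than the v0 createShadowRoot() used in the minimized test case; all node fields, helper names and the two scenarios are assumptions of the model. The point it shows is the one the fix relies on: a light-DOM child of a shadow host that is not distributed has no flat-tree parent, so the conversion must return null instead of handing traversal a position it cannot resolve.

```javascript
// Added example (not Blink code): a toy model of DOM-tree vs. flat-tree
// positions. Node shape, helper names and scenarios are assumptions.

function makeNode(name, opts = {}) {
  return {
    name,
    parent: null,
    children: [],
    shadowRoot: null,                // set when this node is a shadow host
    host: null,                      // set on a shadow root, points back to its host
    isShadowRoot: !!opts.isShadowRoot,
    isSlot: !!opts.isSlot,           // a <slot>-like insertion point
    slotName: opts.slotName || '',   // slot name (on slots) or slot attribute (on light-DOM children)
  };
}

function appendChild(parent, child) {
  child.parent = parent;
  parent.children.push(child);
  return child;
}

function attachShadow(host) {
  const root = makeNode('#shadow-root', { isShadowRoot: true });
  root.host = host;
  host.shadowRoot = root;
  return root;
}

// Slot in the host's shadow tree with a matching name
// (model simplification: only direct children of the shadow root are considered).
function findSlot(shadowRoot, name) {
  return shadowRoot.children.find((c) => c.isSlot && c.slotName === name) || null;
}

// Light-DOM children of the host that are assigned to this slot.
function assignedNodes(slot) {
  const host = slot.parent.host;
  return host.children.filter((c) => c.slotName === slot.slotName);
}

// Flat-tree parent of a node, or null if the node has no place in the flat tree.
function flatTreeParent(node) {
  const p = node.parent;
  if (p === null) return null;
  if (p.isShadowRoot) return p.host;               // shadow root's children hang off the host
  if (p.shadowRoot !== null) {                     // p is a shadow host: node is a light-DOM child,
    return findSlot(p.shadowRoot, node.slotName);  // reachable only through a slot (null if not distributed)
  }
  return p;
}

// Flat-tree children of a node (what layout and selection canonicalization traverse).
function flatTreeChildren(node) {
  if (node.shadowRoot !== null) return node.shadowRoot.children;
  if (node.isSlot) {
    const assigned = assignedNodes(node);
    return assigned.length > 0 ? assigned : node.children; // fallback content if nothing is assigned
  }
  return node.children;
}

// A DOM position anchored before or after a node: { anchorNode, type: 'before' | 'after' }.
// Returns a flat-tree position { container, offset }, or null when the anchor node is a
// shadow host's child that is not distributed (the case the fix above special-cases).
function toFlatTreePosition(pos) {
  const container = flatTreeParent(pos.anchorNode);
  if (container === null) return null;
  const index = flatTreeChildren(container).indexOf(pos.anchorNode);
  if (index < 0) return null; // defensive: anchor is not among the container's flat-tree children
  return { container, offset: pos.type === 'before' ? index : index + 1 };
}

// Scenario 1 (mirrors the minimized test case): <body><input></body>, then the body gets
// an empty shadow tree, so the input is no longer distributed anywhere.
function undistributedCase() {
  const body = makeNode('body');
  const input = appendChild(body, makeNode('input'));
  attachShadow(body);                                // no slot: input has no flat-tree parent
  return toFlatTreePosition({ anchorNode: input, type: 'before' });
}

// Scenario 2: same child, but the shadow tree contains a default slot, so it is distributed.
function distributedCase() {
  const body = makeNode('body');
  const input = appendChild(body, makeNode('input'));
  const root = attachShadow(body);
  appendChild(root, makeNode('slot', { isSlot: true }));
  const flat = toFlatTreePosition({ anchorNode: input, type: 'after' });
  return flat === null ? null : { container: flat.container.name, offset: flat.offset };
}

console.log(undistributedCase()); // null
console.log(distributedCase());   // { container: 'slot', offset: 1 }
```

The null result in scenario 1 is the value a caller has to check for; the crash state in this bug (a read at address 0x10 inside FlatTreeTraversal::TraverseChild) is what happens when an unresolvable position is instead passed on to child traversal as if it were valid.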
NextAction: 2017-05-01
Owner: xiaoche...@chromium.org
Status: Assigned (was: Available)
With the fix landed, will redo next week.

Project Member Comment 6 by ClusterFuzz, Apr 28 2017

ClusterFuzz has detected this issue as fixed in range 467672:467685.

Detailed report: https://clusterfuzz.com/testcase?key=5001552394977280

Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::FlatTreeTraversal::TraverseChild
  blink::FlatTreeTraversal::ChildAt
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454233:454289
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=467672:467685

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5001552394977280


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 7 by yosin@chromium.org, Apr 28 2017

Status: Fixed (was: Assigned)
Mark Fixed according to #c5 and #c6
