
Issue 712510

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: May 2017
Cc:
Components:
EstimatedDays: ----
NextAction: 2017-05-01
OS: All, Mac
Pri: 2
Type: Bug




CompositeEditCommand::MoveParagraphWithClones should handle |before_paragraph| becoming disconnected

Reported by ClusterFuzz (Project Member), Apr 18 2017

Issue description

Cc: msrchandra@chromium.org
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-58
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)
Assigning to concern owner from Predator results --
The result is a list of CLs that change the crashed files.

Author: yosin
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/2211504ac2b999a125b2215ce7f6be9e50878fea
Time: Thu Mar 02 12:28:15 2017
Files PositionIterator.cpp, VisibleUnits.cpp are changed in this CL (and is part of stack frame #3, "blink::PositionIteratorAlgorithm >::PositionIteratorAlgorithm")
Minimum distance from crash line to modified line: 4. (file: PositionIterator.cpp, crashed on: 59, modified: 63).

@yosin -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

Comment 2 by yosin@chromium.org, Apr 27 2017

Labels: -M-58

Comment 3 by yosin@chromium.org, Apr 27 2017

Labels: Pri-2
Owner: ----
Status: Available (was: Assigned)
Lower to Pri-2, since this issue is caused by unusual HTML.
Components: -Blink>Editing Blink>Editing>Command
Labels: -OS-Mac OS-All
Owner: xiaoche...@chromium.org
Status: Started (was: Available)
Summary: CompositeEditCommand::MoveParagraphWithClones should handle |before_paragraph| becoming disconnected (was: Crash in blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >)
Minimized repro:

<!doctype html>
<div contenteditable>
  <h6>
    <button id=button><table></table></button>
  </h6>
  <object id=object></object>
</div>
<script>
getSelection().setBaseAndExtent(button, 0, object, 0);
document.execCommand('indent');
</script>

Check failed: position_with_affinity.IsConnected(). BUTTON@offsetInAnchor[0]/TextAffinity::Downstream

NextAction: 2017-05-01
In review: https://codereview.chromium.org/2850773003

Comment 6 by ClusterFuzz (Project Member), Apr 29 2017

Labels: OS-Mac

Comment 7 by bugdroid1@chromium.org (Project Member), May 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a4e8fc5aeabab79dd84a7ced4b7c433a428864a5

commit a4e8fc5aeabab79dd84a7ced4b7c433a428864a5
Author: xiaochengh <xiaochengh@chromium.org>
Date: Mon May 01 04:11:13 2017

Use RelocatablePosition in CompositeEditCommand::MoveParagraphWithClones

Clusterfuzz found a sample where
CompositeEditCommand::MoveParagraphWithClones() moves |before_paragraph|
out of the DOM tree after moving the paragraph. This patch uses
RelocatablePosition to track |before_paragraph| and |after_paragraph| so
that the positions we track are always connected.

Note: CompositeEditCommand::MoveParagraphs() is already using
RelocatablePosition to track positions before and after the moved
paragraphs.

BUG=712510
TEST=ApplyBlockElementCommandTest.IndentHeadingIntoBlockquote

Review-Url: https://codereview.chromium.org/2850773003
Cr-Commit-Position: refs/heads/master@{#468278}

[modify] https://crrev.com/a4e8fc5aeabab79dd84a7ced4b7c433a428864a5/third_party/WebKit/Source/core/editing/commands/ApplyBlockElementCommandTest.cpp
[modify] https://crrev.com/a4e8fc5aeabab79dd84a7ced4b7c433a428864a5/third_party/WebKit/Source/core/editing/commands/CompositeEditCommand.cpp
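
The commit message above describes the fix in terms of tracking positions so that they stay connected while the paragraph is moved. The following is an added C++ example, not Blink code and not the RelocatablePosition implementation: a simplified model in which a raw (node, offset) position goes stale when its anchor node is detached, while a document-tracked position is re-anchored the way live DOM Range boundary points are. The Node, Document and SimulateMove names are assumptions made for the illustration.

```cpp
// Added example (not Blink code): a tiny DOM-like tree. A raw (node, offset)
// position goes stale when its anchor is detached; a document-tracked position
// is re-anchored on removal, as live DOM Range boundary points are.
#include <algorithm>
#include <vector>

struct Node { Node* parent = nullptr; std::vector<Node*> children; };
// True iff |n| is |ancestor| or lies in its subtree.
static bool Contains(const Node* ancestor, const Node* n) {
  for (; n; n = n->parent) if (n == ancestor) return true;
  return false;
}
struct Position {
  Node* anchor = nullptr;
  int offset = 0;
  // Connected iff walking up from the anchor reaches the document root.
  bool IsConnected(const Node* root) const { return Contains(root, anchor); }
};
class Document {
 public:
  Node root;
  std::vector<Position*> tracked;  // positions the document keeps live
  void AppendChild(Node* p, Node* c) { c->parent = p; p->children.push_back(c); }
  // Detaches |node|. Any tracked position anchored inside the removed subtree
  // is moved to the (parent, index) slot that subtree occupied.
  void RemoveChild(Node* node) {
    Node* parent = node->parent;
    auto& kids = parent->children;
    int index = int(std::find(kids.begin(), kids.end(), node) - kids.begin());
    for (Position* p : tracked)
      if (Contains(node, p->anchor)) *p = Position{parent, index};
    kids.erase(kids.begin() + index);
    node->parent = nullptr;
  }
};
// Scenario modelled on the repro: a position recorded inside the <h6> before the
// indent moves it; detaching the <h6> takes the raw anchor out of the tree.
struct Outcome { bool raw_connected; bool tracked_connected; int tracked_offset; };
Outcome SimulateMove() {
  Document doc;
  Node div, h6, button, object;
  doc.AppendChild(&doc.root, &div);
  doc.AppendChild(&div, &h6);
  doc.AppendChild(&h6, &button);
  doc.AppendChild(&div, &object);
  Position raw{&button, 0}, tracked{&button, 0};
  doc.tracked.push_back(&tracked);
  doc.RemoveChild(&h6);  // the "paragraph" leaves the DOM, as in the crash
  return {raw.IsConnected(&doc.root), tracked.IsConnected(&doc.root), tracked.offset};
}
```

After the move the raw position fails the same kind of connectivity check the crash reported, while the tracked one now points at the slot in the parent where the removed paragraph was.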

Comment 8 by ClusterFuzz (Project Member), May 1 2017

ClusterFuzz has detected this issue as fixed in range 468274:468284.

Detailed report: https://clusterfuzz.com/testcase?key=4581607202881536

Fuzzer: bj_broddelwerk
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::NodeTraversal> >
  blink::MostBackwardCaretPosition
  blink::CanonicalPositionOf
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=454233:454289
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=468274:468284

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4581607202881536


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 9 by ClusterFuzz (Project Member), May 1 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 4581607202881536 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
