Crash in blink::FlatTreeTraversal::traverseChild
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6281372445704192

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::FlatTreeTraversal::traverseChild
  blink::FlatTreeTraversal::childAt
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa

Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=454233:454289

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96uMWMDfKvBnth0Z-O_jtTvlXlGE3oIEoi1AfPmpFjbVH6z-mIeiLXofXLH3FYSRHLgLVJanoveunW7citShu8JuHn4xuWXuJJK7DPGvvv5MuRSwSkPzUuEYo8xcAmubaUkqQv9tbHuptKUjU2vsFeBqDcJuKhXcCUfdrjqV4Bz1RTl4QLzm7rKiqb4hGyXE_qmQ0zt6x1BZq0OliFjT3zj7iW5a8fH0fbD2aodLtY4lYv6fxplQx6WCNqsnK4l4MfL_NN-fV2slAZGlM0dI8mCM6Y7KbqdjaYzP-mZKI3-kZUyAl5zHOIjLhP76no1ZnbZZni23YGS6mMnIDfyqGqcOhrL6n8wcPkYOK4eYwyxOGDC4K4?testcase_id=6281372445704192

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 26 2017
This looks like a gimme, null deref.
Apr 27 2017
Seems to be a dup of issue 702756: canonicalizing a PositionInFlatTree of type AfterAnchor anchored at a child node of a shadow host. I think we should land the fix in crrev.com/2772233002.
Apr 27 2017
Lower to Pri-2, since this issue is caused by unusual HTML.
Apr 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0cbb9fc2999813a837b8ee0483f77e3879cc25e0

commit 0cbb9fc2999813a837b8ee0483f77e3879cc25e0
Author: xiaochengh <xiaochengh@chromium.org>
Date: Thu Apr 27 15:04:10 2017

    Stop flat tree selection canonicalization from using invalid positions

    There are some valid DOM positions (*) that do not have corresponding valid
    flat tree positions. This patch adds special handling of such DOM positions,
    so that when computing VisibleSelectionInFlatTree from SelectionInDOMTree,
    such positions are converted to NULL instead of invalid flat tree positions,
    so that the renderer does not crash.

    (*) If NODE is a direct child of a shadow host but is not distributed into
    the flat tree, NODE@BeforeAnchor and NODE@AfterAnchor are valid Position but
    invalid PositionInFlatTree. This patch handles these two kinds of positions.

    BUG=702756,709872,712984
    TEST=FrameSelectionTest.SelectInvalidPositionInFlatTreeDoesntCrash

    Review-Url: https://codereview.chromium.org/2850443002
    Cr-Commit-Position: refs/heads/master@{#467676}

[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/FrameSelectionTest.cpp
[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/Position.cpp
[modify] https://crrev.com/0cbb9fc2999813a837b8ee0483f77e3879cc25e0/third_party/WebKit/Source/core/editing/SelectionEditor.cpp
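To make the rule in the commit message concrete, here is an added example (not Blink code, and not written by anyone on this bug): a toy C++ model of a light DOM with a shadow host and slots, the flat-tree traversal over it, and a DOM-to-flat-tree position conversion that returns an empty optional for NODE@BeforeAnchor and NODE@AfterAnchor when NODE is a direct child of a shadow host that was never distributed, the two cases the patch special-cases. The Node, Tree, Position, FlatPosition and Sample types, every helper name, and the simplified slot assignment (only slots that are direct children of the shadow root, matched by name) are assumptions of this illustration; the sample tree is constructed inline.

```cpp
#include <memory>
#include <optional>
#include <string>
#include <vector>
struct Node {                   // toy DOM node, assumed for this example (not Blink's Node)
  std::string tag;
  Node* parent = nullptr;       // light-DOM parent, nullptr for roots
  std::vector<Node*> children;  // light-DOM children, in order
  Node* shadowRoot = nullptr;   // non-null only on a shadow host
  Node* host = nullptr;         // set on a shadow root, points back to its host
  std::string slotName;         // <slot name="...">, used when tag == "slot"
  std::string slotAttr;         // slot="..." on a light-DOM child of a host
};
struct Tree {                   // owns every node so the raw pointers above stay valid
  std::vector<std::unique_ptr<Node>> arena;
  Node* make(const std::string& tag, Node* parent) {
    Node* n = arena.emplace_back(std::make_unique<Node>()).get();
    n->tag = tag; n->parent = parent;
    if (parent) parent->children.push_back(n);
    return n;
  }
  Node* attachShadow(Node* host) {  // creates the shadow root and links it both ways
    Node* root = make("#shadow-root", nullptr);
    root->host = host; host->shadowRoot = root;
    return root;
  }
};

// Simplified slot assignment (assumption): only slots that are direct children of
// the shadow root count, matched by name against the child's slot attribute.
static Node* assignedSlot(const Node* child) {
  const Node* host = child->parent;
  if (!host || !host->shadowRoot) return nullptr;
  for (Node* n : host->shadowRoot->children)
    if (n->tag == "slot" && n->slotName == child->slotAttr) return n;
  return nullptr;
}

// Flat-tree children: a host's are its shadow root's; a slot's are its assigned nodes.
static std::vector<Node*> flatTreeChildren(const Node* n) {
  if (n->shadowRoot) return n->shadowRoot->children;
  if (n->tag == "slot") {
    std::vector<Node*> assigned;
    if (n->parent && n->parent->host)
      for (Node* c : n->parent->host->children)
        if (assignedSlot(c) == n) assigned.push_back(c);
    return assigned.empty() ? n->children : assigned;  // fallback content if unassigned
  }
  return n->children;
}

// A host's light-DOM child has its assigned slot as flat-tree parent, or none at all.
static Node* flatTreeParent(const Node* n) {
  if (n->parent && n->parent->shadowRoot) return assignedSlot(n);
  return n->parent;
}
enum class Anchor { BeforeAnchor, AfterAnchor, OffsetInAnchor };
struct Position { Node* node; Anchor anchor; int offset = 0; };  // DOM position
struct FlatPosition { Node* container; int offset; };           // flat-tree position

// The rule from the fix: NODE@BeforeAnchor / NODE@AfterAnchor on a non-distributed child of
// a shadow host has no flat-tree counterpart, so return "null" rather than a position whose
// container is nullptr (which is what childAt/traverseChild would then dereference).
static std::optional<FlatPosition> toPositionInFlatTree(const Position& p) {
  if (p.anchor == Anchor::OffsetInAnchor) return FlatPosition{p.node, p.offset};
  Node* parent = flatTreeParent(p.node);
  if (!parent) return std::nullopt;
  std::vector<Node*> kids = flatTreeChildren(parent);
  int index = 0; while (index < (int)kids.size() && kids[index] != p.node) ++index;
  if (index == (int)kids.size()) return std::nullopt;
  return FlatPosition{parent, index + (p.anchor == Anchor::AfterAnchor ? 1 : 0)};
}

// Constructed sample: <div><span slot="a"></span><b></b></div> whose shadow root holds
// only <slot name="a">, so <b> is a direct child of the host that is never distributed.
struct Sample { Tree tree; Node* host = nullptr; Node* slotA = nullptr; Node* spanA = nullptr; Node* b = nullptr; };
static Sample makeSample() {
  Sample s;
  s.host = s.tree.make("div", nullptr);
  s.slotA = s.tree.make("slot", s.tree.attachShadow(s.host));
  s.slotA->slotName = "a";
  s.spanA = s.tree.make("span", s.host);
  s.spanA->slotAttr = "a";
  s.b = s.tree.make("b", s.host);
  return s;
}

// <b>@BeforeAnchor and <b>@AfterAnchor are valid DOM positions with no flat-tree form.
static bool undistributedAnchorsConvertToNull() {
  Sample s = makeSample();
  return !toPositionInFlatTree({s.b, Anchor::BeforeAnchor}) &&
         !toPositionInFlatTree({s.b, Anchor::AfterAnchor});
}

// <span slot="a">@AfterAnchor maps to (slotA, 1): the span is the slot's only flat child.
static bool distributedAfterAnchorMapsIntoSlot() {
  Sample s = makeSample();
  auto fp = toPositionInFlatTree({s.spanA, Anchor::AfterAnchor});
  return fp && fp->container == s.slotA && fp->offset == 1;
}
```

The point of the empty optional is that the caller must check it before traversing: the top frames of the crash state (childAt calling traverseChild) are exactly where a flat-tree position with a null container would be dereferenced, which matches the near-zero crash address and the "null deref" assessment above. The model also shows why the fix is scoped to BeforeAnchor and AfterAnchor: an OffsetInAnchor position stays anchored at its own node and does not need a flat-tree parent to exist.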
Apr 28 2017
With the fix landed, will redo next week.
Apr 29 2017
ClusterFuzz has detected this issue as fixed in range 456626:457730.

Detailed report: https://clusterfuzz.com/testcase?key=6281372445704192

Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows

Crash Type: UNKNOWN
Crash Address: 0x0000000b
Crash State:
  blink::FlatTreeTraversal::traverseChild
  blink::FlatTreeTraversal::childAt
  blink::PositionIteratorAlgorithm<blink::EditingAlgorithm<blink::FlatTreeTraversa

Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=454233:454289
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=456626:457730

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6281372445704192

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 29 2017
Comment 1 by msrchandra@chromium.org, Apr 19 2017
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-58
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)