Cannot find inner editor under INPUT after UA shadow DOM tampered by TestRunner
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5056727658790912
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::CanParticipateInFlatTree
  blink::Document::NeedsLayoutTreeUpdateForNode
  blink::Document::UpdateStyleAndLayoutTreeForNode
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=447544:447851
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5056727658790912

Issue filed automatically. See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 24 2017
Apr 24 2017
This may be a duplicate of bug #688218, but I never managed to reproduce that one, so I don't know. Regarding this new bug report, I cannot reproduce this issue on Linux. I'll try to find some time to test it on Mac too. I guess using a pre-built binary from https://commondatastorage.googleapis.com/chromium-browser-asan/index.html should be valid to reproduce the problem. Am I missing something?
Apr 24 2017
Can repro on Linux with content_shell and the --run-layout-test flag. The crash is due to tampering with the id of the inner editor of an INPUT, making TextControlElement::InnerEditorElement() return null, resulting in a nullptr deref. I don't think this is really a bug -- only TestRunner has the power to tamper with a UA shadow DOM from JavaScript, and any code using TestRunner is considered testing code. Can we stop ClusterFuzz from generating incorrect testing code?
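As an added illustration of the mechanism described in the comment above (this is not Blink code and not part of the bug thread): a toy text control whose inner editor is found inside a shadow subtree by a well-known id. The names TextControlModel, kInnerEditorId, TamperInnerEditorId, NeedsLayoutUnsafe and NeedsLayoutSafe are assumptions chosen for the example, and the node layout is constructed so that the flag sits at offset 16, which is why a read through a null pointer here faults at 0x10, the same kind of small, near-zero address the ClusterFuzz report lists. The real Blink object layout is not on the page.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <memory>
#include <vector>

// Toy shadow-tree node. The fixed-size id puts the flag at byte offset 16
// (0x10); this layout is constructed for the example, not taken from Blink.
struct ShadowNode {
    char id[16];
    bool needs_layout_update;
};

// Model of a text control that owns a UA shadow subtree and finds its inner
// editor by id. All names here are assumptions for illustration.
class TextControlModel {
public:
    static constexpr const char* kInnerEditorId = "inner-editor";  // assumed id

    TextControlModel() {
        auto editor = std::make_unique<ShadowNode>();
        std::snprintf(editor->id, sizeof(editor->id), "%s", kInnerEditorId);
        editor->needs_layout_update = true;
        shadow_tree_.push_back(std::move(editor));
    }

    // Lookup by the well-known id; returns nullptr once the id no longer matches.
    ShadowNode* InnerEditorElement() const {
        for (const auto& node : shadow_tree_) {
            if (std::strcmp(node->id, kInnerEditorId) == 0) return node.get();
        }
        return nullptr;
    }

    // Stands in for the test-only tampering the comment describes: ordinary
    // page script cannot reach a UA shadow DOM, so only a test harness can
    // rename this node.
    void TamperInnerEditorId(const char* new_id) {
        std::snprintf(shadow_tree_.front()->id, sizeof(shadow_tree_.front()->id), "%s", new_id);
    }

    // Unsafe caller: dereferences the lookup result unconditionally. After
    // tampering this reads through a null pointer at offset 0x10, which ASan
    // reports as a null-dereference READ.
    bool NeedsLayoutUnsafe() const {
        return InnerEditorElement()->needs_layout_update;
    }

    // Hardened caller: a missing inner editor means there is nothing to update.
    bool NeedsLayoutSafe() const {
        const ShadowNode* editor = InnerEditorElement();
        if (!editor) return false;
        return editor->needs_layout_update;
    }

private:
    std::vector<std::unique_ptr<ShadowNode>> shadow_tree_;
};

// Byte offset at which the null dereference in NeedsLayoutUnsafe() would fault.
std::size_t NullDerefFaultOffset() {
    return offsetof(ShadowNode, needs_layout_update);
}

int main() {
    TextControlModel control;
    std::printf("before tampering: editor found = %d, needs layout = %d\n",
                control.InnerEditorElement() != nullptr, control.NeedsLayoutSafe());
    control.TamperInnerEditorId("renamed-by-test");
    std::printf("after tampering: editor found = %d, safe path = %d, unsafe fault offset = 0x%zx\n",
                control.InnerEditorElement() != nullptr, control.NeedsLayoutSafe(),
                NullDerefFaultOffset());
    return 0;
}
```

The point for triage is the one the comment makes: the lookup can only fail when something with test-harness privileges has renamed the node, so the unsafe path is unreachable from web content, while the small crash address is the signature of a null pointer plus a member offset rather than a wild or controlled read.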
Apr 25 2017
Thanks @xiaochengh, I can reproduce it now with "--run-layout-test" too. I'm attaching a reduced test case, but the issue is basically what @xiaochengh described. So I guess we can close this as "Won't Fix".
May 12 2017
May 26 2017
May 27 2017
ClusterFuzz has detected this issue as fixed in range 474922:474938.

Detailed report: https://clusterfuzz.com/testcase?key=5056727658790912
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  blink::Node::CanParticipateInFlatTree
  blink::Document::NeedsLayoutTreeUpdateForNode
  blink::Document::UpdateStyleAndLayoutTreeForNode
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=447544:447851
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=474922:474938
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5056727658790912

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Apr 24 2017
Components: Blink>Editing
Labels: Test-Predator-Correct-CLs M-58
Owner: r...@chromium.org
Status: Assigned (was: Untriaged)