Assigning to the concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: yoichio
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/3638f51b033ad950d63f9186f7d0329a4eed48c9
Time: Mon May 22 10:52:02 2017
Lines 952-958, 979 of file FrameSelection.cpp which potentially caused crash are changed in this cl (frame #6, "AbsoluteSelectionBoundsOf"; frame #7, "blink::FrameSelection::RevealSelection"). 

File VisibleUnits.cpp is changed in this cl (and is part of stack frame #3, "ComputeTextBounds >"; frame #4, "ComputeTextRectTemplate >"; frame #5, "blink::ComputeTextRect")
Minimum distance from crash line to modified line: 0. (file: FrameSelection.cpp, crashed on: 977, modified: 977).

@yoichio -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a6a78b205297ad9733dbe8d828dcc43cfad7667e

commit a6a78b205297ad9733dbe8d828dcc43cfad7667e
Author: yoichio <yoichio@chromium.org>
Date: Mon Jul 10 09:21:40 2017

Use Layoutselection::SelectionBounds() in RevealSelection()

Before this patch, we use VisibleUnit::ComputeTextRect() to compute
 a rect to scroll.
However, ComputeTextRect() calls InlineTextBox::LocalSelectionRect() which
 depends on InlineTextBox current SelectionState.
To avoid that, update SeletionState and get a rect directly from
 LayoutSelection::SelectionBounds().

BUG= 739062 ,  740401 
TEST=LayoutTests/editing/input/scroll-with-tab-to-input-regression.html

Review-Url: https://codereview.chromium.org/2979513002
Cr-Commit-Position: refs/heads/master@{#485214}

[modify] https://crrev.com/a6a78b205297ad9733dbe8d828dcc43cfad7667e/third_party/WebKit/Source/core/editing/FrameSelection.cpp
[modify] https://crrev.com/a6a78b205297ad9733dbe8d828dcc43cfad7667e/third_party/WebKit/Source/core/editing/FrameSelection.h

 Issue 735853  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 485213:485241.

Detailed report: https://clusterfuzz.com/testcase?key=4752983492657152

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_lsan_chrome_mp
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  GetFlag
  HasRareData
  GetLayoutObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=473419:473579
Fixed: https://clusterfuzz.com/revisions?job=linux_lsan_chrome_mp&range=485213:485241

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4752983492657152


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Issue 740868 has been merged into this issue.

ClusterFuzz testcase 5804677278203904 is still reproducing on tip-of-tree build (trunk).

Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.