
Issue 740410

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression

Null-dereference READ in blink::Element::InsertedInto

Project Member Reported by ClusterFuzz, Jul 10 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5432688373923840

Fuzzer: inferno_twister_c
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000009
Crash State:
  blink::Element::InsertedInto
  blink::ContainerNode::NotifyNodeInsertedInternal
  blink::ContainerNode::InsertNodeVector<blink::ContainerNode::AdoptAndInsertBefor
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=477160:477401

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5432688373923840


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: msrchandra@chromium.org
Components: Blink>DOM
Labels: M-61 Test-Predator-Correct-CLs
Owner: tkent@chromium.org
Status: Assigned (was: Untriaged)
Assigned to concern owner from Predator results --
The result is a list of CLs that change the crashed files. 

Author: Kent Tamura
Project: chromium
Changelist: https://chromium.googlesource.com/chromium/src/+/5f5c0dba3c72ae92899db2b355ca36c9da7b49fb
Time: Tue Jun 06 06:40:20 2017
File ContainerNode.cpp is changed in this cl (and is part of stack frame #1, "blink::ContainerNode::NotifyNodeInsertedInternal"; frame #2, "blink::ContainerNode::InsertNodeVector"; frame #3, "blink::ContainerNode::InsertBefore")
Minimum distance from crash line to modified line: 19. (file: ContainerNode.cpp, crashed on: 309, modified: 328).

@tkent -- Could you please look into the issue, and kindly re-assign it if it is not related to your changes.
Thank you.

Comment 2 by tkent@chromium.org, Jul 11 2017

I don't think I made this crash, but it seems I'm the best person to fix this.

Minimum repro:

<html>
<body>
<div>
<p id="tCF8">bar</p>
<span id="test-title">title</span>
</div>
</body><script>
function Z(i) { return document.getElementById(i) }
var tCF8 = Z("tCF8");
var test_title = Z("test-title");

function tCF_custom_1() {
  var doc = document.implementation.createDocument("http://www.w3.org/1999/xhtml", "html");
  doc.adoptNode(tCF8);
  tCF8.appendChild(test_title);
}

onload = function() {
  tCF8.addEventListener("DOMSubtreeModified", tCF_custom_1, false);
  tCF8.textContent = "foo";
};
</script>
</html>

Comment 3 by tkent@chromium.org, Jul 11 2017

Labels: -Type-Bug Type-Bug-Regression
Status: Started (was: Assigned)
I found this was a regression caused by my CL :(

Project Member

Comment 4 by bugdroid1@chromium.org, Jul 11 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/75667f001d7cca75d790bbb1b8b0c0132fe724e9

commit 75667f001d7cca75d790bbb1b8b0c0132fe724e9
Author: Kent Tamura <tkent@chromium.org>
Date: Tue Jul 11 08:08:26 2017

Fix a crash in ContainerNode::InsertNodeVector().

DOMTreeMutationDetector failed to detect an unexpected DOM tree mutation if the |parent|
node is adopted into another Document during a watched operation. This CL fixes it.

Bug: 740410
Change-Id: I7b4d2c4c525e10e0d6b19229c27b5d1ce077a271
Reviewed-on: https://chromium-review.googlesource.com/566267
Reviewed-by: Hayato Ito <hayato@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485551}
[add] https://crrev.com/75667f001d7cca75d790bbb1b8b0c0132fe724e9/third_party/WebKit/LayoutTests/dom/node/append_child_recurse_crash.html
[modify] https://crrev.com/75667f001d7cca75d790bbb1b8b0c0132fe724e9/third_party/WebKit/Source/core/dom/ContainerNode.cpp
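
The check the commit message describes, as an added toy model rather than Chromium's own code: a tiny in-memory DOM (the hypothetical Doc, Node, adoptNode and watchedInsert below are constructed for this example) runs a "watched" insertion with user script in the middle, exactly as the DOMSubtreeModified listener in the minimal repro does when it adopts the parent into another document. A detector that only re-checks node positions misses that case; the variant flagged `fixed` also compares the parent's ownerDocument before and after the script ran.

```javascript
class Doc { constructor(name) { this.name = name; } }
class Node {
  constructor(doc, name) {
    this.ownerDocument = doc; this.name = name;
    this.parentNode = null; this.childNodes = [];
  }
  appendChild(child) {
    if (child.parentNode) child.parentNode.removeChild(child);
    child.parentNode = this;
    this.childNodes.push(child);
  }
  removeChild(child) {
    this.childNodes = this.childNodes.filter(c => c !== child);
    child.parentNode = null;
  }
}
// Move a subtree into another document, like Document.adoptNode().
function adoptNode(doc, node) {
  if (node.parentNode) node.parentNode.removeChild(node);
  (function walk(n) { n.ownerDocument = doc; n.childNodes.forEach(walk); })(node);
}

// State an insertion relies on; `fixed` adds the parent-document check.
function snapshot(parent, child, fixed) {
  return { childParent: child.parentNode, siblings: parent.childNodes.slice(),
           parentDoc: fixed ? parent.ownerDocument : null };
}
function unchanged(a, b) {
  return a.childParent === b.childParent && a.parentDoc === b.parentDoc &&
    a.siblings.length === b.siblings.length && a.siblings.every((n, i) => n === b.siblings[i]);
}

// Insert `child` under `parent` while `listener` (user script) runs mid-operation.
// 'aborted' = detector caught a mutation; 'cross-document' = the toy's version of
// the broken state: a node appended under a parent whose document changed underneath.
function watchedInsert(parent, child, listener, fixed) {
  const before = snapshot(parent, child, fixed);
  listener();                                   // e.g. a DOMSubtreeModified handler
  if (!unchanged(before, snapshot(parent, child, fixed))) return 'aborted';
  parent.appendChild(child);
  return parent.ownerDocument === child.ownerDocument ? 'ok' : 'cross-document';
}

// Constructed scenario mirroring the repro: the listener adopts the parent elsewhere.
function scenario(fixed) {
  const docA = new Doc('A'), docB = new Doc('B');
  const body = new Node(docA, 'body'), p = new Node(docA, 'p');
  body.appendChild(p);
  return watchedInsert(p, new Node(docA, '#text'), () => adoptNode(docB, p), fixed);
}
```

`scenario(false)` returns 'cross-document' while `scenario(true)` returns 'aborted'; a listener that adds a sibling is caught by both variants because the sibling list changes.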

Project Member

Comment 5 by ClusterFuzz, Jul 11 2017

ClusterFuzz has detected this issue as fixed in range 485537:485567.

Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=485537:485567
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 6 by tkent@chromium.org, Jul 11 2017

Status: Fixed (was: Started)
