Bold command crashes with unusual HTML
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6668679180976128
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::HasEditableStyle
  blink::CompositeEditCommand::InsertNodeBefore
  blink::RemoveNodePreservingChildrenCommand::DoApply
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=375134:375143
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6668679180976128

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Aug 17 2017
Aug 21 2017
Lower to Pri-3 since real-world usage of the "bold" command with unusual HTML is low.
Oct 1 2017
Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.
Oct 4 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/chromium/src/+/50d430c5d7fc3761fc3c6bdef7f215511d8a3514 (Editing: EditingState should work in production.). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Oct 5 2017
Nov 7 2017
Nov 7 2017
Nov 13 2017
Jan 29 2018
Jan 30 2018
Simplified case:

<script>
  document.designMode = "on";

  // pagehide handler for the iframe: empties the <p>, so nodes the editing
  // command still holds a reference to become disconnected mid-command.
  function eventhandler1() {
    dv.innerText = "";
  }

  // Runs each time the iframe loads. Bolding the whole document re-parents the
  // iframe, which reloads it, so load (and, once registered, pagehide) fire
  // while the bold command is still running.
  function eventhandler() {
    document.designMode = "on";
    document.execCommand("selectAll");
    document.execCommand("bold");
    window[0].onpagehide = eventhandler1;
  }
</script>
<body>
  <p id="dv">
    <iframe onload="eventhandler()">
</body>
Jan 31 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/58787ec6ed01ef61856d181537d9a57a6fdaf64e

commit 58787ec6ed01ef61856d181537d9a57a6fdaf64e
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Wed Jan 31 07:30:06 2018

Crash in CompositeEditCommand::InsertNodeBefore

InsertNodeBefore crashes if the passed ref_child is disconnected.

Bug: 755808
Change-Id: I4c07836b6d0f055f2cdfd8f94c326fcaaf03d6ca
Reviewed-on: https://chromium-review.googlesource.com/893243
Reviewed-by: Yoshifumi Inoue <yosin@chromium.org>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Cr-Commit-Position: refs/heads/master@{#533222}

[modify] https://crrev.com/58787ec6ed01ef61856d181537d9a57a6fdaf64e/third_party/WebKit/Source/core/editing/commands/CompositeEditCommand.cpp
[modify] https://crrev.com/58787ec6ed01ef61856d181537d9a57a6fdaf64e/third_party/WebKit/Source/core/editing/commands/CompositeEditCommandTest.cpp
Feb 1 2018
ClusterFuzz has detected this issue as fixed in range 533215:533236.

Detailed report: https://clusterfuzz.com/testcase?key=6668679180976128
Fuzzer: ifratric-browserfuzzer-v3
Job Type: mac_asan_chrome
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000020
Crash State:
  blink::HasEditableStyle
  blink::CompositeEditCommand::InsertNodeBefore
  blink::RemoveNodePreservingChildrenCommand::DoApply
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=375134:375143
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=533215:533236
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6668679180976128

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Feb 1 2018
ClusterFuzz testcase 6668679180976128 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Aug 16 2017
Components: Blink>DOM
Labels: M-62 Test-Predator-Wrong
Owner: yosin@chromium.org
Status: Assigned (was: Untriaged)