Predator and CL could not provide any possible suspects.
Using Code Search for the file, "InsertParagraphSeparatorCommand.cpp" assigning to the concern review owner.

Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/b16aed1566bfb2f42cad30f3d58c8c300bbd6ac5

@xiaocheng -- Could you please look into the issue, kindly re-assign if this has nothing to do with your changes.
Thank You.

Automatically applying components based on information from OWNERS files. If this seems incorrect, please apply the Test-Predator-Wrong-Components label.

The NextAction date has arrived: 2017-10-02

Minimized repro:

<html style="user-select:none">
<table contenteditable></table>
<script>
  document.querySelector('table').innerHTML = '<h1>foo</h1><img>bar';
  let bar = document.querySelector('img').nextSibling;
  getSelection().collapse(bar, 3);
  document.execCommand('insertParagraph');
</script>

Crashes when 'insertParagraph' with ill-formed DOM:

BODY
	TABLE (editable) (focused)
		H1 (editable)
			#text "foo"
		IMG (editable)
BE		#text "bar"
base: offsetInAnchor[3]
extent: offsetInAnchor[3]

Lowering to Pri-3 since the bug repros only with ill-formed DOM tree, in which case a null-deref isn't very harmful.

The crash reason is that, at L469 of InsertParagraphSeparatorCommand.cpp, |insert_position| is unexpectedly null. The edit command should abort here before calling EditingIgnoresContent(*insertion_position.AnchorNode()).

Routing back to editing team to create the patch as I'm working on something else...

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/886107a6b1911f6df1054f1041207a5a6368b018

commit 886107a6b1911f6df1054f1041207a5a6368b018
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Mon Oct 09 15:32:46 2017

InsertParagraph command crashes with illformed tree

On a user-select:none container, InsertParagraph on
a non selectable element like <img> boundary causes
crash as canonicalized position for this comes as null.
This CL does a safety check for the visible position
to avoid the crash.

Bug:  765718 
Change-Id: Ifb9575396e91d46fdf9841a9568df4462e914f2c
Reviewed-on: https://chromium-review.googlesource.com/704496
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#507380}
[add] https://crrev.com/886107a6b1911f6df1054f1041207a5a6368b018/third_party/WebKit/LayoutTests/editing/inserting/insertparagraph-seperator-on-non-selectable-node.html
[modify] https://crrev.com/886107a6b1911f6df1054f1041207a5a6368b018/third_party/WebKit/Source/core/editing/commands/InsertParagraphSeparatorCommand.cpp

ClusterFuzz has detected this issue as fixed in range 507375:507388.

Detailed report: https://clusterfuzz.com/testcase?key=6112190984880128

Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::EditingIgnoresContent
  blink::InsertParagraphSeparatorCommand::DoApply
  blink::CompositeEditCommand::ApplyCommandToComposite
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=456190:456233
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=507375:507388

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6112190984880128

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6112190984880128 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.