FormatBlock command crashes when comparing positions
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=4836945443422208
Fuzzer: miaubiz_css_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::Node::IsDescendantOf
  blink::CompositeEditCommand::CloneParagraphUnderNewElement
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=523197:523221
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4836945443422208
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Dec 18 2017
Lowering to P3 due to low usage of FormatBlock command
A DCHECK is hit before running into the null deref:
[1:1:1218/141627.839173:FATAL:EditingUtilities.cpp(291)] Check failed: a.IsNotNull().
#0 0x7ff9f619b7bd base::debug::StackTrace::StackTrace()
#1 0x7ff9f6199bfc base::debug::StackTrace::StackTrace()
#2 0x7ff9f6220b9a logging::LogMessage::~LogMessage()
#3 0x7ff9ed76c1c7 blink::ComparePositions()
#4 0x7ff9ed80f347 blink::CompositeEditCommand::MoveParagraphWithClones()
#5 0x7ff9ed829d35 blink::FormatBlockCommand::FormatRange()
#6 0x7ff9ed7f3d3a blink::ApplyBlockElementCommand::FormatSelection()
#7 0x7ff9ed829628 blink::FormatBlockCommand::FormatSelection()
#8 0x7ff9ed7f3481 blink::ApplyBlockElementCommand::DoApply()
#9 0x7ff9ed807be9 blink::CompositeEditCommand::Apply()
#10 0x7ff9ed821ff7 blink::ExecuteFormatBlock()
Minimum repro:
<style>
  .c8 {
    display: inline-block;
  }
  .c8:nth-child(2) {
    display: table-column-group;
  }
</style>
<li class=c8><input style='display: inline-block'><q></q></li>
<canvas style="width: 483px; height: 681px"></canvas>
<script>
  document.designMode = 'on';
  document.execCommand('selectall');
  document.execCommand('FormatBlock', false, '<pre>');
</script>
Dec 22 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/6483075f1938db1d02f4bb4ac09c7006442801ce

commit 6483075f1938db1d02f4bb4ac09c7006442801ce
Author: tanvir.rizvi <tanvir.rizvi@samsung.com>
Date: Fri Dec 22 05:12:51 2017

Fix a crash in FormatBlock with Nth child style.

FormatBlock execution crashes if the command is applied with unusual HTML content, like applying style on the nth-child(even) with a canvas element embedded. The crash happens when FormatBlock tries to MoveParagraphWithClones, but the calculated VisiblePosition comes as null. A prevention mechanism is added to avoid this crash.

Bug: 795280
Change-Id: I8b55568799d9cb426326ef3f681827b0987373c8
Reviewed-on: https://chromium-review.googlesource.com/833818
Reviewed-by: Xiaocheng Hu <xiaochengh@chromium.org>
Commit-Queue: Tanvir Rizvi <tanvir.rizvi@samsung.com>
Cr-Commit-Position: refs/heads/master@{#525937}

[add] https://crrev.com/6483075f1938db1d02f4bb4ac09c7006442801ce/third_party/WebKit/LayoutTests/editing/execCommand/format_block/format_block_with_nth_child_crash.html
[modify] https://crrev.com/6483075f1938db1d02f4bb4ac09c7006442801ce/third_party/WebKit/Source/core/editing/commands/FormatBlockCommand.cpp
Dec 22 2017
ClusterFuzz has detected this issue as fixed in range 525923:525937.
Detailed report: https://clusterfuzz.com/testcase?key=4836945443422208
Fuzzer: miaubiz_css_fuzzer
Job Type: linux_cfi_chrome
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000010
Crash State:
  chrome
  blink::Node::IsDescendantOf
  blink::CompositeEditCommand::CloneParagraphUnderNewElement
Sanitizer: cfi (CFI)
Regressed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=523197:523221
Fixed: https://clusterfuzz.com/revisions?job=linux_cfi_chrome&range=525923:525937
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4836945443422208
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 22 2017
ClusterFuzz testcase 4836945443422208 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by kkaluri@chromium.org, Dec 18 2017
Components: Blink>Editing>Command
Labels: M-65 Test-Predator-Wrong CF-NeedsTriage