This bug has been found by ClusterFuzz by several times.

Opening a dedicated bug here, since CF auto-closes old bugs.

See the bugs blocked by this one for detailed repros.

Also copying comments from  issue 772718 :

Copying comments from there:

"...we ended up with an invalid FrameSelection. It crashes when IdleSpellCheckCallback::HotModeInvocation() is called on that invalid FrameSelection."

"IdleSpellCheckCallback can't be called on detached frame, since it's already a DocumentShutdownObserver.

I suspect that SelectionEditor failed to relocate SelectionInDOMTree, as when spellchecker was checking GetFrame().Selection().GetSelectionInDOMTree().Extent(), it got a text-anchored position with an out-of-bound offset, and hence, hitting a DCHECK"