
Issue 856735

Issue metadata

Status: Verified
Owner: ----
Closed: Jul 7
Cc:
Components:
EstimatedDays: ----
NextAction: 2018-07-09
OS: Linux
Pri: 2
Type: Bug




Placeholder inserted by BreakBlockquoteCommand interferes with ::before content

Reported by ClusterFuzz (Project Member), Jun 26 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5399463389298688

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IsHTMLBRElement(br). #text "\u00A0 \u00A0\u00A0 in replace_selection_command.cc
  blink::ReplaceSelectionCommand::DoApply
  blink::CompositeEditCommand::Apply
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5399463389298688

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org tanvir.r...@samsung.com
Components: Blink>Editing>Command
Labels: M-68 Test-Predator-Wrong
Owner: xiaoche...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "replace_selection_command.cc", suspecting the below CL might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/1a9a57460a35f8cc7d1897aea94ab7c290504554

Since the author is not a Chromium member, assigning it to the reviewer.

rjwright@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Thanks!
Summary: Placeholder inserted by BreakBlockquoteCommand interferes with ::before content (was: CHECK failure: IsHTMLBRElement(br). #text "\u00A0 \u00A0\u00A0 in replace_selection_command.cc)
Minimized repro:

<style>
div::before { content: 'foo' }
</style>
<div contenteditable id="test">
<blockquote type="cite">line 1</blockquote>
</div>
<script>
window.getSelection().collapse(document.getElementById('test').firstChild);
document.execCommand('InsertHTML');
</script>

Note: the linebreak between <div> and <blockquote> is necessary

Crash recap:

1. Since the selection is in a blockquote, ReplaceSelectionCommand runs BreakBlockquoteCommand, which adds a placeholder <br> before the blockquote. The DOM tree becomes

<div contenteditable id="test">
<br>
<blockquote type="cite">line 1</blockquote>
</div>

2. With div::before content, the linebreak text node after <div> is incorrectly turned into non-collapsed (i.e., rendered) whitespace, which is a long-standing bug in inline layout (crbug.com/40634).

3. Now that the ending selection is at BR@0, ReplaceSelectionCommand tries to find the inserted placeholder as EndingVisibleSelection().Start().AnchorNode(), which is however at the text node before <br> -- DCHECK hit.
Cc: xiaoche...@chromium.org
NextAction: 2018-07-09
Owner: ----
Status: Available (was: Assigned)
Quick fix: abort ReplaceSelectionCommand when it fails to find the placeholder BR.

Sane fix: allow BreakBlockquoteCommand to pass the inserted placeholder to its caller.

Changed to P2/Available since this seems to be a very rare case. Will revisit later.
Labels: -Pri-1 Pri-2
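Added illustration, not part of the original thread and not Blink code: a small model of the DOM positions from the crash recap above, showing why the anchor-node assumption in step 3 breaks once the leading linebreak is rendered, and what the "quick fix" lookup (abort instead of crashing when the placeholder is not where it is expected) looks like. The node shapes, function names and the rendered/collapsed flag are assumptions of this sketch.

```javascript
// Constructed model (assumption): plain objects stand in for DOM nodes.
const text = (data) => ({ type: 'text', data });
const br = () => ({ type: 'br' });
const blockquote = (...kids) => ({ type: 'blockquote', kids });

// Children of the editable <div> after BreakBlockquoteCommand inserted the
// placeholder (step 1): "\n", <br>, "\n", <blockquote>line 1</blockquote>.
const children = [text('\n'), br(), text('\n'), blockquote(text('line 1'))];

// Step 2 as a flag: normally the leading "\n" collapses and is not rendered;
// with div::before content the layout bug renders it as whitespace.
// The visible selection start canonicalizes to the first rendered position,
// so it lands on that text node instead of the <br> when it is rendered.
function endingSelectionAnchor(nodes, leadingWhitespaceRendered) {
  for (const node of nodes) {
    const collapsedText = node.type === 'text' && node.data.trim() === '';
    if (collapsedText && !leadingWhitespaceRendered) continue;
    return node;
  }
  return null;
}

// Step 3 as the report describes it: the code assumed the anchor IS the
// placeholder. Returns false in exactly the situation where the DCHECK fired.
function placeholderIsAnchor(anchor) {
  return anchor !== null && anchor.type === 'br';
}

// Shape of the proposed quick fix: accept the <br> at the anchor or right
// after whitespace-only text nodes; a null result tells the caller to abort
// the command rather than continue on a wrong node.
function findPlaceholderBr(nodes, anchor) {
  let i = nodes.indexOf(anchor);
  while (i >= 0 && i < nodes.length) {
    const node = nodes[i];
    if (node.type === 'br') return node;
    if (node.type === 'text' && node.data.trim() === '') { i++; continue; }
    return null; // something other than collapsible whitespace: give up
  }
  return null;
}
```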
Comment 5 by ClusterFuzz (Project Member), Jul 7

ClusterFuzz has detected this issue as fixed in range 572991:572992.

Detailed report: https://clusterfuzz.com/testcase?key=5399463389298688

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IsHTMLBRElement(br). #text "\u00A0 \u00A0\u00A0 in replace_selection_command.cc
  blink::ReplaceSelectionCommand::DoApply
  blink::CompositeEditCommand::Apply
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=572991:572992

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5399463389298688

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 6 by ClusterFuzz (Project Member), Jul 7

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase 5399463389298688 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
The NextAction date has arrived: 2018-07-09
