Issue 859285 link

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jul 30
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug




Null-dereference READ in blink::FirstLetterPseudoElement::AttachFirstLetterTextLayoutObjects

Project Member Reported by ClusterFuzz, Jun 30 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6118136915689472

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::FirstLetterPseudoElement::AttachFirstLetterTextLayoutObjects
  blink::Element::AttachLayoutTree
  blink::HTMLFormControlElement::AttachLayoutTree
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6118136915689472

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: chrishtr@chromium.org kkaluri@chromium.org
Components: Blink>DOM
Labels: M-68 Test-Predator-Wrong
Owner: futhark@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "core/dom/element.cc", I suspect the below CL might have caused this issue:

Suspect CL: https://chromium.googlesource.com/chromium/src/+/90351b8f23ad3c9195d54e741747a85d95755987

futhark@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Thanks!
No, this issue is older than that change.

Status: Started (was: Assigned)

Comment 5 by bugdroid1@chromium.org (Project Member), Jul 30

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/62649b86ee5c9165c05e06f121b61eee33c45e16

commit 62649b86ee5c9165c05e06f121b61eee33c45e16
Author: Rune Lillesveen <futhark@chromium.org>
Date: Mon Jul 30 07:54:45 2018

Find LayoutText containing the first letter before attaching pseudo.

We assert that we find the same text node before creating the element as
we find when attaching the first letter LayoutText. We used to attach
the ::first-letter pseudo element before finding the LayoutText from
which we get the first letter text.

We did crash in a clusterfuzz test because FirstLetterTextLayoutObject()
was confused by a combination of a grid, button, anonymous
wrappers and continuations. Instead of trying to fix all bugs in
FirstLetterTextLayoutObject(), find the LayoutText before attaching the
::first-letter to make sure we are consistent instead of chasing
clusterfuzz issues.

Reported the incorrectness for button, grid, and ::first-letter in
868380.

Bug: 859285, 868380
Change-Id: I335a32b466ab31858fb05ea5f650cf12ab674040
Reviewed-on: https://chromium-review.googlesource.com/1152982
Reviewed-by: Koji Ishii <kojii@chromium.org>
Commit-Queue: Rune Lillesveen <futhark@chromium.org>
Cr-Commit-Position: refs/heads/master@{#578993}
[modify] https://crrev.com/62649b86ee5c9165c05e06f121b61eee33c45e16/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/62649b86ee5c9165c05e06f121b61eee33c45e16/third_party/WebKit/LayoutTests/external/wpt/css/css-grid/grid-model/grid-container-ignores-first-letter-002-ref.html
[add] https://crrev.com/62649b86ee5c9165c05e06f121b61eee33c45e16/third_party/WebKit/LayoutTests/external/wpt/css/css-grid/grid-model/grid-container-ignores-first-letter-002.html
[modify] https://crrev.com/62649b86ee5c9165c05e06f121b61eee33c45e16/third_party/blink/renderer/core/dom/first_letter_pseudo_element.cc
[modify] https://crrev.com/62649b86ee5c9165c05e06f121b61eee33c45e16/third_party/blink/renderer/core/dom/first_letter_pseudo_element.h

Status: Fixed (was: Started)
Comment 7 by ClusterFuzz (Project Member), Jul 31

ClusterFuzz has detected this issue as fixed in range 578992:578993.

Detailed report: https://clusterfuzz.com/testcase?key=6118136915689472

Fuzzer: ifratric-browserfuzzer-v3
Job Type: windows_asan_chrome_no_sandbox
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::FirstLetterPseudoElement::AttachFirstLetterTextLayoutObjects
  blink::Element::AttachLayoutTree
  blink::HTMLFormControlElement::AttachLayoutTree
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome_no_sandbox&range=578992:578993

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6118136915689472

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Jul 31

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6118136915689472 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
