Heap-use-after-free in blink::LayoutObject::isAnonymousBlock
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227374596685824
Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x15f7be0f
Crash State:
  blink::LayoutObject::isAnonymousBlock
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381899:383055
Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95VBQEzSJrfUUS11wOuvMCY1pJqsnYIEIHT-dV2g8-UH4SU-Mj0D0bWeyvRgq0wp431l9LcX3U5iAxrGbIYqESQmJBpTYTZ4MGwXi56ozIbfSOO7O1j3Zqw5Iw-n9DB2RTiqj0nMvlWG6n7UlLb4hJLkq4pjg
<style>
*{display:list-item;}
.CLASS9{vertical-align:text-bottom;-webkit-appearance:listbox;</style>
<ruby class="CLASS9">
<object>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Filer: inferno
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 1 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6227374596685824
Fuzzer: bj_broddelwerk
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Heap-use-after-free READ 4
Crash Address: 0x15f7be0f
Crash State:
  blink::LayoutObject::isAnonymousBlock
  blink::LayoutListItem::updateMarkerLocation
  blink::LayoutListItem::subtreeDidChange
Recommended Security Severity: High
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_syzyasan_chrome&range=381899:383055
Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95VBQEzSJrfUUS11wOuvMCY1pJqsnYIEIHT-dV2g8-UH4SU-Mj0D0bWeyvRgq0wp431l9LcX3U5iAxrGbIYqESQmJBpTYTZ4MGwXi56ozIbfSOO7O1j3Zqw5Iw-n9DB2RTiqj0nMvlWG6n7UlLb4hJLkq4pjg
<style>
*{display:list-item;}
.CLASS9{vertical-align:text-bottom;-webkit-appearance:listbox;</style>
<ruby class="CLASS9">
<object>
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 16 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Mar 31 2016
Owner: robhogan@chromium.org
Status: Assigned (was: Available)