looks like regression from paint containment patch - https://chromium.googlesource.com/chromium/src/+/472398196d9109be16d13f3af4e8c423ce45d2e3

Damn LayoutTableRow->LayoutBox hierarchy.

It's an easy fix.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2372314a1313820af17c53f2f5b32bfba65362bc

commit 2372314a1313820af17c53f2f5b32bfba65362bc
Author: leviw <leviw@chromium.org>
Date: Tue Apr 05 01:53:25 2016

Ignore paint containment when considering fixed-position table-row containers

Use the same logic as we use for transform-related properties, namely: don't consider
things that aren't LayoutBlocks.

TEST=fast/css/containment/paint-contained-tablerow-with-fixed-children.html
BUG= 599627 
R=eae@chromium.org

Review URL: https://codereview.chromium.org/1858953002

Cr-Commit-Position: refs/heads/master@{#385082}

[add] https://crrev.com/2372314a1313820af17c53f2f5b32bfba65362bc/third_party/WebKit/LayoutTests/fast/css/containment/paint-contained-tablerow-with-fixed-children-expected.txt
[add] https://crrev.com/2372314a1313820af17c53f2f5b32bfba65362bc/third_party/WebKit/LayoutTests/fast/css/containment/paint-contained-tablerow-with-fixed-children.html
[modify] https://crrev.com/2372314a1313820af17c53f2f5b32bfba65362bc/third_party/WebKit/Source/core/layout/LayoutObject.h

This shouldn't need a merge, as containment is currently behind a flag.

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Requested label.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

ClusterFuzz has detected this issue as fixed in range 385072:385104.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5551561962422272

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_ubsan_vptr_content_shell_drt
Platform Id: linux

Crash Type: Bad-cast
Crash Address: 0x2e8d2040c180
Crash State:
  Bad-cast to blink::LayoutBlock from blink::LayoutTableRow
  LayoutBlock.h:515:1
  
Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=365132:365219
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_ubsan_vptr_content_shell_drt&range=385072:385104

Minimized Testcase (0.24 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96AlTfNgHvCLETSpvpj7r2fGBDl8dA-0ck8Bz57_c29SNQPF8k-iIyn0xidj1dJ77sWWqo0VTy3_xurVd0wM3y650vZPY_3NrqpP9o1ktWkxpEaOXMOW_rwJNA8zH6h7s3c6Fpfcl31Cfw1R-rUP3L5jq86EQ
<style>
   .container {
    contain: paint;
}
.fixed {
    position: fixed;
  </style>
 <body onload="__f_1();" class="container">
   <div class="fixed"</script>
<script>
 document.styleSheets[0].cssRules[0].style.display = 'table-row'; 
</script>


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Already in M51 - no merge required.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot