ASSERTION FAILED: !m_isSelfCollapsing == !checkIfIsSelfCollapsingBlock()
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5140197615861760

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: !m_isSelfCollapsing == !checkIfIsSelfCollapsingBlock()
  blink::LayoutBlockFlow::isSelfCollapsingBlock
  blink::LayoutBlockFlow::checkIfIsSelfCollapsingBlock

Minimized Testcase (0.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VQG_hIlSW19_qOGUhCKqz_uSsJAFcxreka3Mvix1NBcK_6YHe9uh7cSmk0KRbkppJXvfB0_hFnWrNOTRzIEPZWw5pBuSKEQI8jSQsE7r6rqETNHbeu3jHH6RDW6_cq6fQCmUk4fesCm7FEdNB1d-ZloCKQQ

Filer: mummareddy

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 9 2016
Can only reproduce with the unminimized test here.
May 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d7955c040f7907aceb6584a25215570614a8fe83

commit d7955c040f7907aceb6584a25215570614a8fe83
Author: mstensho <mstensho@opera.com>
Date: Mon May 09 22:08:46 2016

Relayout an object that becomes a spanner.

It may be possible to collapse margins through a zero-height regular block, but if it is turned into a spanner, this is no longer possible, because it then becomes a BFC root. An object that becomes a spanner also gets a new containing block, which may affect its size. In other words, there are good reasons to make sure that objects that become spanners get relaid out. Note that we already had code in place (in willBeRemovedFromTree()) that scheduled for relayout in the opposite case, i.e. when an object ceased to be a spanner.

BUG= 610033
Review-Url: https://codereview.chromium.org/1962623002
Cr-Commit-Position: refs/heads/master@{#392438}

[add] https://crrev.com/d7955c040f7907aceb6584a25215570614a8fe83/third_party/WebKit/LayoutTests/fast/multicol/span/becomes-empty-spanner-crash-expected.txt
[add] https://crrev.com/d7955c040f7907aceb6584a25215570614a8fe83/third_party/WebKit/LayoutTests/fast/multicol/span/becomes-empty-spanner-crash.html
[add] https://crrev.com/d7955c040f7907aceb6584a25215570614a8fe83/third_party/WebKit/LayoutTests/fast/multicol/span/becomes-spanner-with-new-width-expected.txt
[add] https://crrev.com/d7955c040f7907aceb6584a25215570614a8fe83/third_party/WebKit/LayoutTests/fast/multicol/span/becomes-spanner-with-new-width.html
[modify] https://crrev.com/d7955c040f7907aceb6584a25215570614a8fe83/third_party/WebKit/Source/core/layout/LayoutMultiColumnSpannerPlaceholder.cpp
[modify] https://crrev.com/d7955c040f7907aceb6584a25215570614a8fe83/third_party/WebKit/Source/core/layout/LayoutMultiColumnSpannerPlaceholder.h
May 10 2016
May 10 2016
ClusterFuzz has detected this issue as fixed in range 392426:392516.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5140197615861760

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  ASSERTION FAILED: !m_isSelfCollapsing == !checkIfIsSelfCollapsingBlock()
  blink::LayoutBlockFlow::isSelfCollapsingBlock
  blink::LayoutBlockFlow::checkIfIsSelfCollapsingBlock

Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=392426:392516

Minimized Testcase (0.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95VQG_hIlSW19_qOGUhCKqz_uSsJAFcxreka3Mvix1NBcK_6YHe9uh7cSmk0KRbkppJXvfB0_hFnWrNOTRzIEPZWw5pBuSKEQI8jSQsE7r6rqETNHbeu3jHH6RDW6_cq6fQCmUk4fesCm7FEdNB1d-ZloCKQQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 14 2016
ClusterFuzz has detected the issue again, hence re-opening the same and will do a Redo-Fix if it's flaky.
Jun 14 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5268502407806976

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  !m_isSelfCollapsing == !checkIfIsSelfCollapsingBlock()
  blink::LayoutBlockFlow::isSelfCollapsingBlock
  blink::LayoutBlockFlow::checkIfIsSelfCollapsingBlock

Minimized Testcase (3.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97NQNRDcK9TYZ0quEK_HcYPfs-_fPACjPZz2PSWXX1aZspjzOcmhUirNqNa81GG3qT9OmSeWjlli7bAMtV7T9y0Z014U22-zqzASnKMmLEHU-5D35Q9jKtmpvOIld8Sm_Ke1gRmfzQLDpYht76y46aT6gallg

Filer: durga.behera

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 3 2016
ClusterFuzz has detected this issue as fixed in range 409223:409418.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5268502407806976

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: ASSERT
Crash Address:
Crash State:
  !m_isSelfCollapsing == !checkIfIsSelfCollapsingBlock()
  blink::LayoutBlockFlow::isSelfCollapsingBlock
  blink::LayoutBlockFlow::checkIfIsSelfCollapsingBlock

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=398822:398852
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=409223:409418

Minimized Testcase (3.29 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97NQNRDcK9TYZ0quEK_HcYPfs-_fPACjPZz2PSWXX1aZspjzOcmhUirNqNa81GG3qT9OmSeWjlli7bAMtV7T9y0Z014U22-zqzASnKMmLEHU-5D35Q9jKtmpvOIld8Sm_Ke1gRmfzQLDpYht76y46aT6gallg?testcase_id=5268502407806976

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 3 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mummare...@chromium.org, May 7 2016
Owner: msten...@opera.com
Status: Assigned (was: Available)