Heap-use-after-free in blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5131477676457984

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x611000054ba0
Crash State:
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo
  blink::LayoutRubyBase::moveChildren
  blink::LayoutRubyRun::removeChild

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424757:424939

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96pa9u23htgHhfiYJHKSbaGfYwWrsQ439T4a1TNXDjz5t4pbJQHxjzCLUdyJ-d9UbrUSz72j619n-60taTVaHmsP3qJoZU-XwgjH90CmBwYwVN1Fob2f-dZuvI6Ww91SlZYzsDZur9rRl87Xn7PEqwPte47ewznqdAWMzM77rbXuQD2dZI?testcase_id=5131477676457984

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by sheriffbot@chromium.org, Oct 23 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 23 2016

Oct 23 2016
Looks like regression from https://chromium.googlesource.com/chromium/src/+/3453e2368a018544e7143e60afbc7a1454e848ed
Oct 24 2016
Can anyone else reproduce this? Unable to do so here on an asan build.
Oct 26 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2578cf94297437a2e23b9a15cf5ba8c1f0b4becb

commit 2578cf94297437a2e23b9a15cf5ba8c1f0b4becb
Author: robhogan <robhogan@gmail.com>
Date: Wed Oct 26 21:28:16 2016

Clear floats when we make a ruby base's children inline

BUG=658584

Review-Url: https://codereview.chromium.org/2452993002
Cr-Commit-Position: refs/heads/master@{#427807}

[add] https://crrev.com/2578cf94297437a2e23b9a15cf5ba8c1f0b4becb/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-made-inline-crash-expected.txt
[add] https://crrev.com/2578cf94297437a2e23b9a15cf5ba8c1f0b4becb/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-made-inline-crash.html
[modify] https://crrev.com/2578cf94297437a2e23b9a15cf5ba8c1f0b4becb/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
Oct 26 2016

Oct 27 2016

Oct 28 2016
ClusterFuzz has detected this issue as fixed in range 427578:427987.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5131477676457984

Fuzzer: bj_broddelwerk
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x611000054ba0
Crash State:
  blink::LayoutBlockFlow::moveAllChildrenIncludingFloatsTo
  blink::LayoutRubyBase::moveChildren
  blink::LayoutRubyRun::removeChild

Recommended Security Severity: High

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=424757:424939
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=427578:427987

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96pa9u23htgHhfiYJHKSbaGfYwWrsQ439T4a1TNXDjz5t4pbJQHxjzCLUdyJ-d9UbrUSz72j619n-60taTVaHmsP3qJoZU-XwgjH90CmBwYwVN1Fob2f-dZuvI6Ww91SlZYzsDZur9rRl87Xn7PEqwPte47ewznqdAWMzM77rbXuQD2dZI?testcase_id=5131477676457984

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 28 2016

Oct 28 2016
Your change meets the bar and is auto-approved for M55 (branch: 2883)
Oct 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/8f9c2d54a055b4f126dffdbc4f2cc063efdb10a3

commit 8f9c2d54a055b4f126dffdbc4f2cc063efdb10a3
Author: Robert Hogan <robhogan@gmail.com>
Date: Fri Oct 28 18:36:01 2016

Clear floats when we make a ruby base's children inline

BUG=658584

Review-Url: https://codereview.chromium.org/2452993002
Cr-Commit-Position: refs/heads/master@{#427807}
(cherry picked from commit 2578cf94297437a2e23b9a15cf5ba8c1f0b4becb)

Review URL: https://codereview.chromium.org/2458143002 .

Cr-Commit-Position: refs/branch-heads/2883@{#359}
Cr-Branched-From: 614d31daee2f61b0180df403a8ad43f20b9f6dd7-refs/heads/master@{#423768}

[add] https://crrev.com/8f9c2d54a055b4f126dffdbc4f2cc063efdb10a3/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-made-inline-crash-expected.txt
[add] https://crrev.com/8f9c2d54a055b4f126dffdbc4f2cc063efdb10a3/third_party/WebKit/LayoutTests/fast/block/float/rubybase-children-made-inline-crash.html
[modify] https://crrev.com/8f9c2d54a055b4f126dffdbc4f2cc063efdb10a3/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
Nov 11 2016

Nov 14 2016

Feb 2 2017
Feb 2 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot