!m_columnSetsInvalidated in LayoutMultiColumnFlowThread.cpp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4548729576357888

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !m_columnSetsInvalidated in LayoutMultiColumnFlowThread.cpp
  blink::LayoutMultiColumnFlowThread::columnSetAtBlockOffset
  blink::LayoutMultiColumnFlowThread::appendNewFragmentainerGroupIfNeeded

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=431842:431847

Minimized Testcase (0.16 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96XujQhyf_xmmDMldCQfZOe20IJSXbm7WmpTDtLVGoT5p-PUsQvRASVC7LioycTeOK5yzJC-tgJ8znpsP8XChYdOrNmYfBMv7oacZPMg4n3yEe1UV4Z-sQVdcTDyk1wXR2WBwcggaQrOETC0HtKFSRmPJqRKg?testcase_id=4548729576357888

<h4 style="flex-flow: row-reverse nowrap; writing-mode: tb; ">
animation-timing-function: step-start;<style>
* {
animation-name: cfpulse74;
column-width: 32552px;

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 22 2016
Assigning to the concern owner from CL -- https://chromium.googlesource.com/chromium/src/+log/389a8b2996d01fa8ee4059cb5614434029af9380..aae520affa1d2c4397bf4d4758a9ff48d5a0cc88?pretty=fuller

Suspecting Commit# https://chromium.googlesource.com/chromium/src/+/d19d51259c048132deb253a9d7441b40eceb55e9

@mstensho -- Could you please look into the issue, kindly re-assign if this is not related to your changes. Thank You.
Jan 16 2017
This happens because we try to lay out an inner multicol without starting layout of the outer multicol container first. This is driven by FrameView::layoutOrthogonalWritingModeRoots(), which jumps directly to any object in the tree that establishes an orthogonal writing mode and lays it out right away. LayoutMultiColumnFlowThread::layoutColumns() has some code to prepare its enclosing multicol container (if any) for layout, and this is obviously problematic if we haven't even entered the enclosing multicol container yet. The assertion failure is easy enough to hack around on the multicol side, but I'd better give it some extra thought. There could be other problems related to laying out an inner multicol without entering its enclosing multicol container(s) first.
Mar 3 2017
Objects that establish writing mode roots are considered strictly unbreakable (for enclosing fragmentation contexts), which means that if they are set on an inner fragmentation context, that should isolate them completely from enclosing fragmentation, apart from taking up space.
Mar 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/52c98e8a1b2a5100406e2bdd5d4dc2f444e061c5

commit 52c98e8a1b2a5100406e2bdd5d4dc2f444e061c5
Author: mstensho <mstensho@opera.com>
Date: Sat Mar 04 06:10:40 2017

Isolate strictly unbreakable multicol containers that are nested.

A strictly unbreakable object (i.e. when getPaginationBreakability() == ForbidBreaks) has no valid break points inside. This is the case for e.g. images, writing mode roots and scrollable objects. If such an object is an inner multicol container, column content inside shouldn't interact with enclosing columns.

BUG=696726,695535, 675070

Review-Url: https://codereview.chromium.org/2729903003
Cr-Commit-Position: refs/heads/master@{#454765}

[add] https://crrev.com/52c98e8a1b2a5100406e2bdd5d4dc2f444e061c5/third_party/WebKit/LayoutTests/fast/multicol/nested-and-unbreakable-crash.html
[add] https://crrev.com/52c98e8a1b2a5100406e2bdd5d4dc2f444e061c5/third_party/WebKit/LayoutTests/fast/multicol/nested-writing-mode-root-crash.html
[modify] https://crrev.com/52c98e8a1b2a5100406e2bdd5d4dc2f444e061c5/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.cpp
[modify] https://crrev.com/52c98e8a1b2a5100406e2bdd5d4dc2f444e061c5/third_party/WebKit/Source/core/layout/LayoutMultiColumnFlowThread.h
Mar 4 2017
Mar 5 2017
ClusterFuzz has detected this issue as fixed in range 454754:454766.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4548729576357888

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  !m_columnSetsInvalidated in LayoutMultiColumnFlowThread.cpp
  blink::LayoutMultiColumnFlowThread::columnSetAtBlockOffset
  blink::LayoutMultiColumnFlowThread::appendNewFragmentainerGroupIfNeeded

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=431842:431847
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=454754:454766

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96XujQhyf_xmmDMldCQfZOe20IJSXbm7WmpTDtLVGoT5p-PUsQvRASVC7LioycTeOK5yzJC-tgJ8znpsP8XChYdOrNmYfBMv7oacZPMg4n3yEe1UV4Z-sQVdcTDyk1wXR2WBwcggaQrOETC0HtKFSRmPJqRKg?testcase_id=4548729576357888

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by dtapu...@chromium.org, Dec 19 2016