isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalT
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4648600882905088

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalT
  blink::InitialColumnHeightFinder::examineLine
  blink::ColumnBalancer::traverseLines

Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=361738:361835

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96HBu_XfTco2AywshsaCZx9Oj_CKBlXnFUPLtlQY7xs0gXwT308t3uZXaFPlhfL9BHu39XtJpgNlFBonoOShphhFJ1UxzZJihE7dLmEykaLX14FgYFbvdcYBMz0iKqvz_8o-_LZ1rfrMM-fdO6RqLXIatRMrhLX1eKfT7VM32AHnLgtP6XK9gMhx3ZHbi2vPFazJmkPkryjfxkQPU6VvzmPvMCviJMwfwWxNBm_YAlYJOgm2o6vJS_XZ7CoO8R2l9yo8EZTC41_ocuakDhT-jwBLqEzdEb7CWLUnSMfBsGO6LVQShXA3iRY4nNQMPYbyeglS04zHF0mI6BKtRNKolKAlrgDWhlRyw8NKmOIqfUMSSWKsy8?testcase_id=4648600882905088

<style> div div { display: flex; flex-wrap: wrap; width: 200px; </style> <div> <div> damer </p> <style> html, body { -webkit-column-count: 2000000000;</style> This test should not crash.

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 6 2017
This is caused by bug 606350. Flex items are moved in the block direction after having been paginated. Looks like all we can do for now is remove the assertion. Attaching a test that both asserts (if assertions are enabled in your build) and also fails visually.
Apr 6 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/0ab573d311cd7a4a72b86ee8d47a7b70b358432b

commit 0ab573d311cd7a4a72b86ee8d47a7b70b358432b
Author: mstensho <mstensho@opera.com>
Date: Thu Apr 06 13:17:20 2017

Remove DCHECK in column balancer that failed because of flexbox bugs.

This DCHECK was useful (detects broken layout, but nothing more dangerous than that). However, as long as we don't paginate flex items at their final block position (see bug 606350), we cannot assert like this, because it's going to fail under certain circumstances.

BUG= 685047

Review-Url: https://codereview.chromium.org/2797313003
Cr-Commit-Position: refs/heads/master@{#462447}

[add] https://crrev.com/0ab573d311cd7a4a72b86ee8d47a7b70b358432b/third_party/WebKit/LayoutTests/fast/multicol/nested-with-wrapped-flexbox-crash.html
[modify] https://crrev.com/0ab573d311cd7a4a72b86ee8d47a7b70b358432b/third_party/WebKit/Source/core/layout/ColumnBalancer.cpp
Apr 6 2017
The test attached previously still doesn't pass visually, of course (but the assertion failure is gone). In order to make it render correctly, we need to fix bug 606350.
Apr 7 2017
ClusterFuzz has detected this issue as fixed in range 462366:462558.

Detailed report: https://clusterfuzz.com/testcase?key=4648600882905088

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalT
  blink::InitialColumnHeightFinder::examineLine
  blink::ColumnBalancer::traverseLines

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=361738:361835
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=462366:462558

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96j4F627Ld0oap2V6EUrGHO6IO0wgR8fwIHQIbjvqiEadqryEaxNMrRnMoLxnS3w72CJLIQOW3z-zEb9cAaSf8kjHMUjX79Y0B2SDGTo4el5PJA-Rmh0EoIRyqmbec9sKI4gKuplPevpZhYLUXHJOhYe1i_CKYuvJm_HbTIxDSqhI7zZXVohJTRasiYvEcR864an8GTOH9ZhmAMUkwKNhe9vdLWy6sBWEnfMnwlYU7qpGMi0_kHFghGbfyCbxwgO5uA04_BHfH1JyYE2Lx3yPzxXs1cPWkX4DNkFIDPNpYAQzKcu4RviVoIjM7-gAAnojXSNotlP_O0UWRidBynYmDMO7409ReBCIIftfiRfWZH_f5U9xNo0eYm-tF40xUzrPhMhUKtSIlXNadPOaOmu5yjubmLuA?testcase_id=4648600882905088

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Jan 25 2017
Labels: Test-Predator-Wrong M-57
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)