
Issue 686469

Starred by 3 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




!isDirty() in RootInlineBox.h

Reported by ClusterFuzz (Project Member), Jan 28 2017

Issue description

Comment 1 by tkent@chromium.org, Jan 30 2017

Components: Blink>Layout
Cc: msrchandra@chromium.org
Labels: Test-Predator-Wrong M-58
Owner: kojii@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL did not find any possible suspects.
Using Code Search for the file "RootInlineBox.h", assigning to the concerned owner.
Suspected commit:
https://chromium.googlesource.com/chromium/src/+/2ac0bb3d271e109b6f71929eecc1e44442f9576b

@kojii, could you please look into the issue, and kindly re-assign if this is not related to your changes.
Thank You.

Comment 3 by kojii@chromium.org, Jan 30 2017

Not that one...

I can't see the regression range, but isn't there anything related with floats or other line layout?

If none, this might be an old one, just started to trigger coincidentally. I can take a look, but not this week since I'm away from my main machine.

Comment 4 by kojii@chromium.org, Feb 7 2017

Cc: kojii@chromium.org
Owner: msten...@opera.com
mstensho@, any ideas? The call to placeNewFloats() in LineBreaker::skipLeadingWhitespace() seems to be changed in crrev.com/1899193007

Comment 5 by msten...@opera.com, Feb 7 2017

Don't know what introduced this, or if it's something old (nothing in the suggested regression range seems relevant), but LineBoxList::dirtyLinesFromChangedChild() appears to go on a joyride backwards in the layout tree if the child in question is a float. It ends up escaping the block formatting context it ought to be confined to, and will mark some earlier, completely irrelevant line box, as dirty. In our case it's the line box that we're about to finish laying out, and it asserts when it finds itself dirty when attempting to add a float.

This bug causes visible layout problems, in addition to the assertion failure.

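The walk that comment 5 describes, as an added toy model written for this page (it is not Blink code; the node kinds, the pre-order tree, `bfcRootOf`, `appendFloatWouldCheckFail` and the scenario tree are simplifications assumed for the illustration). The unconfined backwards walk leaves the block formatting context of the changed float and dirties the outer line that is still being finished, which is the state in which the `!isDirty()` check in `appendFloat` fires; stopping the walk at the BFC root leaves that line clean.

```cpp
// Toy model, written for this page, of a backwards line-dirtying walk that can
// escape the changed child's block formatting context (BFC). NOT Blink code:
// the tree layout, node kinds and helper names are assumptions for the example.
#include <cassert>
#include <vector>

struct Node {
    int parent;        // index of the parent node, -1 for the root
    bool bfcRoot;      // true if this box establishes its own BFC
    bool lineBox;      // true if this node is a line box owned by `parent`
    bool dirty = false;
};

class LayoutTree {
public:
    // Nodes are appended in pre-order, so every descendant of node r sits at an
    // index greater than r and before the next subtree. That contiguity is what
    // lets the confined walk below stop as soon as it reaches `root`.
    int add(int parent, bool bfcRoot, bool lineBox) {
        nodes_.push_back({parent, bfcRoot, lineBox});
        return static_cast<int>(nodes_.size()) - 1;
    }

    bool isDirty(int n) const { return nodes_[n].dirty; }

    // Nearest node (starting at n itself) that establishes a BFC.
    int bfcRootOf(int n) const {
        while (n != -1 && !nodes_[n].bfcRoot) n = nodes_[n].parent;
        return n;
    }

    // Walk backwards in tree order from `child` looking for a line box to mark
    // dirty. With confineToBfc == false this is the behaviour comment 5
    // describes: the walk leaves the BFC containing the changed float and lands
    // on an earlier, unrelated line box. With confineToBfc == true the walk
    // stops at the BFC root, so no line outside that context is touched.
    // Returns the index of the dirtied line box, or -1 if none.
    int dirtyLinesFromChangedChild(int child, bool confineToBfc) {
        int root = bfcRootOf(nodes_[child].parent);
        for (int i = child - 1; i >= 0; --i) {
            if (confineToBfc && i <= root) return -1;  // left the child's BFC
            if (nodes_[i].lineBox) { nodes_[i].dirty = true; return i; }
        }
        return -1;
    }

    // Mirrors the precondition the report's check expresses: a float may only
    // be appended to a line that is not dirty. Returns true when that check
    // would fail, so the scenario below can report it instead of aborting.
    bool appendFloatWouldCheckFail(int line) const { return nodes_[line].dirty; }

private:
    std::vector<Node> nodes_;
};

// Builds the tree implied by the bug description and returns true when the
// !isDirty() check would fail for the outer line:
//   root block (BFC root)
//     outer line box            <- the line the outer block is about to finish
//       inline-block (BFC root) <- a nested formatting context on that line
//         float                 <- the changed child that triggers the walk
bool outerLineCheckFails(bool confineToBfc) {
    LayoutTree t;
    int rootBlock   = t.add(-1, /*bfcRoot=*/true, /*lineBox=*/false);
    int outerLine   = t.add(rootBlock, false, true);
    int inlineBlock = t.add(outerLine, true, false);
    int innerFloat  = t.add(inlineBlock, true, false);

    // The nested float changes while the outer line is still being built.
    t.dirtyLinesFromChangedChild(innerFloat, confineToBfc);

    // The outer block now tries to append a pending float to its last line.
    return t.appendFloatWouldCheckFail(outerLine);
}

int main() {
    assert(outerLineCheckFails(/*confineToBfc=*/false));  // the reported assertion
    assert(!outerLineCheckFails(/*confineToBfc=*/true));  // walk stays in its BFC
    return 0;
}
```

The point of the model is the stopping condition, not the tree: whatever the real walk looks like, dirtying must not cross the boundary of the formatting context that owns the changed child, otherwise a line that a different block is in the middle of laying out can be invalidated under it.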
Comment 6 by msten...@opera.com, Feb 8 2017

Cc: robhogan@chromium.org
Introduced by https://codereview.chromium.org/2411773003

Fix attempt here: https://codereview.chromium.org/2686913002

Comment 8 by msten...@opera.com, Feb 9 2017

Status: Fixed (was: Assigned)

Comment 9 by ClusterFuzz (Project Member), Feb 10 2017

ClusterFuzz has detected this issue as fixed in range 449231:449250.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4599355324760064

Fuzzer: inferno_twister
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !isDirty() in RootInlineBox.h
  blink::RootInlineBox::appendFloat
  blink::LayoutBlockFlow::appendFloatingObjectToLastLine
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=449231:449250

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95t6t_ABjWrGdPzjfOtcNWgZ80PVwJ0_JgjZc_qfc_AH85ZQqS3NmfcXIsJqRhSSu6CmhKGNWHmVvCNZTijhKVtWs5O2dVB6F8oOu-wbi1CcEDIKJiG7AROQK4L6lXVtvt6hSOlKmhkaF0NdpFBz_r_DUflbbHN1Wee-1yyed13g67OZAs47GcJ4cri5mssy4u2uHRsUAVIm7Pjkied9PcP8srPz-iW_Rkq5pbDwh54f-ut3REBcGL1rFv0CZjRvALLJbjxGywpEPoG_xpxjvjNZdTlL5IcBVi90YE2ahVyg4_YABszVDAukGKvMBOnMe2Rou51VbY07Mg9oS8X1-UIk_H9_stSsVIPUb2hFo3Gzws_5tE?testcase_id=4599355324760064


Additional requirements: Requires HTTP

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
