Issue 698216

Starred by 1 user

Issue metadata

Status: Verified
Closed: Mar 2017
OS: Linux, Android, Windows, iOS, All, Chrome, Mac
Pri: 1
Type: Bug


context.paintInvalidationContainer == object.containerForPaintInvalidation() in blink::PaintInvalidator::updatePaintInvalidationContainer

Reported by ClusterFuzz (Project Member), Mar 3 2017

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6029950160470016

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  context.paintInvalidationContainer == object.containerForPaintInvalidation() in 
  blink::PaintInvalidator::updatePaintInvalidationContainer
  blink::PaintInvalidator::invalidatePaintIfNeeded
  
Sanitizer: address (ASAN)

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_debug_content_shell_drt&range=445725:445853

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94jGSXWl1PqREm3UeEVy2I3JqnjXFKemllywdoUkPm_ziqKbC-WhOiHoqCRhrmANdeooGWmeu8xPpkh0CDYO675aOBao-fJfDowYDiXPoNZIeLxp7mikHbdFEZb8XUbMtEfwgeXDLfg2Gtk5uNzwV4Gs7O9kd-TJUzSL9NSrUCBrQYQPBaa2biD-SdcG00PDWw_IcaBorlcSyC3Ztwt007GqBm3eAH4GeRAGFrHsPbgr6MoDQAniXrQsoNMrEUVxudEiR5R9Qz3VFTFBxf0dwrY5zI5HSI1VYUBL1ZBa_YY1n2jtkBij8ffNgG4gWXiNub_kjmz1PgUFWuJJJPGPNwpVLZZcB3S9nsQ8f06bNDoevBy3hI?testcase_id=6029950160470016


Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Components: Blink>Paint
Labels: Test-Predator-Wrong M-58
Owner: wangxianzhu@chromium.org
Status: Assigned (was: Untriaged)
Through code search on file PaintInvalidator.cpp, the suspected CL is
https://chromium.googlesource.com/chromium/src/+/67f96fcba8901815194004f7c5778550bf51e3e1
wangxianzhu@, could you please take a look?
Thank you.

Labels: PaintTeamTriaged-20170306 Regressed-58
Labels: -Regressed-58 ReleaseBlock-Stable Regressed-57 M-57
The clusterfuzz regression range is wrong.

This regressed since https://codereview.chromium.org/2615203002 (before m57 branch point).

The case is like:
  <div class="multicol">
    <div class="composited">
      <div class="colspan"></div>
    </div>
  </div>

Cc: pdr@chromium.org

Comment 5 by pdr@chromium.org, Mar 9 2017

Want me to take this one?
Labels: OS-Android OS-Chrome OS-iOS OS-Mac OS-Windows OS-All
Comment 8 by bugdroid1@chromium.org (Project Member), Mar 9 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d0a53bebc4896e68c81ba549a2c01674a3d6621f

commit d0a53bebc4896e68c81ba549a2c01674a3d6621f
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Thu Mar 09 20:01:33 2017

Fix wrong paint invalidation container for column spanners

If a column spanner is under a composited column content, it doesn't
paint onto this composited column content because it belongs to the
column container in paint order.

This regressed since https://codereview.chromium.org/2615203002.

BUG= 698216 
TEST=paint/invalidation/compositing/column-span-under-composited-column-child.html
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2736373003
Cr-Commit-Position: refs/heads/master@{#455841}

[add] https://crrev.com/d0a53bebc4896e68c81ba549a2c01674a3d6621f/third_party/WebKit/LayoutTests/paint/invalidation/compositing/column-span-under-composited-column-child-expected.html
[add] https://crrev.com/d0a53bebc4896e68c81ba549a2c01674a3d6621f/third_party/WebKit/LayoutTests/paint/invalidation/compositing/column-span-under-composited-column-child-expected.txt
[add] https://crrev.com/d0a53bebc4896e68c81ba549a2c01674a3d6621f/third_party/WebKit/LayoutTests/paint/invalidation/compositing/column-span-under-composited-column-child.html
[modify] https://crrev.com/d0a53bebc4896e68c81ba549a2c01674a3d6621f/third_party/WebKit/Source/core/layout/PaintInvalidationState.cpp
[modify] https://crrev.com/d0a53bebc4896e68c81ba549a2c01674a3d6621f/third_party/WebKit/Source/core/paint/PaintInvalidator.cpp
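A constructed reproducer for the structure sketched in comment 3 and explained in the commit message above. This is an added example, not the column-span-under-composited-column-child.html layout test the commit adds, and not ClusterFuzz's testcase. The three class names come from comment 3; the CSS that gives each element its role (multicol container, composited column child, column spanner), the script that forces a paint invalidation, and the testRunner hooks are assumptions:

```html
<!DOCTYPE html>
<!-- Constructed reproducer for crbug 698216 (example, not the project's test).
     Structure from comment 3: multicol > composited > colspan. -->
<style>
  .multicol {
    columns: 2;              /* assumed: makes this a multicol container */
    column-gap: 10px;
    width: 400px;
    height: 200px;
    background: #ddd;
  }
  .composited {
    will-change: transform;  /* assumed: promotes the column child to its own composited layer */
    background: #cfc;
    height: 150px;
  }
  .colspan {
    column-span: all;        /* the spanner paints with the multicol container,
                                not with the composited ancestor it sits under */
    height: 40px;
    background: #fcc;
  }
</style>
<div class="multicol">
  <div class="composited">
    <div class="colspan" id="spanner"></div>
  </div>
</div>
<script>
  // Lay the page out once, then change the spanner so that the next frame has
  // to invalidate its paint. On a build without the fix, a debug content_shell
  // hits the CHECK in PaintInvalidator::updatePaintInvalidationContainer here:
  // the invalidator walked down through .composited and carries it as the
  // invalidation container, while containerForPaintInvalidation() on the
  // spanner resolves through the multicol container it belongs to in paint order.
  const spanner = document.getElementById('spanner');
  void spanner.offsetHeight;               // synchronous layout
  if (window.testRunner) testRunner.waitUntilDone();
  requestAnimationFrame(() => {
    spanner.style.background = '#ccf';     // style change => paint invalidation
    requestAnimationFrame(() => {
      if (window.testRunner) testRunner.notifyDone();
    });
  });
</script>
```

Load it in a debug content_shell the way the reproducing-clusterfuzz-bugs page linked in the report describes, on a revision before d0a53bebc4896e68c81ba549a2c01674a3d6621f, and expect the CHECK from the crash state; on a fixed revision the page simply repaints. The page reports this only as a CHECK failure in a debug content_shell job and says nothing about release builds or memory safety, so do not read more than a paint-invalidation correctness bug into it.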

M57 stable for desktop is already out. We can pick up this change for a future refresh.
Labels: -ReleaseBlock-Stable
Removing RB-Stable given c#9; if this isn't urgent enough to block the first push, it won't block a second one either. We haven't cut our first Android release for M57 yet, so if you're super confident in the fix and think it would fix a meaningful crash in M57, please request a merge tomorrow (after verifying nothing breaks in canary) and ping me.
Labels: Merge-Request-57 Merge-Request-58
The change is safe. It's not urgent though as the bug case should be quite rare.
Comment 12 by sheriffbot@chromium.org (Project Member), Mar 10 2017

Labels: -Merge-Request-58 Hotlist-Merge-Approved Merge-Approved-58
Your change meets the bar and is auto-approved for M58. Please go ahead and merge the CL to branch 3029 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), bhthompson@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 13 by sheriffbot@chromium.org (Project Member), Mar 10 2017

Labels: -Merge-Request-57 Hotlist-Merge-Review Merge-Review-57
This bug requires manual review: Less than 0 days to go before AppStore submit on M57
Please contact the milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 14 by bugdroid1@chromium.org (Project Member), Mar 10 2017

Labels: -merge-approved-58 merge-merged-3029
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/52520d1f00753da9adafc914b4856ed9052e3678

commit 52520d1f00753da9adafc914b4856ed9052e3678
Author: wangxianzhu <wangxianzhu@chromium.org>
Date: Fri Mar 10 17:47:33 2017

Fix wrong paint invalidation container for column spanners

If a column spanner is under a composited column content, it doesn't
paint onto this composited column content because it belongs to the
column container in paint order.

This regressed since https://codereview.chromium.org/2615203002.

BUG= 698216 
TBR=wangxianzhu@chromium.org
NOTRY=true
NOPRESUBMIT=true
TEST=paint/invalidation/compositing/column-span-under-composited-column-child.html
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2736373003
Cr-Original-Commit-Position: refs/heads/master@{#455841}
Review-Url: https://codereview.chromium.org/2740103004
Cr-Commit-Position: refs/branch-heads/3029@{#113}
Cr-Branched-From: 939b32ee5ba05c396eef3fd992822fcca9a2e262-refs/heads/master@{#454471}

[add] https://crrev.com/52520d1f00753da9adafc914b4856ed9052e3678/third_party/WebKit/LayoutTests/paint/invalidation/compositing/column-span-under-composited-column-child-expected.html
[add] https://crrev.com/52520d1f00753da9adafc914b4856ed9052e3678/third_party/WebKit/LayoutTests/paint/invalidation/compositing/column-span-under-composited-column-child-expected.txt
[add] https://crrev.com/52520d1f00753da9adafc914b4856ed9052e3678/third_party/WebKit/LayoutTests/paint/invalidation/compositing/column-span-under-composited-column-child.html
[modify] https://crrev.com/52520d1f00753da9adafc914b4856ed9052e3678/third_party/WebKit/Source/core/layout/PaintInvalidationState.cpp
[modify] https://crrev.com/52520d1f00753da9adafc914b4856ed9052e3678/third_party/WebKit/Source/core/paint/PaintInvalidator.cpp

Comment 15 by ClusterFuzz (Project Member), Mar 11 2017

ClusterFuzz has detected this issue as fixed in range 455700:456019.

Detailed report: https://clusterfuzz.com/testcase?key=6029950160470016

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  context.paintInvalidationContainer == object.containerForPaintInvalidation() in 
  blink::PaintInvalidator::updatePaintInvalidationContainer
  blink::PaintInvalidator::invalidatePaintIfNeeded
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=445725:445853
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=455700:456019

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94jGSXWl1PqREm3UeEVy2I3JqnjXFKemllywdoUkPm_ziqKbC-WhOiHoqCRhrmANdeooGWmeu8xPpkh0CDYO675aOBao-fJfDowYDiXPoNZIeLxp7mikHbdFEZb8XUbMtEfwgeXDLfg2Gtk5uNzwV4Gs7O9kd-TJUzSL9NSrUCBrQYQPBaa2biD-SdcG00PDWw_IcaBorlcSyC3Ztwt007GqBm3eAH4GeRAGFrHsPbgr6MoDQAniXrQsoNMrEUVxudEiR5R9Qz3VFTFBxf0dwrY5zI5HSI1VYUBL1ZBa_YY1n2jtkBij8ffNgG4gWXiNub_kjmz1PgUFWuJJJPGPNwpVLZZcB3S9nsQ8f06bNDoevBy3hI?testcase_id=6029950160470016


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 16 by ClusterFuzz (Project Member), Mar 11 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6029950160470016 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Labels: -Merge-Review-57 Merge-Rejected-57
Rejecting merge to M57 based on comments #9, #10 and #11. Please let me know if there is any concern here. Thank you.