From above Change log suspecting the below.
Review-Url: https://codereview.chromium.org/2727843003
tkent@: Could you please take a look into this, if its related to your change.

Its impacting Impacting Stable (56.0.2924.87) & Beta (57.0.2987.88).

My CL isn't a culprit.
Maybe paint area?

Note for reproducing. You need the GN flags in the clusterfuzz report (probably) and this command line "out/DebugGN/content_shell --run-layout-test --disable-web-security <test file>"

I've tracked the problem to LayoutTextTrackContainer::layout(), which calls setInlineStyleProperty which causes a chain of childNeedsStyleRecalc calls during layout, which of course results in a lifecycle violation because the style is not recalculated before we do paint work.

The underlying issue is the the desired font size for the text track depends on the size of the container, which is known during layout and not style. Maybe a workaround is to directly set the style without going through setInlineStyleProperty?

So this is, probably, a layout bug for whomever owns LayoutTextTrackContainer. Or a style bug for those who know what might be done to modify the font size without invalidating the style.

Taking one last look at this, the code is busted. We never set m_fontSize after creation of the layout object, so we could set the property at creation and be done with it. Or we should actually modify m_fontSize based on the size.

And  https://crbug.com/661771  is the same issue with different reproduction.

Thanks for the detailed analysis schenney!

ClusterFuzz has detected this issue as fixed in range 456626:457736.

Detailed report: https://clusterfuzz.com/testcase?key=6109953757806592

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  lifecycle().stateAllowsTreeMutations() in Document.cpp
  blink::Document::updateStyleAndLayoutTree
  blink::Document::scrollingElement
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=454203:454233
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_content_shell_drt&range=456626:457736

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv96GQw9SkQevjitoobNi8iH4GWTJtC6diDlidg-lxtjQnpcPYguiCgIhEd6pUZenQn8LzViVyCIv5jn7VcvlpGPuFdS8_iOP4AUUzZa5efrw0zJ2BrvpeP1xd5JMVrjeZJKhR5bLcTxR_m-FLUfGYpcTP1cVyVljYryezmBk67JidoTheizP2E3sU0MFd79tpV7e_uTHVZGO2J4X5oPM0H8UFtuqR8c_HYGDhqh_EHv6MKK3wEs5WIHm0cWtp5AMcGuUvWr6SbWVa0Kol8o4GjbMfzgJCqRcR0zKg2aAI5OPkT0LlT9OXExvMj47eMnX1akzv5OyiOH6UA_uYkrwv2cVZDqfQ5LFNA3_9CCmDIGzT3zm9kBRmawuA7iWy-FXYjihXgRIcuKaiM_gY3q3YuY-lwOdwA?testcase_id=6109953757806592


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.