CHECK failure: isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalT
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6183192664211456

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalT
  blink::MinimumSpaceShortageFinder::examineLine
  blink::ColumnBalancer::traverseLines

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95PD8Kw945diUj7oVLbZOtN1yUTG4cHhdtZ8ExROKL46YOGZu_UHySSQPugNOG4B9a50xAZbraxrJ_Csw_XbpQ4VXLEHnzZMbEU8LQGsh9UYlDMteIhyKcsSNmqD3YLgEtkUsAs_3tC9_EVPl6OtPev4WpRL4DI6TPtOEELnH9oBNeEcQN4NMCUoJ84lHssTe6yiiu10KenoIcz3dNTpDQTaRmndcPathagF2SQXKlEvemRPmR80O7sAYWfZ6cPVCbLaGfneuvE9k7L0r7y6T86KzXTY8Yy1-OhnF4ZikZRNvyqzDnvb1Z5viPEg8QXaoKPoDLd5zeS9KDDWHGYN5U17R7lyN0dXmLdLLDJ-9S964yQBZ6me7QS_wSOfZa9sIeVfAEgfgtP8_R7d2r-igSqXBg4cg?testcase_id=6183192664211456

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 7 2017
Yeah, I suspected that one too. Although that CL just removes a DCHECK, I was kind of assuming that this new bug here was just hiding behind the other now-removed DCHECK. However, reverting it doesn't make any difference. Still DCHECK-fails at the same place. Anyway, this one is mine. :)
Apr 7 2017
This looks like a very old bug, and something I failed to fix while working on bug 534751. When fragmenting, we need to position everything before laying it out.
Apr 25 2017
Apr 28 2017
May 5 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/97b20197a53d323f7b2d92581d97817ea85ea0a4

commit 97b20197a53d323f7b2d92581d97817ea85ea0a4
Author: mstensho <mstensho@opera.com>
Date: Fri May 05 17:09:08 2017

The first table row is pushed down by border-spacing. We need to make sure this happens *before* laying it out when inside a fragmentation context. Added tests fast/multicol/balance-table-with-border-spacing.html and fragmentation/table-with-border-spacing.html for this.

This change also fixes breaking inside border-spacing adjacent to table rows with break-inside:avoid set. There should be no reason to prevent breaking inside border spacing, just because it's adjacent to such table rows, but it looks like this was the behavior we got, by accident. Updated printing/avoid-setting-header-offset-on-header.html accordingly and threw in an additional test fragmentation/border-spacing-break-before-unbreakable-row.html for this collateral fix. It's hopefully correct, since we now match Edge's behavior.

BUG=709387, 534751

Review-Url: https://codereview.chromium.org/2803383002
Cr-Commit-Position: refs/heads/master@{#469690}

[add] https://crrev.com/97b20197a53d323f7b2d92581d97817ea85ea0a4/third_party/WebKit/LayoutTests/fast/multicol/balance-table-with-border-spacing.html
[add] https://crrev.com/97b20197a53d323f7b2d92581d97817ea85ea0a4/third_party/WebKit/LayoutTests/fragmentation/border-spacing-break-before-unbreakable-row.html
[add] https://crrev.com/97b20197a53d323f7b2d92581d97817ea85ea0a4/third_party/WebKit/LayoutTests/fragmentation/table-with-border-spacing.html
[modify] https://crrev.com/97b20197a53d323f7b2d92581d97817ea85ea0a4/third_party/WebKit/LayoutTests/printing/avoid-setting-header-offset-on-header-expected.html
[modify] https://crrev.com/97b20197a53d323f7b2d92581d97817ea85ea0a4/third_party/WebKit/LayoutTests/printing/avoid-setting-header-offset-on-header.html
[modify] https://crrev.com/97b20197a53d323f7b2d92581d97817ea85ea0a4/third_party/WebKit/Source/core/layout/LayoutTableSection.cpp
[modify] https://crrev.com/97b20197a53d323f7b2d92581d97817ea85ea0a4/third_party/WebKit/Source/core/layout/LayoutTableSection.h
May 5 2017
May 6 2017
ClusterFuzz has detected this issue as fixed in range 469683:469704.

Detailed report: https://clusterfuzz.com/testcase?key=6183192664211456

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_debug_content_shell_drt
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  isFirstAfterBreak(lineTopInFlowThread) || !line.paginationStrut() || !isLogicalT
  blink::MinimumSpaceShortageFinder::examineLine
  blink::ColumnBalancer::traverseLines

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_debug_content_shell_drt&range=469683:469704

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6183192664211456

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by msrchandra@chromium.org, Apr 7 2017
Labels: Test-Predator-Wrong M-57
Owner: msten...@opera.com
Status: Assigned (was: Untriaged)