FYI I already did a bisect. See issue 712660. The proximate cause was
a CL I committed, but the root issue is double-painting of floats.

Ah, right.

In that case this really shouldn't be a release blocker, that is purely for regressions. It is a P1 however and I'll find someone to work on it.

Any chance you could help with this Gleb? It's a float double paint issue where the table cell and container both think they're the owner of the float in question.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bd5ed3446133bfe50bc9e0194c1fe8d271e8fcf0

commit bd5ed3446133bfe50bc9e0194c1fe8d271e8fcf0
Author: glebl <glebl@chromium.org>
Date: Fri May 12 16:49:37 2017

Use floating_object's parent object to check for overhanging floats.

This fixes the "Double-painting of floats" issue caught on this page
http://www.alz.org/what-is-dementia.asp?gclid=Cj0KEQjw0IvIBRDF0Yzq4qGE4IwBEiQATMQlMcdGdUB3bX7An9ifdWLx8RUy7o6FlVy5rx_NB7i_CwAaAiQh8P8HAQ

1) On that page a floating iframe overhangs over several parents and gets
copied by AddOverhangingFloats to the block with self-painting layer.
Once the float reaches the block with self-painting layer boundary
its ShouldPaint flag gets flipped.

2) Because the float is wrapped inside of anonymous block
during the composition step UpdateAncestorShouldPaintFloatingObject uses
a not-direct parent of the float. As a result IsOverhangingFloat returns
a wrong result and flips ShouldPaint flag for the FloatingObject associated
with the float's layout object which is already marked for
paint by another FloatingObject created in step 1.

BUG= 717755 

Review-Url: https://codereview.chromium.org/2875163002
Cr-Commit-Position: refs/heads/master@{#471337}

[modify] https://crrev.com/bd5ed3446133bfe50bc9e0194c1fe8d271e8fcf0/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp