Predator and CL could not provide any possible suspects.
Using Code Search for the file, "PaintController.cpp" assigning to the concern owner who might be related or worked on similar file.

wangxianzhu@ -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f40b8c36575c14e0d3d04a3b83879b4c407821af

commit f40b8c36575c14e0d3d04a3b83879b4c407821af
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Thu Sep 28 00:46:06 2017

Fully invalidate paint of LayoutMultiColumnSet when actual column count changes

This ensures repaint of the column rules which will be painted
differently for different actual column count.

Bug:  764213 
Change-Id: Ia4c2d2ec847ba851f05e02cf2f9ac7a44d397dea
Reviewed-on: https://chromium-review.googlesource.com/688480
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504831}
[add] https://crrev.com/f40b8c36575c14e0d3d04a3b83879b4c407821af/third_party/WebKit/LayoutTests/paint/invalidation/multicol-rule-actual-columns-change-expected.html
[add] https://crrev.com/f40b8c36575c14e0d3d04a3b83879b4c407821af/third_party/WebKit/LayoutTests/paint/invalidation/multicol-rule-actual-columns-change.html
[modify] https://crrev.com/f40b8c36575c14e0d3d04a3b83879b4c407821af/third_party/WebKit/LayoutTests/platform/mac/paint/invalidation/multicol-with-text-expected.txt
[modify] https://crrev.com/f40b8c36575c14e0d3d04a3b83879b4c407821af/third_party/WebKit/LayoutTests/platform/win/paint/invalidation/multicol-with-text-expected.txt
[modify] https://crrev.com/f40b8c36575c14e0d3d04a3b83879b4c407821af/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.cpp
[modify] https://crrev.com/f40b8c36575c14e0d3d04a3b83879b4c407821af/third_party/WebKit/Source/core/layout/LayoutMultiColumnSet.h

ClusterFuzz has detected this issue as fixed in range 504805:504871.

Detailed report: https://clusterfuzz.com/testcase?key=5078289948606464

Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  false. Can't find cached display item in PaintController.cpp
  blink::PaintController::FindOutOfOrderCachedItemForward
  blink::PaintController::UseCachedDrawingIfPossible
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=433514:433527
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=504805:504871

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5078289948606464

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5078289948606464 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.