This layout test is now flaky (crashes sometimes):
fast/block/crash-when-element-becomes-positioned-and-doesnt-clear-floating-objects.html

Not 100% reproducible, though.

#0  0x00007fffe53c6f46 in blink::ShapeResult::ShapeResult (this=0x37c2431216c0, other=...) at ../../third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:195
#1  0x00007fffe53cd341 in blink::ShapeResult::CopyAdjustedOffset (this=0xcdcdcdcdcdcdcdcd, start_index=0) at ../../third_party/blink/renderer/platform/fonts/shaping/shape_result.cc:964
#2  0x00007fffe859a143 in blink::NGInlineItemsBuilderTemplate<blink::EmptyOffsetMappingBuilder>::Append (this=0x7fffac7154a8, original_string=" crbug.com/445285 : Do not crash when an element becomes positioned. ", layout_object=0x2b9f0a4281d0, items=WTF::Vector of length 1, capacity 4 = {...}) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_items_builder.cc:230
#3  0x00007fffe85b10a8 in blink::(anonymous namespace)::CollectInlinesInternal<blink::EmptyOffsetMappingBuilder> (block=0x2b9f0a418158, builder=0x7fffac7154a8, previous_text=0x3805713c9640) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_node.cc:91
#4  0x00007fffe85afcae in blink::NGInlineNode::CollectInlines (this=0x7fffac717608, data=0x3805713be090, previous_data=0x3805713c9640) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_node.cc:299
#5  0x00007fffe85af5bf in blink::NGInlineNode::PrepareLayoutIfNeeded (this=0x7fffac717608) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_node.cc:232
#6  0x00007fffe85b0969 in blink::NGInlineNode::EnsureData (this=0x7fffac717608) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_node.cc:251
#7  0x00007fffe85a9a45 in blink::NGInlineNode::IsEmptyInline (this=0x7fffac717608) at ../../third_party/blink/renderer/core/layout/ng/inline/ng_inline_node.h:77
#8  0x00007fffe85e6387 in blink::NGBlockLayoutAlgorithm::HandleInflow (this=0x7fffac718f38, child=..., child_break_token=0x0, previous_inflow_position=0x7fffac717958, previous_inline_break_token=0x7fffac7178f0) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:865
#9  0x00007fffe85e2f87 in blink::NGBlockLayoutAlgorithm::Layout (this=0x7fffac718f38) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:394
#10 0x00007fffe85f00c6 in blink::(anonymous namespace)::LayoutWithAlgorithm (style=..., node=..., box=0x2b9f0a418158, space=..., break_token=0x0) at ../../third_party/blink/renderer/core/layout/ng/ng_block_node.cc:66
#11 0x00007fffe85eef6e in blink::NGBlockNode::Layout (this=0x7fffac71b058, constraint_space=..., break_token=0x0) at ../../third_party/blink/renderer/core/layout/ng/ng_block_node.cc:187
#12 0x00007fffe860aedb in blink::NGLayoutInputNode::Layout (this=0x7fffac71b058, space=..., break_token=0x0) at ../../third_party/blink/renderer/core/layout/ng/ng_layout_input_node.cc:131
#13 0x00007fffe85e6547 in blink::NGBlockLayoutAlgorithm::HandleInflow (this=0x7fffac71c988, child=..., child_break_token=0x0, previous_inflow_position=0x7fffac71b3a8, previous_inline_break_token=0x7fffac71b340) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:891
#14 0x00007fffe85e2f87 in blink::NGBlockLayoutAlgorithm::Layout (this=0x7fffac71c988) at ../../third_party/blink/renderer/core/layout/ng/ng_block_layout_algorithm.cc:394
(More stack frames follow...)

Probably introduced by https://chromium-review.googlesource.com/986982