Issue 897535

Starred by 3 users

Issue metadata
Status: Verified
Closed: Oct 29
OS: Linux
Pri: 1
Type: Bug




CHECK failure: containing_block->CanContainOutOfFlowPositionedElement( StyleRef().GetPosition()

Project Member Reported by ClusterFuzz, Oct 21

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5560726117416960

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  containing_block->CanContainOutOfFlowPositionedElement( StyleRef().GetPosition()
  blink::LayoutBox::ContainingBlockLogicalWidthForPositioned
  blink::LayoutBox::ComputePositionedLogicalWidth
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5560726117416960

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Cc: kkaluri@chromium.org
Labels: Test-Predator-Wrong M-70
Owner: masonfreed@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "layout_box.cc", I suspect the CL below might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/3fe4904a00ba85fe97d3b64dee683803e8d8049b

masonfreed@ -- Could you please check whether this is caused by your change? If not, please help us assign it to the right owner.

Thanks!
Cc: masonfreed@chromium.org
Owner: vmp...@chromium.org
I verified that this reproduces, but is definitely not related to my CL (3fe4904a00ba85fe97d3b64dee683803e8d8049b). I hate that CL - it touched all files and now ClusterFuzz hates me for it.

I am re-running the regression range now, but my best guess is this CL:

https://chromium-review.googlesource.com/c/chromium/src/+/882187

I am going to change the owner to vmpstr@ (from the CL above). If the regression turns something up, I'll add it here as a comment. vmpstr@, if you disagree, feel free to send this back to me.


Cc: vmp...@chromium.org
Components: Blink>Layout
Owner: mstensho@chromium.org
It seems that there is an anonymous block that is rel positioned but its continuation is not rel positioned. This causes this DCHECK.

Here's a simpler repro:
<!doctype HTML>
<style>
.rel {
  position: relative;
}
.abs {
  position: absolute;
}
</style>

<span class="rel"><span id="parent"><div><div class="abs"></div></div></span></span>

Running this with the DCHECK commented out produces the following tree:
*LayoutView 0x4326004010               	#document
  LayoutBlockFlow 0x4326024010         	HTML
    LayoutBlockFlow 0x4326024140       	BODY
      LayoutBlockFlow (anonymous) 0x43260244d0
        LayoutInline (relative positioned) 0x4326034010 continuation=0x4326034190	SPAN class="rel"
          LayoutInline 0x43260340d0 continuation=0x43260243a0	SPAN id="parent"
      LayoutBlockFlow (anonymous) (relative positioned) 0x43260243a0 continuation=0x4326034250
        LayoutBlockFlow 0x4326024270   	DIV
          LayoutBlockFlow (positioned) 0x4326024730	DIV class="abs"
      LayoutBlockFlow (anonymous) 0x4326024600
        LayoutInline (relative positioned) 0x4326034190	SPAN class="rel"
          LayoutInline 0x4326034250    	SPAN id="parent"
        LayoutText 0x4326040010        	#text "\n"

Note that the first positioned ancestor of the "abs" div is the anonymous block with a continuation (that's the container). The continuation however is not positioned (the parent of the continuation is positioned).

mstensho@, do you mind triaging this?

I have a patch that papers over this to only check the container relationship if we don't go to the continuation. However, if a continuation of a rel-positioned anonymous block should be rel-positioned, then this simply hides the issue.
Thanks for the detailed analysis! I can reproduce this, and will take a look.
The code that jumps from the containing block to the next continuation was introduced here:
https://codereview.chromium.org/1406953003
(rhogan, 2015)
Comment 6 by bugdroid1@chromium.org (Project Member), Oct 29

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/78ed3d537cbf04c575d255de764e489a559caaec

commit 78ed3d537cbf04c575d255de764e489a559caaec
Author: Morten Stenshorne <mstensho@chromium.org>
Date: Mon Oct 29 12:14:38 2018

Use the correct out-of-flow containing block in continuations.

We cannot just use the innermost inline, without checking if it's a
valid containing block for absolutely positioned descendants. Find the
right ancestor.

The idea of using the *next* inline in the continuation chain may not be
ideal, but it's not obvious that using the previous one would be much
better (it's more work to find that one anyway), so leaving it as it is.
The spec says that if the relatively positioned inline occurs on
multiple lines, CSS 2 doesn't define exact behavior. Therefore, in the
test, put the same amount of stuff on the line preceding the
interrupting block-level element as on the line following it, to be sure
that the abspos descendant is sized the way we want it to be.

Bug: 897535
Change-Id: Ie9bc4e83400bc283b9c95aafef821000f2303d12
Reviewed-on: https://chromium-review.googlesource.com/c/1301457
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Emil A Eklund <eae@chromium.org>
Reviewed-by: vmpstr <vmpstr@chromium.org>
Reviewed-by: Mason Freed <masonfreed@chromium.org>
Cr-Commit-Position: refs/heads/master@{#603466}
[modify] https://crrev.com/78ed3d537cbf04c575d255de764e489a559caaec/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG
[modify] https://crrev.com/78ed3d537cbf04c575d255de764e489a559caaec/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/78ed3d537cbf04c575d255de764e489a559caaec/third_party/WebKit/LayoutTests/external/wpt/css/CSS2/abspos/abspos-in-block-in-inline-in-relpos-inline.html
[modify] https://crrev.com/78ed3d537cbf04c575d255de764e489a559caaec/third_party/blink/renderer/core/layout/layout_box.cc
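The following is an added example, not code from this bug or from Blink. It is a small JavaScript model of the layout tree dumped in comment 3 (the three anonymous blocks, the split SPAN.rel / SPAN#parent inlines, and the continuation pointers) and of the two containing-block lookups: the pre-fix behaviour that jumps straight to the anonymous block's continuation, and the behaviour the commit message for 78ed3d537 describes (check that the continuation is a valid containing block for abspos descendants and otherwise find the right ancestor). Node names, the `position`/`anonymous`/`continuation` fields, and the reduction of `CanContainOutOfFlowPositionedElement` to "position is not static" are assumptions made for the model; the real Blink predicate also considers transforms, containment and other properties.

```javascript
// Model of the continuation layout tree from comment 3 of issue 897535.
// Added example; not Blink code. Field names are assumptions.

function node(name, opts = {}) {
  return Object.assign(
    { name, position: 'static', anonymous: false, continuation: null, parent: null, children: [] },
    opts,
  );
}

function attach(parent, ...kids) {
  for (const k of kids) {
    k.parent = parent;
    parent.children.push(k);
  }
  return parent;
}

// Simplified stand-in for CanContainOutOfFlowPositionedElement(): any box that is
// itself positioned can be the containing block of an absolutely positioned descendant.
// Assumption: the real predicate also looks at transforms, containment, etc.
function canContainOutOfFlow(box) {
  return box.position !== 'static';
}

// Rebuild the dumped tree:
//   BODY
//     anon-1            > SPAN.rel (relative, cont -> SPAN.rel#2) > SPAN#parent (cont -> anon-2)
//     anon-2 (relative, cont -> SPAN#parent#2) > DIV > DIV.abs (absolute)
//     anon-3            > SPAN.rel#2 (relative) > SPAN#parent#2
function buildTree() {
  const body = node('BODY');
  const anon1 = node('anon-1', { anonymous: true });
  const rel1 = node('SPAN.rel', { position: 'relative' });
  const parent1 = node('SPAN#parent');
  const anon2 = node('anon-2', { anonymous: true, position: 'relative' });
  const div = node('DIV');
  const abs = node('DIV.abs', { position: 'absolute' });
  const anon3 = node('anon-3', { anonymous: true });
  const rel2 = node('SPAN.rel#2', { position: 'relative' });
  const parent2 = node('SPAN#parent#2');

  attach(body,
    attach(anon1, attach(rel1, parent1)),
    attach(anon2, attach(div, abs)),
    attach(anon3, attach(rel2, parent2)));

  // Continuation chain exactly as the dump shows it: the positioned anonymous
  // block continues into the *non-positioned* second half of SPAN#parent.
  rel1.continuation = rel2;
  parent1.continuation = anon2;
  anon2.continuation = parent2;

  return { body, abs, anon2, parent2, rel2 };
}

// Nearest ancestor that can hold an out-of-flow box: the "container" in comment 3.
function containerOf(box) {
  let p = box.parent;
  while (p && !canContainOutOfFlow(p)) p = p.parent;
  return p;
}

// Pre-fix lookup: if the container is an anonymous block with a continuation,
// use that continuation as the containing block without checking it.
function containingBlockBeforeFix(box) {
  let cb = containerOf(box);
  if (cb && cb.anonymous && cb.continuation) cb = cb.continuation;
  return cb;
}

// Post-fix lookup, as described in the commit message: after following the
// continuation, do not trust the innermost inline; climb until an ancestor that
// is a valid containing block for absolutely positioned descendants.
function containingBlockAfterFix(box) {
  let cb = containerOf(box);
  if (cb && cb.anonymous && cb.continuation) {
    cb = cb.continuation;
    while (cb && !canContainOutOfFlow(cb)) cb = cb.parent;
  }
  return cb;
}

// The condition from the crash state: would the CHECK pass for this containing block?
function checkPasses(cb) {
  return cb !== null && canContainOutOfFlow(cb);
}

module.exports = { buildTree, containingBlockBeforeFix, containingBlockAfterFix, checkPasses };
```

Running `containingBlockBeforeFix` on the modelled DIV.abs lands on the second half of SPAN#parent, which is static, so `checkPasses` is false; that is the failing `CHECK` in `ContainingBlockLogicalWidthForPositioned`. The post-fix lookup climbs from there to the second SPAN.rel, which is relatively positioned, and the check holds. The model only reproduces the ancestor relationship; it says nothing about which of the two SPAN.rel halves should size the abspos box, which the commit message leaves open for inlines that span multiple lines.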

Status: Fixed (was: Assigned)
Comment 8 by ClusterFuzz (Project Member), Oct 30

ClusterFuzz has detected this issue as fixed in range 603464:603466.


Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=603464:603466

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5560726117416960

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 9 by ClusterFuzz (Project Member), Oct 30

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5560726117416960 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
