Issue 902762

Issue metadata

Status: Verified
Owner:
Closed: Nov 15
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug



CHECK failure: IsFirstAfterBreak(line_top_in_flow_thread) || !line.PaginationStrut() || !IsLogi

Project Member Reported by ClusterFuzz, Nov 7

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6735268125868032

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IsFirstAfterBreak(line_top_in_flow_thread) || !line.PaginationStrut() || !IsLogi
  blink::MinimumSpaceShortageFinder::ExamineLine
  blink::ColumnBalancer::TraverseLines
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6735268125868032

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: kkaluri@chromium.org
Labels: M-71 Test-Predator-Wrong
Owner: mstensho@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.

Using Code Search for the file "column_balancer.cc", suspecting the below CL might have caused this issue.

Suspect CL: https://chromium.googlesource.com/chromium/src/+/6b18d3dad1226e99cee0e92670f82a3c6b7ef11b

mstensho@ -- Could you please check whether this is caused by your change? If not, please help us in assigning it to the right owner.

Thanks!
Attachment: tc.html (197 bytes)
Components: Blink>Layout>MultiCol
Project Member

Comment 4 by bugdroid1@chromium.org, Nov 15

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7aa1330a9c76a5a8f3f9b8a9f16c837e187bc9d0

commit 7aa1330a9c76a5a8f3f9b8a9f16c837e187bc9d0
Author: Morten Stenshorne <mstensho@chromium.org>
Date: Thu Nov 15 17:16:42 2018

Floats in a next fragmentainer may push lines down.

We cannot assume that when we push a line to the next fragmentainer
(because it doesn't fit in the current one), the line is going to fit
there. If the next fragmentainer has a float that nothing fits beside
and the float is too tall to fit the line below it, we need to jump to
yet another fragmentainer in order to find room for the line.

Bug: 902762
Change-Id: Ied14694ed1ad4fc25d28527edd1ca7389f00664c
Reviewed-on: https://chromium-review.googlesource.com/c/1335580
Commit-Queue: Morten Stenshorne <mstensho@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/master@{#608414}
[add] https://crrev.com/7aa1330a9c76a5a8f3f9b8a9f16c837e187bc9d0/third_party/WebKit/LayoutTests/external/wpt/css/css-break/line-after-unbreakable-float-after-padding-ref.html
[add] https://crrev.com/7aa1330a9c76a5a8f3f9b8a9f16c837e187bc9d0/third_party/WebKit/LayoutTests/external/wpt/css/css-break/line-after-unbreakable-float-after-padding.html
[modify] https://crrev.com/7aa1330a9c76a5a8f3f9b8a9f16c837e187bc9d0/third_party/blink/renderer/core/layout/layout_block_flow_line.cc

Status: Fixed (was: Assigned)
Project Member

Comment 6 by ClusterFuzz, Nov 16

ClusterFuzz has detected this issue as fixed in range 608400:608414.

Detailed report: https://clusterfuzz.com/testcase?key=6735268125868032

Fuzzer: marty_html_twiddler
Job Type: linux_debug_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IsFirstAfterBreak(line_top_in_flow_thread) || !line.PaginationStrut() || !IsLogi
  blink::MinimumSpaceShortageFinder::ExamineLine
  blink::ColumnBalancer::TraverseLines
  
Sanitizer: address (ASAN)

Fixed: https://clusterfuzz.com/revisions?job=linux_debug_chrome&range=608400:608414

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6735268125868032

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Nov 16

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6735268125868032 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
