Never position a float after it has been placed.

third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp

Index: third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
diff --git a/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp b/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
index 74ef4383eb6dfda73e250de3aacb7c43ef44d427..c553ea433a340b4d12ecccf30a5dfb57079f7250 100644
--- a/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
+++ b/third_party/WebKit/Source/core/layout/LayoutBlockFlow.cpp
@@ -3637,6 +3637,11 @@ bool LayoutBlockFlow::placeNewFloats(LayoutUnit logicalTopMarginEdge,
 LayoutUnit LayoutBlockFlow::positionAndLayoutFloat(
     FloatingObject& floatingObject,
     LayoutUnit logicalTopMarginEdge) {
+  // Once a float has been placed, we cannot update its position, or the float
+  // interval tree will be out of sync with reality. This may in turn lead to
+  // objects being used after they have been deleted.
+  CHECK(!floatingObject.isPlaced());
+
   LayoutBox& child = *floatingObject.layoutObject();
 
   // FIXME Investigate if this can be removed. crbug.com/370006