Based on the code search on 'DocumentThreadableLoader.cpp' seeing most recent changes by hiroshige@.

Could you please take a look at this or help in finding an appropriate owner for this. 

Locally reproduced on r387601 on Linux.

Bisected on Linux.

Regressing CL: https://codereview.chromium.org/1264453002
r375537, affecting M-50 (stable) and later.

Cause:
setResource() can call notifyFinished() and thus DocumentThreadableLoader::clear() synchronously.

Draft CL:
https://codereview.chromium.org/1902683002/

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2571533bbb5b554ff47205c8ef1513ccc0817c3e

commit 2571533bbb5b554ff47205c8ef1513ccc0817c3e
Author: hiroshige <hiroshige@chromium.org>
Date: Mon May 02 18:30:41 2016

DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()

In loadRequest(), setResource() can call clear() synchronously:
  DocumentThreadableLoader::clear()
  DocumentThreadableLoader::handleError()
  Resource::didAddClient()
  RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes ( Issue 595964 ).

This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().

BUG= 595964 

Review-Url: https://codereview.chromium.org/1902683002
Cr-Commit-Position: refs/heads/master@{#391001}

[modify] https://crrev.com/2571533bbb5b554ff47205c8ef1513ccc0817c3e/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

ClusterFuzz has detected this issue as fixed in range 390990:391023.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6042024888762368

Fuzzer: ochang_domfuzzer
Job Type: linux_asan_chrome_mp
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::DocumentThreadableLoader::loadRequest
  blink::DocumentThreadableLoader::dispatchInitialRequest
  blink::DocumentThreadableLoader::start
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=172836:173286
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_mp&range=390990:391023

Minimized Testcase (1.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95xwtkW0XqRvOAKRWDOk0146BB-R7sfi9PIOFsP6cHSbyt5PvcOGF88OkNxgn46OddELPNyk_b9wNzOEmEt-3By59Z6KswzuG3Ue2cxQjz5AAt3KzpMatR3L32uO3cdvfxsyv7ZUS-oPvPBDafb7-y_ulOyNQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Requesting merge to M-51:
- Landed since 52.0.2723.0, verified by clusterfuzz (Comment #5).
- Crashing bug (null pointer dereference).

Your change meets the bar and is auto-approved for M51 (branch: 2704)

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4bb31bcd811ff8a7a625f9505cc340d6d4b29bbe

commit 4bb31bcd811ff8a7a625f9505cc340d6d4b29bbe
Author: Hiroshige Hayashizaki <hiroshige@chromium.org>
Date: Fri May 06 05:37:44 2016

DocumentThreadableLoader: Add guards for sync notifyFinished() in setResource()

In loadRequest(), setResource() can call clear() synchronously:
  DocumentThreadableLoader::clear()
  DocumentThreadableLoader::handleError()
  Resource::didAddClient()
  RawResource::didAddClient()
and thus |m_client| can be null while resource() isn't null after setResource(),
causing crashes ( Issue 595964 ).

This CL checks whether |*this| is destructed and
whether |m_client| is null after setResource().

BUG= 595964 

Review-Url: https://codereview.chromium.org/1902683002
Cr-Commit-Position: refs/heads/master@{#391001}
(cherry picked from commit 2571533bbb5b554ff47205c8ef1513ccc0817c3e)

Review URL: https://codereview.chromium.org/1954833003 .

Cr-Commit-Position: refs/branch-heads/2704@{#410}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[modify] https://crrev.com/4bb31bcd811ff8a7a625f9505cc340d6d4b29bbe/third_party/WebKit/Source/core/loader/DocumentThreadableLoader.cpp

Although M-50 tag is added, I don't think we have to merge this to stable:
- This is always null pointer dereference and always crashing immediately.
- The number of crash reports are quite small: there are <40 crash reports with the query on all M-50 versions:
    custom_data.ChromeCrashProto.magic_signature_1.name='blink::DocumentThreadableLoader::loadRequest'
  and most of them are not related to this issue.

Closed as fixed.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot