Crash in v8::internal::GlobalHandles::MakeWeak
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6478617598230528

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  v8::V8::MakeWeak
  blink::ScriptWrappable::setWrapper

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_chrome_v8_arm&range=428077:428329

Minimized Testcase (3.31 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94H5RKz66jf3J-ebNLdfFU9yLuzlkXuqRJKURz05-O65bI5K_pI-A6J-YGs8oKnpp2mVAtBZzcVytLigT_PYiyjM8AOYQjz3YB-UR356SXldqdaXL6AtLFWcZTRFR-zQ6F-XfTG2Pv73r_L2h4zD5f1zCnLSQ?testcase_id=6478617598230528

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jan 4 2017
Reproduces on ASAN x64 build with the smaller repro (attached) because this assert fails: https://cs.chromium.org/chromium/src/third_party/WebKit/Source/bindings/core/v8/ScriptWrappable.cpp?rcl=0&l=30

Call stack:
#0 base::debug::(anonymous namespace)::DebugBreak() () at ../../base/debug/debugger_posix.cc:232
#1 0x00007fffeae69e48 in base::debug::BreakDebugger() () at ../../base/debug/debugger_posix.cc:251
#2 0x00007fffeafc2f34 in ~LogMessage () at ../../base/logging.cc:748
#3 0x00007fffcb4b6025 in wrap () at ../../third_party/WebKit/Source/bindings/core/v8/ScriptWrappable.cpp:30
#4 0x00007fffcb2e4135 in toV8 () at ../../third_party/WebKit/Source/bindings/core/v8/ToV8.h:41
#5 0x00007fffcb54d799 in loadExceptionFromErrorEventWrapper () at ../../third_party/WebKit/Source/bindings/core/v8/V8ErrorHandler.cpp:122
#6 0x00007fffcd9e4058 in exceptionThrown () at ../../third_party/WebKit/Source/core/inspector/MainThreadDebugger.cpp:199
#7 0x00007fffcc1c63f4 in blink::Document::exceptionThrown(blink::ErrorEvent*) () at ../../third_party/WebKit/Source/core/dom/Document.cpp:3157
#8 0x00007fffcc37fae0 in blink::ExecutionContext::dispatchErrorEvent(blink::ErrorEvent*, blink::AccessControlStatus) () at ../../third_party/WebKit/Source/core/dom/ExecutionContext.cpp:136
#9 0x00007fffcb58e2ee in fireErrorEvent () at ../../third_party/WebKit/Source/bindings/core/v8/V8LazyEventListener.cpp:249
#10 0x00007fffcb58ca14 in compileScript () at ../../third_party/WebKit/Source/bindings/core/v8/V8LazyEventListener.cpp:202
#11 0x00007fffcb58a402 in getListenerObjectInternal () at ../../third_party/WebKit/Source/bindings/core/v8/V8LazyEventListener.cpp:155
#12 0x00007fffcb41fbde in blink::V8AbstractEventListener::getListenerObject(blink::ExecutionContext*) () at ../../third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.h:91
#13 0x00007fffcb58918f in callListenerFunction () at ../../third_party/WebKit/Source/bindings/core/v8/V8LazyEventListener.cpp:88
#14 0x00007fffcb50366f in invokeEventHandler () at ../../third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:140
#15 0x00007fffcb502b41 in handleEvent () at ../../third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:98
#16 0x00007fffcb50239c in handleEvent () at ../../third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp:86
#17 0x00007fffcca6f018 in fireEventListeners () at ../../third_party/WebKit/Source/core/events/EventTarget.cpp:706
#18 0x00007fffcca6d38a in blink::EventTarget::fireEventListeners(blink::Event*) () at ../../third_party/WebKit/Source/core/events/EventTarget.cpp:570
#19 0x00007fffcc489547 in blink::Node::handleLocalEvents(blink::Event&) () at ../../third_party/WebKit/Source/core/dom/Node.cpp:2070
#20 0x00007fffcca9f5de in blink::NodeEventContext::handleLocalEvents(blink::Event&) const () at ../../third_party/WebKit/Source/core/events/NodeEventContext.cpp:60
#21 0x00007fffcca2acd2 in blink::EventDispatcher::dispatchEventAtTarget() () at ../../third_party/WebKit/Source/core/events/EventDispatcher.cpp:206
#22 0x00007fffcca286db in dispatch () at ../../third_party/WebKit/Source/core/events/EventDispatcher.cpp:155
#23 0x00007fffcca25c0b in blink::EventDispatchMediator::dispatchEvent(blink::EventDispatcher&) const () at ../../third_party/WebKit/Source/core/events/EventDispatchMediator.cpp:51
#24 0x00007fffcca26841 in blink::EventDispatcher::dispatchEvent(blink::Node&, blink::EventDispatchMediator*) () at ../../third_party/WebKit/Source/core/events/EventDispatcher.cpp:59
#25 0x00007fffccabecc5 in blink::ScopedEventQueue::dispatchEvent(blink::EventDispatchMediator*) const () at ../../third_party/WebKit/Source/core/events/ScopedEventQueue.cpp:76
#26 0x00007fffccabea01 in blink::ScopedEventQueue::enqueueEventDispatchMediator(blink::EventDispatchMediator*) () at ../../third_party/WebKit/Source/core/events/ScopedEventQueue.cpp:62
#27 0x00007fffcca27083 in blink::EventDispatcher::dispatchScopedEvent(blink::Node&, blink::EventDispatchMediator*) () at ../../third_party/WebKit/Source/core/events/EventDispatcher.cpp:75
#28 0x00007fffcc4895ec in blink::Node::dispatchScopedEvent(blink::Event*) () at ../../third_party/WebKit/Source/core/dom/Node.cpp:2075
#29 0x00007fffccfb1bf3 in blink::HTMLFrameOwnerElement::dispatchLoad() () at ../../third_party/WebKit/Source/core/html/HTMLFrameOwnerElement.cpp:225
#30 0x00007fffccd50ff1 in dispatchLoadEvent () at ../../third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:1407
#31 0x00007fffccd509f8 in dispatchWindowLoadEvent () at ../../third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:388
#32 0x00007fffccd51505 in blink::LocalDOMWindow::documentWasClosed() () at ../../third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp:392
#33 0x00007fffcc1c218d in blink::Document::implicitClose() () at ../../third_party/WebKit/Source/core/dom/Document.cpp:2836
Jan 4 2017
Reproduces on normal debug build as follows: out/debug/content_shell --single-process --js-flags="--predictable --verify-heap --stack-size=100" fuzz-25.html
Jan 4 2017
The assert at https://cs.chromium.org/chromium/src/third_party/WebKit/Source/bindings/core/v8/ScriptWrappable.cpp?rcl=0&l=30 failed because https://cs.chromium.org/chromium/src/third_party/WebKit/Source/bindings/core/v8/V8PerContextData.cpp?rcl=0&l=116 failed and returned an empty handle. According to the comment above, this is expected when we are out of stack space (that's what happens in the test).

Here's the stack trace at the moment when this happens:
#0 blink::V8PerContextData::constructorForTypeSlowCase (this=0x1860c6c74490, type=0x7fffeb87d0e0 <blink::V8ErrorEvent::wrapperTypeInfo>) at ../../third_party/WebKit/Source/bindings/core/v8/V8PerContextData.cpp:117
#1 0x00007fffe8b5298f in blink::V8PerContextData::constructorForType (this=0x1860c6c74490, type=0x7fffeb87d0e0 <blink::V8ErrorEvent::wrapperTypeInfo>) at ../../third_party/WebKit/Source/bindings/core/v8/V8PerContextData.h:84
#2 0x00007fffe8bee7b2 in blink::V8PerContextData::createWrapperFromCacheSlowCase (this=0x1860c6c74490, type=0x7fffeb87d0e0 <blink::V8ErrorEvent::wrapperTypeInfo>) at ../../third_party/WebKit/Source/bindings/core/v8/V8PerContextData.cpp:92
#3 0x00007fffe8bd250f in blink::V8PerContextData::createWrapperFromCache (this=0x1860c6c74490, type=0x7fffeb87d0e0 <blink::V8ErrorEvent::wrapperTypeInfo>) at ../../third_party/WebKit/Source/bindings/core/v8/V8PerContextData.h:78
#4 0x00007fffe8bd1592 in blink::V8DOMWrapper::createWrapper (isolate=0x1e9036012020, creationContext=..., type=0x7fffeb87d0e0 <blink::V8ErrorEvent::wrapperTypeInfo>) at ../../third_party/WebKit/Source/bindings/core/v8/V8DOMWrapper.cpp:61
#5 0x00007fffe8ba44b8 in blink::ScriptWrappable::wrap (this=0x398d75503e8, isolate=0x1e9036012020, creationContext=...) at ../../third_party/WebKit/Source/bindings/core/v8/ScriptWrappable.cpp:29
#6 0x00007fffe8b1029c in blink::toV8 (impl=0x398d75503e8, creationContext=..., isolate=0x1e9036012020) at ../../third_party/WebKit/Source/bindings/core/v8/ToV8.h:41
#7 0x00007fffe8bd391b in blink::V8ErrorHandler::loadExceptionFromErrorEventWrapper (scriptState=0x1860c6d1cc08, event=0x398d75503e8, creationContext=...) at ../../third_party/WebKit/Source/bindings/core/v8/V8ErrorHandler.cpp:122
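The failure mode described in the comment above (a wrapper factory that legitimately returns an empty handle when the stack is exhausted, and a caller that asserts it never does) reduced to a small stand-alone model. This is an added illustration, not Blink or V8 code: `std::optional` stands in for a `v8::Local` that may be empty, `StackBudget` stands in for the native stack that `--stack-size` limits in the repro, and the function names, counts and the `Tally`/`Outcome` types are all constructed for the example.

```cpp
#include <optional>
#include <string>

// Added illustration only (not Blink or V8 code). In the thread above,
// V8PerContextData::constructorForTypeSlowCase returns an empty handle when
// the JS stack is exhausted, and ScriptWrappable::wrap asserted that the
// wrapper it got back was non-empty. std::optional stands in for a v8::Local
// that may be empty; StackBudget stands in for the real native stack.

struct Wrapper { std::string type; };

struct StackBudget {
    int framesLeft;  // constructed value; --stack-size in the repro plays this role
};

// Slow path that needs stack to run script: returns an empty handle when
// there is none left, which is the "expected when out of stack space" case.
std::optional<Wrapper> constructorForTypeSlowCase(StackBudget& stack, const std::string& type) {
    if (stack.framesLeft <= 0) return std::nullopt;
    --stack.framesLeft;
    return Wrapper{type};
}

enum class Outcome { Wrapped, Dropped, AssertFailed };

// Pattern from the crash: treat an empty result as impossible. A real DCHECK
// would abort the process; here the failure is reported as a value so a test
// can observe it.
Outcome wrapAsserting(StackBudget& stack, const std::string& type) {
    std::optional<Wrapper> w = constructorForTypeSlowCase(stack, type);
    if (!w) return Outcome::AssertFailed;  // DCHECK(!wrapper.IsEmpty()) fires here
    return Outcome::Wrapped;
}

// Hardened pattern: an empty handle is a legitimate outcome, so the caller
// (loadExceptionFromErrorEventWrapper in the trace) gets a chance to bail out
// instead of dereferencing an empty handle.
Outcome wrapChecked(StackBudget& stack, const std::string& type) {
    std::optional<Wrapper> w = constructorForTypeSlowCase(stack, type);
    if (!w) return Outcome::Dropped;  // out of stack: skip wrapping this event
    return Outcome::Wrapped;
}

struct Tally { int wrapped = 0; int dropped = 0; int asserted = 0; };

// Drive a cascade of error events against a fixed stack budget and count how
// each wrapping attempt ends. With `checked == false` the first empty handle
// is fatal (the loop stops where the process would have aborted).
Tally dispatchErrorEvents(int events, int stackFrames, bool checked) {
    StackBudget stack{stackFrames};
    Tally t;
    for (int i = 0; i < events; ++i) {
        Outcome o = checked ? wrapChecked(stack, "ErrorEvent")
                            : wrapAsserting(stack, "ErrorEvent");
        if (o == Outcome::Wrapped) {
            ++t.wrapped;
        } else if (o == Outcome::Dropped) {
            ++t.dropped;
        } else {
            ++t.asserted;
            break;  // process would have aborted here
        }
    }
    return t;
}
```

Running five events against a budget of three frames, the asserting variant wraps three and then dies on the fourth, while the checked variant wraps three and drops two; the event loop keeps running either way in this model, which is exactly the difference between a DCHECK crash and a degraded but live renderer.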
Mar 9 2017
ClusterFuzz has detected this issue as fixed in range 455091:455392.

Detailed report: https://clusterfuzz.com/testcase?key=6478617598230528

Fuzzer: inferno_twister
Job Type: linux_asan_chrome_v8_arm
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  v8::internal::GlobalHandles::MakeWeak
  v8::V8::MakeWeak
  blink::ScriptWrappable::setWrapper

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=428077:428329
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_v8_arm&range=455091:455392

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94H5RKz66jf3J-ebNLdfFU9yLuzlkXuqRJKURz05-O65bI5K_pI-A6J-YGs8oKnpp2mVAtBZzcVytLigT_PYiyjM8AOYQjz3YB-UR356SXldqdaXL6AtLFWcZTRFR-zQ6F-XfTG2Pv73r_L2h4zD5f1zCnLSQ?testcase_id=6478617598230528

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 9 2017
ClusterFuzz testcase 6478617598230528 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Jan 3 2017
Components: Blink>JavaScript
Labels: Test-Predator-Wrong-CLs
Status: Available (was: Untriaged)