Crash in blink::V8AbstractEventListener::BelongsToTheCurrentWorld
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5573787967029248
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::V8AbstractEventListener::BelongsToTheCurrentWorld
  blink::EventTarget::GetAttributeEventListener
  blink::EventTarget::ClearAttributeEventListener
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=435133:435159
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5573787967029248

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 27 2017
Not a V8 issue.
Apr 27 2017
The ExecutionContext is null. dominicc@ when do we expect to see a null execution context on a Node? Shouldn't it always have an associated document?
Apr 28 2017
This looks like an interesting crash. Nodes should have owner documents, but this has adoption which changes documents. Is this flaky or can you simply bisect the regression range?
Apr 28 2017
It is certainly reproducible and I can debug it... I just am not certain where to look. If you download the test case it fails in 58 as well. I can try a bisect tomorrow if you think it will help.
Apr 28 2017
Ah, so CF's regression range is wrong. I bisected it to this: https://chromium.googlesource.com/chromium/src/+/05c2d71f2c3cab4c40c3d775b304d0bbfbd166bd sigbjornf, PTAL.
Apr 28 2017
Here's a repro.
Apr 29 2017
Thanks very much dominicc@, a pinpoint bisect _and_ a repro testcase :) We need to adjust where this probing for being in a document parsing state happens, so as to handle the frame-detached case better, I think.
May 1 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/3c689934871ad2f934d37938b67e7a3fb2b65987

commit 3c689934871ad2f934d37938b67e7a3fb2b65987
Author: sigbjornf <sigbjornf@opera.com>
Date: Mon May 01 05:55:04 2017

Fix detached event listener attribute updating.

The parser will in some cases create new elements in documents that have become frame-detached. Account for that -- no execution context due to the document having become detached -- when processing the event listeners of an event attribute.

R=haraken
BUG=714353

Review-Url: https://codereview.chromium.org/2855443002
Cr-Commit-Position: refs/heads/master@{#468294}

[add] https://crrev.com/3c689934871ad2f934d37938b67e7a3fb2b65987/third_party/WebKit/LayoutTests/fast/events/event-listener-detached.html
[modify] https://crrev.com/3c689934871ad2f934d37938b67e7a3fb2b65987/third_party/WebKit/Source/bindings/core/v8/V8AbstractEventListener.cpp
May 1 2017
ClusterFuzz has detected this issue as fixed in range 468288:468304.

Detailed report: https://clusterfuzz.com/testcase?key=5573787967029248
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_asan_chrome
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x00000000
Crash State:
  blink::V8AbstractEventListener::BelongsToTheCurrentWorld
  blink::EventTarget::GetAttributeEventListener
  blink::EventTarget::ClearAttributeEventListener
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=435133:435159
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=468288:468304
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5573787967029248

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by mummare...@chromium.org, Apr 24 2017
Labels: Test-Predator-Wrong M-58