Crash in blink::ScriptModule::ResolveModuleCallback
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6436563883130880
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  blink::ScriptModule::ResolveModuleCallback
  v8::internal::Module::PrepareInstantiate
  v8::internal::Module::Instantiate
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=468049:468103
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6436563883130880

Issue filed automatically.

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 2 2017
kouhei@, could you take a look? Feel free to assign back to me if you want and this is not known to you.
May 4 2017
May 4 2017
May 5 2017
This can be reproduced on a regular (non-asan) build when using --single-process.
May 5 2017
The crash seems to be related to inline module scripts. If I move the inline code into its own file and use a <script type=module src=...> to load that, I don't get the crash.
May 10 2017
May 12 2017
May 16 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40

commit 87dc11bdb4e1cf4ba674f3907fa1127f8839ad40
Author: kouhei <kouhei@chromium.org>
Date: Tue May 16 23:28:20 2017

[ES6 modules] ModuleTreeLinker::Instantiate shouldn't proceed on invalid context

Before this CL, ModuleTreeLinker::Instantiate assumed that it is only called for a modulator with a valid context. However, asynchronous module graph node load completion may be triggered after the context was destroyed.

This CL fixes the issue by making ModuleTreeLinker::Instantiate fail without crashing if the context is invalid.

BUG=594639, 716935
Review-Url: https://codereview.chromium.org/2886593002
Cr-Commit-Position: refs/heads/master@{#472246}

[add] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/LayoutTests/http/tests/dom/script-module-load-incomplete-no-crash-expected.txt
[add] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/LayoutTests/http/tests/dom/script-module-load-incomplete-no-crash.html
[modify] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/Source/core/dom/Modulator.h
[modify] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/Source/core/dom/ModulatorImpl.cpp
[modify] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/Source/core/dom/ModulatorImpl.h
[modify] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/Source/core/loader/modulescript/ModuleTreeLinker.cpp
[modify] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/Source/core/testing/DummyModulator.cpp
[modify] https://crrev.com/87dc11bdb4e1cf4ba674f3907fa1127f8839ad40/third_party/WebKit/Source/core/testing/DummyModulator.h
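As an added illustration (not Blink's code and not part of the commit above), the simplified C++ model below reproduces the ordering the commit message describes: a module-graph load completion is queued, the document's context is torn down, and the completion then runs. The names ExecutionContext, Modulator, ModuleTreeLinker and HasValidContext are borrowed for readability; the classes, the task queue and the validity check are stand-ins, assumed here, not Blink's real implementation.

```cpp
#include <deque>
#include <functional>

// Stand-in for Blink's ExecutionContext (constructed for this illustration).
struct ExecutionContext {
  int instantiated_graphs = 0;  // state that Instantiate needs to touch
};

// Stand-in for Blink's Modulator: holds a non-owning context pointer that
// becomes null once the owning document is destroyed.
struct Modulator {
  ExecutionContext* context = nullptr;
  bool HasValidContext() const { return context != nullptr; }
};

enum class LinkResult { kPending, kInstantiated, kFailedInvalidContext };

// Models ModuleTreeLinker: the module graph is fetched asynchronously, so
// Instantiate runs from a completion callback, possibly long after the
// document that started the load is gone.
class ModuleTreeLinker {
 public:
  explicit ModuleTreeLinker(Modulator* modulator) : modulator_(modulator) {}
  void OnModuleGraphLoaded() { result_ = Instantiate(); }
  LinkResult result() const { return result_; }

 private:
  LinkResult Instantiate() {
    // The fix described in the commit: fail without touching a dead context.
    if (!modulator_->HasValidContext())
      return LinkResult::kFailedInvalidContext;
    modulator_->context->instantiated_graphs++;  // safe only past the check
    return LinkResult::kInstantiated;
  }
  Modulator* modulator_;
  LinkResult result_ = LinkResult::kPending;
};

// Drives one load: queue the completion, optionally tear down the context
// before it runs, then drain the queue as an event loop would.
LinkResult SimulateLoad(bool destroy_context_before_completion) {
  ExecutionContext context;
  Modulator modulator;
  modulator.context = &context;
  ModuleTreeLinker linker(&modulator);
  std::deque<std::function<void()>> task_queue;
  task_queue.push_back([&linker] { linker.OnModuleGraphLoaded(); });
  if (destroy_context_before_completion)
    modulator.context = nullptr;  // document gone; completion still queued
  while (!task_queue.empty()) {
    task_queue.front()();
    task_queue.pop_front();
  }
  return linker.result();
}
```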
May 17 2017
ClusterFuzz has detected this issue as fixed in range 472186:472211.

Detailed report: https://clusterfuzz.com/testcase?key=6436563883130880
Fuzzer: inferno_layout_test_unmodified
Job Type: mac_asan_content_shell
Platform Id: mac
Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  blink::ScriptModule::ResolveModuleCallback
  v8::internal::Module::PrepareInstantiate
  v8::internal::Module::Instantiate
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=468049:468103
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_content_shell&range=472186:472211
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6436563883130880

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 17 2017
ClusterFuzz testcase 6436563883130880 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by patricia...@chromium.org, May 2 2017
Components: Blink>JavaScript