Argh. The zero-size buffer attached to vertex attribute 0, which should theoretically be being ignored since it isn't consumed by the program, seems to be being dereferenced by the driver.

Thanks for taking this kainino@. I'm not sure whether we just need to disable vertex attribute 0 if it's unconsumed (on the Core Profile or ES drivers -- not compatibility profile -- there it has to be present and cover the draw call via simulation), or whether we need to do the same for all enabled but unconsumed vertex attribute pointers. Please investigate. Thanks.

Confirmed doesn't seem to crash if using vertex attribute 1 instead of 0.

Bisected this issue just as a sanity check. The bisect result was:
https://chromium.googlesource.com/chromium/src/+log/e8b7133f781db0fe40ba704b9655d16ba3c2be7e..f706bdbb998d22ed558096def2126cf965c5dfb8
which certainly narrows it down to the change to enable Core Profile on Mac:
https://chromium.googlesource.com/chromium/src/+/1eb4627c819627991316dc07225cb76d7f3b7e35

Forgot to mark as started.

This is a concrete special case of  issue 740278 . Merging.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f98b98ade43dcf76219832e6cf929c3bb0d95a6

commit 1f98b98ade43dcf76219832e6cf929c3bb0d95a6
Author: Kai Ninomiya <kainino@chromium.org>
Date: Tue Aug 29 16:49:49 2017

Disable attributes which are enabled, but unconsumed by the program

This is take 3 of the patch at http://crrev.com/c/627481

Bug:  756293 ,  740278 
Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: Ib6bdd7c3b04d91d41dd41dea63a07e782cc7e5cb
Reviewed-on: https://chromium-review.googlesource.com/636513
Commit-Queue: Kai Ninomiya <kainino@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#498141}
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/build_gles2_cmd_buffer.py
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/context_state.cc
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/gles2_cmd_decoder.cc
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/gles2_cmd_decoder_unittest_1_autogen.h
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/gles2_cmd_decoder_unittest_attribs.cc
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/gles2_cmd_decoder_unittest_base.cc
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/gles2_cmd_decoder_unittest_base.h
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/vertex_attrib_manager.cc
[modify] https://crrev.com/1f98b98ade43dcf76219832e6cf929c3bb0d95a6/gpu/command_buffer/service/vertex_attrib_manager.h

ClusterFuzz has detected this issue as fixed in range 498140:498349.

Detailed report: https://clusterfuzz.com/testcase?key=5471760211509248

Fuzzer: mbarbella_webgl
Job Type: mac_asan_chrome
Platform Id: mac

Crash Type: Null-dereference READ
Crash Address: 0x000000000000
Crash State:
  gleRunVertexSubmitImmediate
  glDrawArrays_GL3Exec
  gpu::gles2::GLES2DecoderImpl::DoDrawArrays
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=415049:415582
Fixed: https://clusterfuzz.com/revisions?job=mac_asan_chrome&range=498140:498349

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5471760211509248

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/37f0b5bfd017a546822e698587cab533cce7d007

commit 37f0b5bfd017a546822e698587cab533cce7d007
Author: Kenneth Russell <kbr@chromium.org>
Date: Sun Sep 17 10:06:40 2017

Roll WebGL 559e304..365cb1e

https://chromium.googlesource.com/external/khronosgroup/webgl.git/+log/559e304..365cb1e

BUG= 756293 ,  765729 ,  765953 ,  angleproject:2140 ,  angleproject:2141 ,  angleproject:2142 
TBR=zmo@chromium.org, kainino@chromium.org
TEST=bots

CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Cq-Include-Trybots: master.tryserver.chromium.android:android_optional_gpu_tests_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel
Change-Id: I0b68ded8bb565c9786269612038f3b903eb02041
Reviewed-on: https://chromium-review.googlesource.com/669724
Commit-Queue: Kai Ninomiya <kainino@chromium.org>
Reviewed-by: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#502524}
[modify] https://crrev.com/37f0b5bfd017a546822e698587cab533cce7d007/DEPS
[modify] https://crrev.com/37f0b5bfd017a546822e698587cab533cce7d007/content/test/gpu/gpu_tests/webgl2_conformance_expectations.py
[modify] https://crrev.com/37f0b5bfd017a546822e698587cab533cce7d007/content/test/gpu/gpu_tests/webgl_conformance_expectations.py
[modify] https://crrev.com/37f0b5bfd017a546822e698587cab533cce7d007/content/test/gpu/gpu_tests/webgl_conformance_revision.txt