Null-dereference in content::ServiceWorkerProviderContext::CreateWorkerClientRequest

Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6415381840527360
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Null-dereference
Crash Address: 0x0000002b
Crash State:
  content::ServiceWorkerProviderContext::CreateWorkerClientRequest
  content::RenderFrameImpl::CreateWorkerFetchContext
  blink::ThreadedMessagingProxyBase::ThreadedMessagingProxyBase
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=497357:497373
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6415381840527360
Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Aug 28 2017

Aug 28 2017
According to the crash/6e2d337af6f6e52b, it is crashing because the ServiceWorkerProviderContext is null.
Aug 28 2017
Ah, is the ServiceWorkerProviderContext null in sandboxed iframes? Investigating...
Aug 28 2017

Aug 28 2017
The ServiceWorkerProviderContext is null in sandboxed iframes:
https://chromium.googlesource.com/chromium/src/+/3ad7ae1fa15072d13d29d0e1adc7600e572500b5/content/child/service_worker/service_worker_network_provider.cc#165
So we have to check the existence.
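The existence check the comment above calls for, as an added example that is not Chromium's code: the class and function names mirror the ones in this thread but are stand-ins, and it assumes (this is an assumption about the fix, not something the thread states) that a worker in a sandboxed iframe still gets a fetch context, just without a service worker client request.

```cpp
// Added example, not Chromium code: stand-ins for the classes named in this
// thread, showing the unchecked call beside the existence check.
#include <memory>
#include <string>
// Stand-in for the mojo request object handed to the worker.
struct WorkerClientRequest { std::string bound_to; };
// Stand-in for content::ServiceWorkerProviderContext.
class ServiceWorkerProviderContext {
 public:
  explicit ServiceWorkerProviderContext(int id) : provider_id_(id) {}
  // Reads a member of |this|: on a null pointer that is a read at a small
  // address, which is what a crash address like 0x0000002b indicates.
  WorkerClientRequest CreateWorkerClientRequest() {
    return {"provider-" + std::to_string(provider_id_)};
  }
 private:
  int provider_id_;
};
// Stand-in for the frame's network provider. Per the thread, a sandboxed
// iframe has no provider context, so context() returns nullptr there.
struct ServiceWorkerNetworkProvider {
  bool sandboxed;
  std::unique_ptr<ServiceWorkerProviderContext> ctx;
  ServiceWorkerProviderContext* context() { return sandboxed ? nullptr : ctx.get(); }
};
// Stand-in for WorkerFetchContextImpl; that the request may be absent is an
// assumption about the fix, not something the thread states.
struct WorkerFetchContext { std::unique_ptr<WorkerClientRequest> client_request; };

// Before the fix: calls through context() unconditionally. Kept only for
// contrast and never called, since a sandboxed provider makes it a null deref.
std::unique_ptr<WorkerFetchContext> CreateWorkerFetchContextUnchecked(
    ServiceWorkerNetworkProvider& p) {
  auto fc = std::make_unique<WorkerFetchContext>();
  fc->client_request = std::make_unique<WorkerClientRequest>(
      p.context()->CreateWorkerClientRequest());
  return fc;
}

// After the fix: check the existence of the provider context first; the
// worker still gets a fetch context, just without a client request.
std::unique_ptr<WorkerFetchContext> CreateWorkerFetchContext(
    ServiceWorkerNetworkProvider& p) {
  auto fc = std::make_unique<WorkerFetchContext>();
  if (ServiceWorkerProviderContext* swpc = p.context())
    fc->client_request = std::make_unique<WorkerClientRequest>(
        swpc->CreateWorkerClientRequest());
  return fc;
}
```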
Aug 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/aa9c45f113d12b207597e909e679279ea8ede5e6

commit aa9c45f113d12b207597e909e679279ea8ede5e6
Author: Tsuyoshi Horo <horo@chromium.org>
Date: Mon Aug 28 07:38:09 2017

Check the existence of ServiceWorkerProviderContext

And add Service Worker fetch tests for fetching from worker in sandboxed iframes.

Bug: 759200, 756571
Change-Id: Id0d74a469bb1afc8ac26439aa5968fda670a6daf
Reviewed-on: https://chromium-review.googlesource.com/637059
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Tsuyoshi Horo <horo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497705}

[modify] https://crrev.com/aa9c45f113d12b207597e909e679279ea8ede5e6/content/renderer/render_frame_impl.cc
[modify] https://crrev.com/aa9c45f113d12b207597e909e679279ea8ede5e6/content/renderer/service_worker/worker_fetch_context_impl.cc
[modify] https://crrev.com/aa9c45f113d12b207597e909e679279ea8ede5e6/content/renderer/service_worker/worker_fetch_context_impl.h
[modify] https://crrev.com/aa9c45f113d12b207597e909e679279ea8ede5e6/third_party/WebKit/LayoutTests/http/tests/serviceworker/chromium/resources/sandboxed-iframe-fetch-event-iframe.html
[modify] https://crrev.com/aa9c45f113d12b207597e909e679279ea8ede5e6/third_party/WebKit/LayoutTests/http/tests/serviceworker/chromium/sandboxed-iframe-fetch-event.html
Aug 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/141bc3819f90b2b4e5421e05a781dbc2145e855f

commit 141bc3819f90b2b4e5421e05a781dbc2145e855f
Author: Tsuyoshi Horo <horo@chromium.org>
Date: Mon Aug 28 11:06:46 2017

Revise comment in RenderFrameImpl::CreateWorkerFetchContext()

Bug: 759200, 756571
Change-Id: I15e4e036a9bcb2cb36a131eb6b8196a4d091f1e0
Reviewed-on: https://chromium-review.googlesource.com/636727
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Tsuyoshi Horo <horo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#497732}

[modify] https://crrev.com/141bc3819f90b2b4e5421e05a781dbc2145e855f/content/renderer/render_frame_impl.cc
Aug 28 2017
Just to update, this crash behavior was recently seen on Mac OS.

Mac OS instances
  Version      Share    Count
  62.0.3198.0   6.45%       2
  62.0.3197.0  93.55%      29

Windows OS instances
  Version      Share    Count
  62.0.3197.3   5.26%       1
  62.0.3197.2  10.53%       2
  62.0.3197.1  26.32%       5
  62.0.3197.0  52.63%      10

Since the fix recently landed, will verify the fix in tomorrow's canary and update with the latest behavior.
Aug 29 2017
ClusterFuzz has detected this issue as fixed in range 497700:497708.

Detailed report: https://clusterfuzz.com/testcase?key=6415381840527360
Fuzzer: inferno_layout_test_unmodified
Job Type: windows_syzyasan_chrome
Platform Id: windows
Crash Type: Null-dereference
Crash Address: 0x0000002b
Crash State:
  content::ServiceWorkerProviderContext::CreateWorkerClientRequest
  content::RenderFrameImpl::CreateWorkerFetchContext
  blink::ThreadedMessagingProxyBase::ThreadedMessagingProxyBase
Memory Tool: SYZYASAN
Regressed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=497357:497373
Fixed: https://clusterfuzz.com/revisions?job=windows_syzyasan_chrome&range=497700:497708
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6415381840527360
See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 29 2017
ClusterFuzz testcase 6415381840527360 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by falken@chromium.org, Aug 28 2017
Labels: -OS-Windows M-62 OS-All
Owner: horo@chromium.org