Null-dereference READ in blink::TaskRunnerHelper::Get
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6090201880592384

Fuzzer: inferno_webbot
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::TaskRunnerHelper::Get
  blink::FontFace::GetTaskRunner
  blink::FontFace::SetLoadStatus

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=500415:500470

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6090201880592384

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Sep 8 2017
Sep 11 2017
Reproduced locally on Linux:

$ ./out/Release/chrome --disable-popup-blocking file:///path/to/clusterfuzz-testcase-minimized-6090201880592384.HTM

(Flaky, one crash per 3~4 runs?) Without --disable-popup-blocking, I didn't observe the crash (in ~10 runs).
Sep 12 2017
Looks like FontFace::SetLoadStatus() needs a null check for ExecutionContext.
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/fb8a2de8d8190bacdaf53689c7762c9491f654ee

commit fb8a2de8d8190bacdaf53689c7762c9491f654ee
Author: Nate Chapin <japhet@chromium.org>
Date: Tue Sep 12 20:31:46 2017

Ensure all non-keepalive request really are stopped in ResourceFetcher::ClearContext

Cancelling a font load can start a new fallback load inside ResourceFetcher::StopFetching. This is a problem if StopFetching() is called due to the ResourceFetcher detaching, and leaves a semi-detached resource load in progress.

Bug: 763040, 763387
Test: http/tests/webfont/multiple-font-src-detach.html
Change-Id: If366431abc4752b61d760d10687fd4a81d78ebc1
Reviewed-on: https://chromium-review.googlesource.com/663880
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Nate Chapin <japhet@chromium.org>
Cr-Commit-Position: refs/heads/master@{#501382}

[add] https://crrev.com/fb8a2de8d8190bacdaf53689c7762c9491f654ee/third_party/WebKit/LayoutTests/http/tests/webfont/multiple-font-src-detach-expected.txt
[add] https://crrev.com/fb8a2de8d8190bacdaf53689c7762c9491f654ee/third_party/WebKit/LayoutTests/http/tests/webfont/multiple-font-src-detach.html
[modify] https://crrev.com/fb8a2de8d8190bacdaf53689c7762c9491f654ee/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp
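The sequence the commit message describes, as an added C++ model that is not Chromium's code and not the linked revision's diff: a fetcher cancels its loads on detach, a font client reacts to the cancellation by starting a fallback load for its next src entry, and that fallback load outlives the fetcher's context. Everything in it is an assumption made for the model: the names ResourceLoader, Fetcher, FontFace, StopFetchingOnce, StopFetchingUntilQuiescent and RunScenario, the two-entry src list, and in particular the "cancel until nothing is left" loop, which is one way to realise "ensure all non-keepalive requests really are stopped" and is not necessarily how ResourceFetcher.cpp was changed, since the page does not show the diff.

```cpp
// Added model (not Chromium code) of the failure in the commit message above:
// cancelling a font load during StopFetching starts a fallback load that survives
// the fetcher's detachment and later reads the (now null) ExecutionContext.
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct ExecutionContext {};

// One in-flight load. Cancel() runs the client's cancel hook once; Finish()
// runs the completion hook only if the load was never cancelled.
class ResourceLoader {
 public:
  ResourceLoader(std::function<void()> on_cancel, std::function<void()> on_finish)
      : on_cancel_(std::move(on_cancel)), on_finish_(std::move(on_finish)) {}
  void Cancel() { if (cancelled_) return; cancelled_ = true; on_cancel_(); }
  void Finish() { if (!cancelled_) on_finish_(); }
 private:
  bool cancelled_ = false;
  std::function<void()> on_cancel_, on_finish_;
};

// Stand-in for ResourceFetcher: owns the loaders plus a raw pointer to its context.
class Fetcher {
 public:
  explicit Fetcher(ExecutionContext* context) : context_(context) {}
  ExecutionContext* Context() const { return context_; }
  std::size_t ActiveLoads() const { return loaders_.size(); }
  void StartLoad(std::function<void()> on_cancel, std::function<void()> on_finish) {
    loaders_.push_back(std::make_shared<ResourceLoader>(std::move(on_cancel),
                                                        std::move(on_finish)));
  }
  // Buggy shape: cancel one snapshot of the loader list. A load started from a
  // cancel hook lands in loaders_ after the snapshot was taken and is never stopped.
  void StopFetchingOnce() {
    std::vector<std::shared_ptr<ResourceLoader>> snapshot;
    snapshot.swap(loaders_);
    for (auto& loader : snapshot) loader->Cancel();
  }
  // Modelled fix (an assumption; the page does not show the diff): keep cancelling
  // until nothing is left, so loads started during cancellation are stopped too.
  void StopFetchingUntilQuiescent() { while (!loaders_.empty()) StopFetchingOnce(); }
  // Detach: stop the loads, then drop the context.
  void ClearContext(bool use_fix) {
    if (use_fix) StopFetchingUntilQuiescent(); else StopFetchingOnce();
    context_ = nullptr;
  }
  // Simulate the network finishing whatever is still in flight.
  void FinishPendingLoads() {
    std::vector<std::shared_ptr<ResourceLoader>> pending;
    pending.swap(loaders_);
    for (auto& loader : pending) loader->Finish();
  }
 private:
  ExecutionContext* context_;
  std::vector<std::shared_ptr<ResourceLoader>> loaders_;
};

// Stand-in for FontFace with an ordered src list: a cancelled source falls back to
// the next one, and a finished load reports its status through the context.
class FontFace {
 public:
  FontFace(Fetcher* fetcher, std::vector<std::string> sources)
      : fetcher_(fetcher), sources_(std::move(sources)) {}
  void Load() { LoadSource(0); }
  bool null_context_hit() const { return null_context_hit_; }
  // The crash site from the report; the real code had no null check here.
  void SetLoadStatus(const std::string& status) {
    if (fetcher_->Context() == nullptr) { null_context_hit_ = true; return; }
    status_ = status;
  }
 private:
  void LoadSource(std::size_t index) {
    if (index >= sources_.size()) return;
    fetcher_->StartLoad([this, index] { LoadSource(index + 1); },  // fallback on cancel
                        [this] { SetLoadStatus("loaded"); });
  }
  Fetcher* fetcher_;
  std::vector<std::string> sources_;
  std::string status_;
  bool null_context_hit_ = false;
};

// Start a two-src font load (constructed sample), detach the fetcher, then let any
// surviving load complete. Returns {loads still alive after detach, null context hit}.
std::pair<std::size_t, bool> RunScenario(bool use_fix) {
  ExecutionContext context;
  Fetcher fetcher(&context);
  FontFace face(&fetcher, {"a.woff", "b.woff"});
  face.Load();
  fetcher.ClearContext(use_fix);
  std::size_t loads_left = fetcher.ActiveLoads();
  fetcher.FinishPendingLoads();
  return {loads_left, face.null_context_hit()};
}
```

RunScenario(false) leaves one load alive after ClearContext and that load later reads a null context, which is the shape of the ASAN crash state above (FontFace::SetLoadStatus reaching TaskRunnerHelper::Get through a context that is gone); RunScenario(true) leaves none. The null check suggested in the Sep 12 comment would guard the crash site; the landed fix instead stops the fallback load itself, which is what the model's quiescent loop stands in for.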
Sep 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/95309c8b8d74786327442c9c8e2619c0cf5d077b

commit 95309c8b8d74786327442c9c8e2619c0cf5d077b
Author: Raymond Toy <rtoy@chromium.org>
Date: Tue Sep 12 21:27:06 2017

Ensure all non-keepalive request really are stopped in ResourceFetcher::ClearContext

Cancelling a font load can start a new fallback load inside ResourceFetcher::StopFetching. This is a problem if StopFetching() is called due to the ResourceFetcher detaching, and leaves a semi-detached resource load in progress.

TBR=japhet@chromium.org

(cherry picked from commit fb8a2de8d8190bacdaf53689c7762c9491f654ee)

Bug: 763040, 763387
Test: http/tests/webfont/multiple-font-src-detach.html
Change-Id: If366431abc4752b61d760d10687fd4a81d78ebc1
Reviewed-on: https://chromium-review.googlesource.com/663880
Reviewed-by: Mike West <mkwst@chromium.org>
Commit-Queue: Nate Chapin <japhet@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#501382}
Reviewed-on: https://chromium-review.googlesource.com/663762
Reviewed-by: Raymond Toy <rtoy@chromium.org>
Cr-Commit-Position: refs/branch-heads/3213@{#4}
Cr-Branched-From: 58ee71082b735f6dae76665b444d534d9832b45c-refs/heads/master@{#501132}

[add] https://crrev.com/95309c8b8d74786327442c9c8e2619c0cf5d077b/third_party/WebKit/LayoutTests/http/tests/webfont/multiple-font-src-detach-expected.txt
[add] https://crrev.com/95309c8b8d74786327442c9c8e2619c0cf5d077b/third_party/WebKit/LayoutTests/http/tests/webfont/multiple-font-src-detach.html
[modify] https://crrev.com/95309c8b8d74786327442c9c8e2619c0cf5d077b/third_party/WebKit/Source/platform/loader/fetch/ResourceFetcher.cpp
Sep 13 2017
Oh cool, assigning back to Nate :)
Sep 13 2017
ClusterFuzz has detected this issue as fixed in range 501360:501419.

Detailed report: https://clusterfuzz.com/testcase?key=6090201880592384

Fuzzer: inferno_webbot
Job Type: windows_asan_chrome
Platform Id: windows

Crash Type: Null-dereference READ
Crash Address: 0x00000000
Crash State:
  blink::TaskRunnerHelper::Get
  blink::FontFace::GetTaskRunner
  blink::FontFace::SetLoadStatus

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=500415:500470
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_chrome&range=501360:501419

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6090201880592384

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 13 2017
ClusterFuzz testcase 6090201880592384 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by msrchandra@chromium.org, Sep 8 2017

Components: Blink>WebFonts
Labels: Test-Predator-Wrong-CLs M-63
Owner: japhet@chromium.org
Status: Assigned (was: Untriaged)