Let notifyScriptLoader() handle already detached ScriptLoaders.

If a ScriptRunner has been disposed of already, allow ScriptLoaders
to notify of their failure without asserting.

R=haraken
BUG=570012

Review URL: https://codereview.chromium.org/1644483002

Cr-Commit-Position: refs/heads/master@{#371772}

third_party/WebKit/Source/core/dom/ScriptLoader.h

@@ -86,6 +86,9 @@ public:
 
     // Clears the connection to the PendingScript (and Element and Resource).
     void detach();
+#if !ENABLE(OILPAN)
+    bool isDetached() const { return !m_pendingScript; }
+#endif
 
 protected:
     ScriptLoader(Element*, bool createdByParser, bool isEvaluated);

third_party/WebKit/Source/core/dom/ScriptRunner.cpp

@@ -204,12 +204,22 @@ void ScriptRunner::notifyScriptLoadError(ScriptLoader* scriptLoader, ExecutionTy
         // where the ScriptLoader is associated with the wrong ScriptRunner
         // (otherwise we'd cause a use-after-free in ~ScriptRunner when it tries
         // to detach).
-        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(m_pendingAsyncScripts.contains(scriptLoader));
+        bool foundLoader = m_pendingAsyncScripts.contains(scriptLoader);
+#if !ENABLE(OILPAN)
+        // If the ScriptRunner has been disposed of, no pending scripts remain.
+        // Verify that the ScriptLoader is in a detached state, if so.
+        foundLoader = foundLoader || (scriptLoader->isDetached() && m_pendingAsyncScripts.isEmpty());
+#endif
+        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(foundLoader);
         m_pendingAsyncScripts.remove(scriptLoader);
         break;
     }
     case IN_ORDER_EXECUTION:
-        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(removePendingInOrderScript(scriptLoader));
+        bool foundLoader = removePendingInOrderScript(scriptLoader);
+#if !ENABLE(OILPAN)
+        foundLoader = foundLoader || (scriptLoader->isDetached() && m_pendingInOrderScripts.isEmpty());
+#endif
+        RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(foundLoader);
         break;
     }
     scriptLoader->detach();