core(source-maps): guard against out-of-bounds sourceIndex

[ducky-duke]

Summary

When a source map has an empty or malformed sources array, this.#sourceInfos[sourceIndex] is undefined, causing:

TypeError: Cannot read properties of undefined (reading 'sourceURL')
    at SourceMap.parseMap (SourceMap.js:384:56)

This crash is caught by the try/catch in #ensureMappingsProcessed, so the scan continues — but it logs a noisy error and prevents the DuplicatedJavaScript insight from running for the affected page.

Changes

• core/lib/cdt/generated/SourceMap.js: Add optional chaining (?.) to both this.#sourceInfos[sourceIndex].sourceURL access sites in parseMap (lines 384 and 407).
• build/build-cdt-lib.js:
  • Add a rawCodeToReplace entry so the fix survives CDT source re-rolls.
  • Use replaceAll instead of replace in the raw-code replacement loop to ensure all occurrences of a pattern are substituted (previously only the first match was replaced).

Reproduction

Run Lighthouse on any page that serves a source map with an empty sources array or where the VLQ-decoded source index exceeds the bounds of the sources array.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[connorjclark]

looks good, thanks! CI failures are unrelated.

[paulirish]

Good fix.. Appreciate the contribution @ducky-duke !