Crash in v8::internal::Invoke
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6039882681548800
Fuzzer: stgao_chromebot2
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x7fdd2c000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Recommended Security Severity: Medium
Regressed: V8: r35325:35341
Minimized Testcase (7659.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Rxh_6-brNt0HHz25_UUlcZYGym9mV40F7wPKvp1jR3Vsd3z1UKnbDPDSMcK-yzCsZp8kPUsROlsKFQTe53SneSuQHKHA5P_GXKaI05-ASqZunU8V0Xy_YZw9v8Un77ok34aDqiBskUxY0QZPOuMSBbnjvG7LGgU7Us5p6I4QK80QUMV4
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 8 2016
Apr 8 2016
Any takers to own this bug?
Apr 9 2016
ClusterFuzz has detected this issue as fixed in range 35341:35342.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6039882681548800
Fuzzer: stgao_chromebot2
Job Type: linux_asan_chrome_v8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x7fdd2c000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
Recommended Security Severity: Medium
Regressed: V8: r35325:35341
Fixed: V8: r35341:35342
Minimized Testcase (7659.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95Rxh_6-brNt0HHz25_UUlcZYGym9mV40F7wPKvp1jR3Vsd3z1UKnbDPDSMcK-yzCsZp8kPUsROlsKFQTe53SneSuQHKHA5P_GXKaI05-ASqZunU8V0Xy_YZw9v8Un77ok34aDqiBskUxY0QZPOuMSBbnjvG7LGgU7Us5p6I4QK80QUMV4

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 11 2016

Apr 11 2016
stgao@, lijeffrey@: I managed to reproduce the issue in #1 on the provided binary and now I would like to build such a binary myself, but I can't figure out which chrome revision to take. The report mentions v8-asan_linux-release_3e8ee0f0e660f39ebe723667101aab55a53e781c, but this hash does not seem to be a git hash. Is there a way to figure out the chrome revision used?
Apr 11 2016
Based on the log from chromebot2 below, the chromium revision seems to be "4e3f09c67d73ae2d3365594ec3911201a279ab49". With the same binary gs://v8-asan/linux-release/asan-symbolized-linux-release-v8-component-35341.zip from the ClusterFuzz testcase, you could open the page "chrome://version" to check the revision/version of chrome too. Maybe machenbach@ has a better idea on how to do the mapping from the v8 version to chromium revision?

-----------------------------------------------
2016-04-07 17:46:31,428 MainThread INFO: Http request to DevTools: http://127.0.0.1:55731/json/version
2016-04-07 17:46:32,633 MainThread INFO: Http response: {
  "Browser": "Chrome/51.0.2703.0",
  "Protocol-Version": "1.1",
  "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2703.0 Safari/537.36",
  "WebKit-Version": "537.36 (@4e3f09c67d73ae2d3365594ec3911201a279ab49)"
}
Apr 11 2016
The report has this archive: https://storage.cloud.google.com/v8-asan/linux-release/asan-symbolized-linux-release-v8-component-35341.zip

The v8 commit position 35341 maps to https://chromium.googlesource.com/v8/v8/+/920370d1a910681bf464bd91aced316058ea2f6c, which was reverted a few commits later (CC'ed author).

It was originally built here: https://build.chromium.org/p/client.v8.fyi/builders/Chromium%20ASAN%20%28symbolized%29/builds/694
Using this chromium revision: 4e3f09c67d73ae2d3365594ec3911201a279ab49

Note that the original chromium builds might use a different v8. This was built on the v8 waterfall with the newer v8 version as noted above.
Apr 12 2016
Unfortunately, the crash I managed to see on my local build was something different. And I managed to catch neither the original crash on the ASan build nor my crash in the debugger. On debug builds the crash did not reproduce at all. Marking as WontFix according to c#4.
Jul 19 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
Comment 1 by hablich@chromium.org, Apr 8 2016