The CL in question was already reverted. Just FYI in case the repro helps investigation.

ClusterFuzz has detected this issue as fixed in range 36142:36143.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5494987147444224

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Heap-use-after-free READ 8
Crash Address: 0x615000007578
Crash State:
  v8::internal::ElementsAccessorBase<v8::internal::TypedElementsAccessor<
  v8::internal::LookupIterator::FetchValue
  v8::internal::LookupIterator::GetDataValue
  
Recommended Security Severity: High

Regressed: V8: r36139:36140
Fixed: V8: r36142:36143

Minimized Testcase (6.53 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96zXcmPDsQt6NmqDMzHtfGOfoo6y23A4AsXABQIMKgbKxuitrZonIap43s0WhbaHj3f2_6kE76cayTBcRpeKl9MG7conAO5J6k4PjbstcjhVBm-Je9KupHtOb9SUIQ4DA6BbwlFeyCoKckaFVCTgPvrjiQeLA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Since this is filed as a security bug I'm going to mark it as fixed since we need to track these carefully. If it's necessary, could you file a new bug to track any ongoing work?

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot