
Issue 611684 link

Starred by 0 users

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




!v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in src/objects

Project Member Reported by ClusterFuzz, May 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5789061444272128

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in src/objects
  

Minimized Testcase (8.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95z2mtGzjTHnW2ohkNE2B06D-rG5QgOVOCnLgGGWT_R2AgLA3tVBCgV3Y4SbWUi2Kc8r6a74KdHRdPCnwTkfLRVRS2D_6eAYyzX_qqKbTzxMa0-ogDU2y9Bs9sKwxnb6IdOaU3rwQr0o1K6VVVGeMnoaNtDPA

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
This is a benign issue because we are crashing while reporting a fatal OOM situation. We could investigate as to why the stack trace cannot be printed properly and whether this indicates another issue. Reproduces as follows ...

$ ~/Development/v8.git/out/ia32.debug/d8 --enable-slow-asserts --ignition mutant18464_short-circuit.js

#
# Fatal error in .././src/objects-inl.h, line 3143
# Check failed: !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()).
#

==== C stack trace ===============================

 1: V8_Fatal
 2: v8::internal::JSObject::cast(v8::internal::Object*)
 3: v8::internal::StringStream::PrintPrototype(v8::internal::JSFunction*, v8::internal::Object*)
 4: v8::internal::StringStream::PrintFunction(v8::internal::Object*, v8::internal::Object*, v8::internal::Code**)
 5: v8::internal::JavaScriptFrame::Print(v8::internal::StringStream*, v8::internal::StackFrame::PrintMode, int) const
 6: 0x8ecda05
 7: v8::internal::Isolate::PrintStack(v8::internal::StringStream*, v8::internal::Isolate::PrintStackMode)
 8: v8::internal::Heap::RecordStats(v8::internal::HeapStats*, bool)
 9: v8::internal::V8::FatalProcessOutOfMemory(char const*, bool)
10: v8::internal::Heap::FatalProcessOutOfMemory(char const*, bool)
11: v8::internal::Factory::NewRawTwoByteString(int, v8::internal::PretenureFlag)
12: v8::internal::EscapeRegExpSource(v8::internal::Isolate*, v8::internal::Handle<v8::internal::String>)
13: v8::internal::JSRegExp::Initialize(v8::internal::Handle<v8::internal::JSRegExp>, v8::internal::Handle<v8::internal::String>, v8::base::Flags<v8::internal::JSRegExp::Flag, int>)
14: v8::internal::JSRegExp::Initialize(v8::internal::Handle<v8::internal::JSRegExp>, v8::internal::Handle<v8::internal::String>, v8::internal::Handle<v8::internal::String>)
15: 0x9536521
16: v8::internal::Runtime_RegExpInitializeAndCompile(int, v8::internal::Object**, v8::internal::Isolate*)
17: 0x36f12bbc
18: 0x36f407d6
19: 0x36f3c96c
20: 0x36f4060e
21: 0x36f3c96c
22: 0x36f0bff6
23: 0x36f361c6
24: 0x36f40bf7
25: 0x36f3c96c
26: 0x36f3c3be
27: 0x36f14243
28: 0x8d53efc
29: v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*)
30: v8::Script::Run(v8::Local<v8::Context>)
31: v8::Shell::ExecuteString(v8::Isolate*, v8::Local<v8::String>, v8::Local<v8::Value>, bool, bool, v8::Shell::SourceType)
32: v8::SourceGroup::Execute(v8::Isolate*)
33: v8::Shell::RunMain(v8::Isolate*, int, char**, bool)
34: v8::Shell::Main(int, char**)
35: main
36: __libc_start_main
Illegal instruction (core dumped)

Labels: -Pri-1 Pri-3

Comment 3 by ishell@chromium.org, Jun 22 2016

Owner: ishell@chromium.org
Status: Assigned (was: Available)

Project Member Comment 4 by bugdroid1@chromium.org, Jun 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/bbbf21c240918ef70384c58d5aaa2ee12af6bfc1

commit bbbf21c240918ef70384c58d5aaa2ee12af6bfc1
Author: ishell <ishell@chromium.org>
Date: Wed Jun 22 11:22:48 2016

Don't crash when trying to print a call stack of an OOM.

Receiver is the hole when we construct a builtin object.

BUG= chromium:611684 

Review-Url: https://codereview.chromium.org/2083163003
Cr-Commit-Position: refs/heads/master@{#37182}

[modify] https://crrev.com/bbbf21c240918ef70384c58d5aaa2ee12af6bfc1/src/string-stream.cc
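The commit message above says the receiver can still be the hole while a builtin object is being constructed, and the C stack trace in the report shows why that matters: `JSObject::cast` is reached from `StringStream::PrintPrototype` while `Heap::RecordStats` is already reporting an out-of-memory condition, so the slow-assert CHECK turns an OOM report into a second crash. The following is an added illustration, not V8's code and not the change made in src/string-stream.cc. It models a tagged value with a hole sentinel and contrasts a diagnostic printer that casts the receiver unconditionally with one that checks it first. `Object`, `Kind`, `JSObjectCast`, `CheckFailure`, `PrintReceiverUnguarded`, `PrintReceiverGuarded` and `UnguardedCrashesOnHole` are all invented names, and the CHECK is modelled as an exception so the example can observe it instead of aborting the process.

```cpp
// Added example, not V8 code: a model of the crash-while-reporting pattern
// in this issue. A tagged "Object" is a JSObject, a hole sentinel, or a Smi.
#include <iostream>
#include <stdexcept>
#include <string>

enum class Kind { kHole, kJSObject, kSmi };

struct Object {
  Kind kind;
  std::string name;  // used only for printing
  bool IsJSObject() const { return kind == Kind::kJSObject; }
  bool IsTheHole() const { return kind == Kind::kHole; }
};

// Stand-in for a debug-build CHECK (the slow assert in the report). It is
// modelled as an exception here so the example can observe the failure.
struct CheckFailure : std::logic_error {
  using std::logic_error::logic_error;
};

// Stand-in for a checked cast: only valid on a real JSObject.
const Object& JSObjectCast(const Object& object) {
  if (!object.IsJSObject()) {
    throw CheckFailure("Check failed: object->IsJSObject().");
  }
  return object;
}

// "Before": the printer casts the receiver unconditionally. This is fine on
// a normal stack but fails when called from OOM reporting while the receiver
// is still the hole, which is the situation in this issue.
std::string PrintReceiverUnguarded(const Object& receiver) {
  return "receiver: " + JSObjectCast(receiver).name;
}

// "After": the printer tolerates partially constructed state. It checks the
// receiver before casting and degrades to a placeholder instead of asserting.
std::string PrintReceiverGuarded(const Object& receiver) {
  if (receiver.IsTheHole()) return "receiver: <the hole>";
  if (!receiver.IsJSObject()) return "receiver: <non-object>";
  return "receiver: " + JSObjectCast(receiver).name;
}

// Helper that reports whether the unguarded printer trips the CHECK on a hole.
bool UnguardedCrashesOnHole() {
  try {
    PrintReceiverUnguarded(Object{Kind::kHole, ""});
  } catch (const CheckFailure&) {
    return true;
  }
  return false;
}

int main() {
  const Object hole{Kind::kHole, ""};            // constructed sample value
  const Object obj{Kind::kJSObject, "RegExp"};   // constructed sample value
  std::cout << PrintReceiverGuarded(hole) << '\n';
  std::cout << PrintReceiverGuarded(obj) << '\n';
  std::cout << "unguarded printer crashes on hole: " << std::boolalpha
            << UnguardedCrashesOnHole() << '\n';
  return 0;
}
```

The design point is the one the fix title states: code that runs during error reporting executes in states where the engine's normal invariants do not hold, so it should check and degrade rather than assert. The same rule applies to crash handlers and OOM paths generally; a second failure there hides the original diagnostic, which is exactly what the truncated stack trace in the report shows.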

Comment 5 by ishell@chromium.org, Jun 22 2016

Status: Fixed (was: Assigned)

Project Member Comment 6 by ClusterFuzz, Jun 22 2016

ClusterFuzz has detected this issue as fixed in range 37181:37182.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5789061444272128

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in objects-inl
  
Fixed: V8: r37181:37182

Minimized Testcase (8.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94yDjRdYFfoupT8OWl9xg1JKffCvQSzhnF5Esj0Fl7tKVXbhsgcjZmwV7NX7jqVvCpCVOCx812h1QQEK5VG-k0dVJaOGkhCtpzgf6cUlu0o-HGIfk0MyzFHVOo_qJ_8O0TdgTqS-5exsiOJ99VsAJ_gZSnjvg?testcase_id=5789061444272128

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Project Member Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
