Crash in v8::internal::Invoke
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6086500328669184

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Regressed: V8: r35756:35757

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94xil1NDSMBsqfNhNEEBMcD3-eDVzF7rudFV2mLLHpoRwCFnY8ADZasvBlqligWhhEw-T9SwkI8lKwBzjGuQqNOQMxUXzXCqJSSAnZzVgOH1136G5XuNbVAT0Zxq5cuKnylQXRyAmjuGnuhZkkAgLQfrkXnVg

  "use strict";
  for (var __v_0 = 0; __v_0 < 10*1000; __v_0++) {
    Object.prototype['generatedProperty'+__v_0] = true;
  }
  function __f_7(x) {
    var __v_12 = [];
    for (let __v_9 in x);
    return __v_12.sort();
  }
  __f_7({}).length;
  ["x"], __f_7({x:1});
  [], __f_7({});
  [], __f_7({});

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by mstarzinger@chromium.org, May 25 2016
Reproduces as follows on tip of tree ...

  $ git checkout 39d08198bd1d8f28c71d0c4f684582b462216364
  $ make -j1000 x64.debug
  $ ./out/x64.debug/d8 --es-staging --ignition test/mjsunit/foo.js
  $ cat test/mjsunit/foo.js
  "use strict";
  for (var i = 0; i < 100000; i++) {
    Object.prototype['generatedProperty'+i] = true;
  }
  function f(x) {
    var a = [];
    for (let p in x);
    return a.sort();
  }
  f({});
  f({});
  f({});
  f({});
Jun 28 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6086500328669184

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv94eCaN9G7b6Yy6VkMji7xCh69vh_2t82edg1h-4E8XuiGuzAeQ9UgEatwUDYUx4homcsWCZLl5Z1ml6wYHLDG_dJu2Qsts7buO2VFAnGdiVViiWsDuRpWMrM01QJMLxphuh1ckUa0pnCFsTsgbqnbB4FEMwFg?testcase_id=6086500328669184

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Nov 28 2016
No longer reproduces. Underlying issue has been fixed by now. Closing.