Regression range points to d61a5c376ba51145dc4684e39d5d3a9ce75bcfa6.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/38ad63ff15d7e379423be4c57ae94ae2c9ffb4af

commit 38ad63ff15d7e379423be4c57ae94ae2c9ffb4af
Author: hpayer <hpayer@chromium.org>
Date: Tue Jun 07 15:19:29 2016

[heap] Clear out of live range remembered set slots in large objects.

BUG= chromium:617882 
LOG=n

Review-Url: https://codereview.chromium.org/2043713006
Cr-Commit-Position: refs/heads/master@{#36795}

[modify] https://crrev.com/38ad63ff15d7e379423be4c57ae94ae2c9ffb4af/src/heap/spaces.cc
[modify] https://crrev.com/38ad63ff15d7e379423be4c57ae94ae2c9ffb4af/src/heap/spaces.h
[add] https://crrev.com/38ad63ff15d7e379423be4c57ae94ae2c9ffb4af/test/mjsunit/regress/regress-617882.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/67af060318aef99e1a8d8c3d9eab771a930e5c3e

commit 67af060318aef99e1a8d8c3d9eab771a930e5c3e
Author: machenbach <machenbach@chromium.org>
Date: Tue Jun 07 18:28:05 2016

Revert of [heap] Clear out of live range remembered set slots in large objects. (patchset #2 id:20001 of https://codereview.chromium.org/2043713006/ )

Reason for revert:
Fails arm sim:
https://build.chromium.org/p/client.v8.ports/builders/V8%20Linux%20-%20arm%20-%20sim/builds/1012

Original issue's description:
> [heap] Clear out of live range remembered set slots in large objects.
>
> BUG= chromium:617882 
> LOG=n
>
> Committed: https://crrev.com/38ad63ff15d7e379423be4c57ae94ae2c9ffb4af
> Cr-Commit-Position: refs/heads/master@{#36795}

TBR=ulan@chromium.org,hpayer@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:617882 

Review-Url: https://codereview.chromium.org/2042403002
Cr-Commit-Position: refs/heads/master@{#36799}

[modify] https://crrev.com/67af060318aef99e1a8d8c3d9eab771a930e5c3e/src/heap/spaces.cc
[modify] https://crrev.com/67af060318aef99e1a8d8c3d9eab771a930e5c3e/src/heap/spaces.h
[delete] https://crrev.com/839f3fd406426a221d74eb7a33a72794c3c7a548/test/mjsunit/regress/regress-617882.js

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5252745313648640

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7fbf70d488e0
Crash State:
  v8::internal::PointerUpdateJobTraits<
  int v8::internal::SlotSet::Iterate<v8::internal::PointerUpdateJobTraits<
  v8::internal::PointerUpdateJobTraits<
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36798:36799

Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv947Ivgoypm6xIBzd1akFZYJ5bJrMOTqVFA2DEw8XfMjVXdvIgtVOn8qHb_IRQBFeH_d5BIQ5dp7PtC1r9vUwFL_GwEoFcA6KWOvqBgI0BSPjPCNkk4KpxsWImPxBclBhheFGtC5J0S7jQKTplaKC8pv8id71g
__v_0 = 70000;
function __f_14(__v_3) {
  if ((__v_3 % 50) != 0) {
    return __v_3 + 0.5;
  }
}
function __f_13(a) {
  for (var __v_3= 0; __v_3 < __v_0; ++__v_3 ) {
    a[__v_3] = __f_14(__v_3);
  }
}
function __f_2() {
}
__v_5 = new Array();
__f_13(__v_5);
__v_5.length = 25;
gc();


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

ClusterFuzz has detected this issue as fixed in range 36806:36807.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5252745313648640

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7fbf70d488e0
Crash State:
  v8::internal::PointerUpdateJobTraits<
  int v8::internal::SlotSet::Iterate<v8::internal::PointerUpdateJobTraits<
  v8::internal::PointerUpdateJobTraits<
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36798:36799
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=36806:36807

Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv947Ivgoypm6xIBzd1akFZYJ5bJrMOTqVFA2DEw8XfMjVXdvIgtVOn8qHb_IRQBFeH_d5BIQ5dp7PtC1r9vUwFL_GwEoFcA6KWOvqBgI0BSPjPCNkk4KpxsWImPxBclBhheFGtC5J0S7jQKTplaKC8pv8id71g
__v_0 = 70000;
function __f_14(__v_3) {
  if ((__v_3 % 50) != 0) {
    return __v_3 + 0.5;
  }
}
function __f_13(a) {
  for (var __v_3= 0; __v_3 < __v_0; ++__v_3 ) {
    a[__v_3] = __f_14(__v_3);
  }
}
function __f_2() {
}
__v_5 = new Array();
__f_13(__v_5);
__v_5.length = 25;
gc();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

- Your friendly ClusterFuzz

Sorry for the incorrect ClusterFuzz update, please ignore it. Reopening bug.

Please mark security bugs as fixed as soon as the fix lands, and before requesting merges.

- Your friendly ClusterFuzz

I am confused, why is it again marked as fixed?

It was because of the Merge-Triage label, which is only expected to be applied after an issue is fixed.

hpayer: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The involved CLs were reverted shortly after landing. Nothing to do here.

Security_Impact-None per #17

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot