The regression range points to 1ef7487b657e4b1a86cf778ac062b25de5001af7.

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698353829150720

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  p->key == __null in hashmap.h
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_dbg&range=35430:35431

Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95cjuvokXpNtujasahUkOtlMReQyQLTBvJNOPR8TNmbzKD3pm0Lq-7joVO0x-4WFZCNsqXJV1SgsHMna3aQwKdcK969SF5lVKPcFRprAs3ZsDFwRUfQ96spE3SAVgTMkRJ2H3iIpUbudcdByQoal3iT9BpAeg


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

==== C stack trace ===============================

 1: 0x2c32d46
 2: 0x2c332af
 3: 0x51e502
 4: 0x13de85b
 5: 0x13de5f4
 6: 0x11c7eb5
 7: 0x1291bc2
 8: 0x12afbbe
 9: 0x116b1a7
10: 0x107ae54
11: 0x107aab5
12: 0x107a34a
13: 0x1079f36
14: 0x1075906
15: 0x27b3e94
16: 0x27b342b
17: 0x7f3f6b2085c6

Program received signal SIGILL, Illegal instruction.
0x0000000002c45837 in v8::base::OS::Abort ()
    at ../../src/base/platform/platform-posix.cc:240
240         V8_IMMEDIATE_CRASH();
(gdb) bt
#0  0x0000000002c45837 in v8::base::OS::Abort ()
    at ../../src/base/platform/platform-posix.cc:240
#1  0x0000000002c332f3 in V8_Fatal (
    file=0x33dcdc0 <.str> "../../src/hashmap.h", line=144, 
    format=0x33da920 <.str> "Check failed: %s.")
    at ../../src/base/logging.cc:116
#2  0x000000000051e502 in v8::internal::TemplateHashMapImpl<v8::internal::FreeStoreAllocationPolicy>::InsertNew (this=0x60b00000ab18, key=0x7f3f6a0, 
    hash=133428896, allocator=...) at ../../src/hashmap.h:144
#3  0x00000000013de85b in v8::internal::LargeObjectSpace::InsertChunkMapEntries
    (this=0x60b00000aac0, page=0x7f3f6a000000) at ../../src/heap/spaces.cc:3085
#4  0x00000000013de5f4 in v8::internal::LargeObjectSpace::AllocateRaw (
    this=0x60b00000aac0, object_size=853448, 
    executable=v8::internal::NOT_EXECUTABLE) at ../../src/heap/spaces.cc:3013
#5  0x00000000011c7eb5 in v8::internal::Heap::AllocateRaw (
    this=0x62b000000220, size_in_bytes=853448, space=v8::internal::LO_SPACE, 
    alignment=v8::internal::kWordAligned) at ../../src/heap/heap-inl.h:242
#6  0x0000000001291bc2 in v8::internal::Heap::AllocateRawFixedArray (
    this=0x62b000000220, length=106679, pretenure=v8::internal::NOT_TENURED)
    at ../../src/heap/heap.cc:3963
#7  0x00000000012afbbe in v8::internal::Heap::AllocateUninitializedFixedArray (
    this=0x62b000000220, length=106679) at ../../src/heap/heap.cc:3999
#8  0x000000000116b1a7 in v8::internal::Factory::NewUninitializedFixedArray (
    this=0x62b000000200, size=106679) at ../../src/factory.cc:147
#9  0x000000000107ae54 in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::ConvertElementsWithCapacity (object=..., old_elements=..., 
    from_kind=v8::internal::FAST_ELEMENTS, capacity=106679, src_index=0, 
    dst_index=0, copy_size=-2) at ../../src/elements.cc:770
#10 0x000000000107aab5 in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::ConvertElementsWithCapacity (object=..., old_elements=..., 
    from_kind=v8::internal::FAST_ELEMENTS, capacity=106679)
    at ../../src/elements.cc:749
#11 0x000000000107a34a in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::BasicGrowCapacityAndConvertImpl (object=..., old_elements=..., 
    from_kind=v8::internal::FAST_ELEMENTS, 
    to_kind=v8::internal::FAST_ELEMENTS, capacity=106679)
    at ../../src/elements.cc:808
#12 0x0000000001079f36 in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2
> >::GrowCapacityAndConvertImpl (object=..., capacity=106679)
    at ../../src/elements.cc:800
#13 0x0000000001075906 in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::FastPackedObjectElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)2> >::GrowCapacityAndConvert (this=0x60200000ef30, object=..., capacity=106679)
    at ../../src/elements.cc:825
#14 0x00000000027b3e94 in v8::internal::__RT_impl_Runtime_GrowArrayElements (
    args=..., isolate=0x62b000000200) at ../../src/runtime/runtime-array.cc:441
#15 0x00000000027b342b in v8::internal::Runtime_GrowArrayElements (
    args_length=2, args_object=0x7fff3e01d180, isolate=0x62b000000200)
    at ../../src/runtime/runtime-array.cc:420
#16 0x00007f3f6b2085c6 in ?? ()
#17 0x00000000000115c4 in ?? ()
#18 0x0000000000000000 in ?? ()

 Issue 618604  has been merged into this issue.

fyi: This is also related to the series of LO uncommit changes and has already been reverted.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot