
Issue 619472


Issue metadata

Status: Verified
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug




Crash in v8::internal::Invoke

Project Member Reported by ClusterFuzz, Jun 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5959373264519168

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_ignition_dbg&range=35756:35757

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Dku7-WSWyQhDIylR72d2thEk4JzoCeXrAcZZLfctEpj5JmO5wE1NTKr2DMdrDvjTiUd-4CnMrEjDZe7votoCHQ6bH-wA07JaJb2YBg6UbB44gnD3yFo4PVPjRZLm2ET400r4T2mcDgYJyPNlYjZTL0V-ApA
"use strict";
// Put 10,000 enumerable properties on Object.prototype, so that for-in over
// any plain object walks a very long inherited key list.
for (var __v_3 = 0; __v_3 < 10*1000; __v_3++) {
  Object.prototype['generatedProperty'+__v_3] = true;
}
try {
__v_6 = [
];
} catch(e) {; }
function __f_12() {
}
function __f_47(x) {
  var __v_52 = [];
  for (let __v_49 in x);  // empty body; the loop itself is what gets hot
  return __v_52.sort();
}
__f_47({}).length;
["x"], __f_47({x:1});
[], __f_47({});
[], __f_47({});


Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
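The minimized testcase above is fuzzer output, so what it exercises is easy to miss: a for-in loop visits every enumerable string key on the object and on its whole prototype chain, so after the prototype pollution each `for (let __v_49 in x);` iterates 10,000 times over an empty body, which is the kind of hot loop on-stack replacement (OSR) is designed to kick in on. The block below is an added example, not code from the issue, from ClusterFuzz or from V8, and it only shows the enumeration behaviour the testcase relies on; it does not reproduce the 2016 crash, which needed the Ignition build and flags of that revision. All function names (countForIn, countOwnForIn, polluteObjectPrototype, cleanupObjectPrototype, runExperiment) and the property prefix are this example's own.

```javascript
"use strict";
// Added example: what the testcase's for-in loop actually visits once
// Object.prototype has been polluted. Names and counts are this example's
// assumptions, not V8's or the issue's.

// Count every key for-in visits: own and inherited enumerable string keys,
// exactly like `for (let __v_49 in x);` in the testcase.
function countForIn(obj) {
  let n = 0;
  for (const key in obj) n++;
  return n;
}

// Count only own keys; hasOwnProperty filters out the prototype chain.
function countOwnForIn(obj) {
  let n = 0;
  for (const key in obj) {
    if (Object.prototype.hasOwnProperty.call(obj, key)) n++;
  }
  return n;
}

// Same pattern as the testcase: `count` enumerable properties on
// Object.prototype. Returns the names so the caller can undo it.
function polluteObjectPrototype(count, prefix = 'generatedProperty') {
  const names = [];
  for (let i = 0; i < count; i++) {
    const name = prefix + i;
    Object.prototype[name] = true;
    names.push(name);
  }
  return names;
}

function cleanupObjectPrototype(names) {
  for (const name of names) delete Object.prototype[name];
}

// A non-enumerable prototype property is never visited by for-in; this is
// how a library that must extend Object.prototype avoids the blow-up.
function countWithHiddenPrototypeProperty() {
  Object.defineProperty(Object.prototype, '__exampleHidden', {
    value: true, enumerable: false, configurable: true,
  });
  try {
    return countForIn({});
  } finally {
    delete Object.prototype.__exampleHidden;
  }
}

// Run the measurement with a smaller count than the testcase's 10,000 and
// return the numbers so they can be checked rather than only printed.
function runExperiment(count = 1000) {
  const before = { empty: countForIn({}), oneOwn: countForIn({ x: 1 }) };
  const names = polluteObjectPrototype(count);
  let during;
  try {
    during = {
      empty: countForIn({}),                  // count inherited keys
      oneOwn: countForIn({ x: 1 }),           // count + 1
      oneOwnFiltered: countOwnForIn({ x: 1 }), // 1
      hidden: countWithHiddenPrototypeProperty(), // still count
    };
  } finally {
    cleanupObjectPrototype(names);           // leave the realm clean
  }
  const after = { empty: countForIn({}) };
  return { before, during, after };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runExperiment(1000)));
}
```

The cleanup step matters if this is run inside anything long-lived: every for-in and every naive `for (k in obj)` copy loop in the same realm, including the runtime's own, sees the polluted keys until they are deleted.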
 

Comment 1 by ishell@chromium.org, Jun 13 2016

Labels: -OS-Linux OS-All
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
Ignition vs OSR issue. Bisects to https://codereview.chromium.org/1903273004.

Comment 2 by ClusterFuzz (Project Member), Jul 6 2016

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5959373264519168

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: V8: r35756:35757

Minimized Testcase (0.33 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96Dku7-WSWyQhDIylR72d2thEk4JzoCeXrAcZZLfctEpj5JmO5wE1NTKr2DMdrDvjTiUd-4CnMrEjDZe7votoCHQ6bH-wA07JaJb2YBg6UbB44gnD3yFo4PVPjRZLm2ET400r4T2mcDgYJyPNlYjZTL0V-ApA?testcase_id=5959373264519168
"use strict";
// Put 10,000 enumerable properties on Object.prototype, so that for-in over
// any plain object walks a very long inherited key list.
for (var __v_3 = 0; __v_3 < 10*1000; __v_3++) {
  Object.prototype['generatedProperty'+__v_3] = true;
}
try {
__v_6 = [
];
} catch(e) {; }
function __f_12() {
}
function __f_47(x) {
  var __v_52 = [];
  for (let __v_49 in x);  // empty body; the loop itself is what gets hot
  return __v_52.sort();
}
__f_47({}).length;
["x"], __f_47({x:1});
[], __f_47({});
[], __f_47({});


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 3 by ClusterFuzz (Project Member), Aug 31 2016

Labels: Stability-AFL
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6550361332776960

Fuzzer: afl_v8_wasm_code_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::wasm::testing::CallFunction
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=415614:415641

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95eF6-p-AE4UEpHkqdxaXoKZl9DvE_pTpWX7K1Rnc6ZtFwnmg6MRjOYYPtiSuMElP0yvx5LVMt8Ph02pgwLZ3pDy8B7DXtMSnrCkiPDdEhY_kJjvSkyt0zyfxbvHkZI-zzr-XU-rA1J3aUj9uTTBQ2LUH5OeQ?testcase_id=6550361332776960
;!!!!;!!!!!;!!!!!!!C!!!!!6!!� !!9 !;!!!!!!!!!!!!!!9!!!!!!9!sq


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

Comment 4 by ClusterFuzz (Project Member), Sep 1 2016

ClusterFuzz has detected this issue as fixed in range 415641:415741.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6550361332776960

Fuzzer: afl_v8_wasm_code_fuzzer
Job Type: afl_chrome_asan
Platform Id: linux

Crash Type: Floating-point-exception
Crash Address: 
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::wasm::testing::CallFunction
  
Regressed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=415614:415641
Fixed: https://cluster-fuzz.appspot.com/revisions?job=afl_chrome_asan&range=415641:415741

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95eF6-p-AE4UEpHkqdxaXoKZl9DvE_pTpWX7K1Rnc6ZtFwnmg6MRjOYYPtiSuMElP0yvx5LVMt8Ph02pgwLZ3pDy8B7DXtMSnrCkiPDdEhY_kJjvSkyt0zyfxbvHkZI-zzr-XU-rA1J3aUj9uTTBQ2LUH5OeQ?testcase_id=6550361332776960
;!!!!;!!!!!;!!!!!!!C!!!!!6!!� !!9 !;!!!!!!!!!!!!!!9!!!!!!9!sq


See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 5 by ClusterFuzz (Project Member), Sep 1 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Re comment #3, #4, #5: Not sure why the WASM crash was reported as part of this issue. Clearly two different underlying problems. Should this surface again on ClusterFuzz, then please file a new issue; a stack trace starting with "v8::internal::Invoke" just indicates a crash in generated code. That is very likely not related to this issue.

Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
