position >= 0 in objects.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5388867373105152
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: position >= 0 in objects.cc
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=36774:36775
Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96nXRBUKKW0pXoBIGdB3FS9D28HDjwV5Z_ET6zViwLmIBvRNg3n-FgZ-F5FVknY5zSTmhEP__oFw9_Z35zipSAxdzh0Ad2ONxHX2K-ytBiZ437MVVvtKdsMpIjxI9JsyLKoIEmbW4RfyCs2njeykGCuh3GSiQ

    var __v_0 = {};
    function __f_11(expect) {
      var __f_7 = new Function(
          '"' + (__v_0++) + '";return __v_5(n)');
      __f_7();
    }
    __f_11();

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 16 2016
This is somewhat a flavor of this issue: https://bugs.chromium.org/p/v8/issues/detail?id=5104 In both cases we expect the SFI to still reference the code that the code offset refers to, when we calculate the source position of eval origin. In case of this bug, the code is being flushed.
Jun 29 2016
ClusterFuzz has detected this issue as fixed in range 37391:37392.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5388867373105152
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: position >= 0 in objects.cc
Regressed: V8: r36774:36775
Fixed: V8: r37391:37392
Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96nXRBUKKW0pXoBIGdB3FS9D28HDjwV5Z_ET6zViwLmIBvRNg3n-FgZ-F5FVknY5zSTmhEP__oFw9_Z35zipSAxdzh0Ad2ONxHX2K-ytBiZ437MVVvtKdsMpIjxI9JsyLKoIEmbW4RfyCs2njeykGCuh3GSiQ?testcase_id=5388867373105152

    var __v_0 = {};
    function __f_11(expect) {
      var __f_7 = new Function(
          '"' + (__v_0++) + '";return __v_5(n)');
      __f_7();
    }
    __f_11();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Jun 16 2016
Status: Assigned (was: Available)