ishell@ and mstarzinger@, could you please help to triage this?

Same as  issue 621431  but here it is the StackTraceFrameIterator::IsValidFrame() who queries a JSFunction from a BUILTIN frame.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6bd37e3f20651cc4ff780e09518ae2a408b509dc

commit 6bd37e3f20651cc4ff780e09518ae2a408b509dc
Author: jgruber <jgruber@chromium.org>
Date: Wed Jun 22 09:18:29 2016

[builtins] Fix clobbered reg in Math.{Max,Min}

edi is expected to contain the JS function. Ensure that it is not
overwritten.

BUG= chromium:621431 , chromium:621550 , chromium:621217 
R=bmeurer@chromium.org

Review-Url: https://codereview.chromium.org/2085043004
Cr-Commit-Position: refs/heads/master@{#37173}

[modify] https://crrev.com/6bd37e3f20651cc4ff780e09518ae2a408b509dc/src/ia32/builtins-ia32.cc

ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6149710461272064

Fuzzer: v8_builtins_generator
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0xffffffff
Crash State:
  v8::internal::StackTraceFrameIterator::Advance
  v8::internal::StackTraceFrameIterator::StackTraceFrameIterator
  v8::internal::Isolate::ComputeLocation
  
Recommended Security Severity: Medium

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=400574:400576

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97Mndjt2nJYmbAg1yL_G811H9H-kB-ylTOVVUX48KjA7gkchy8A_Uog3uAwm1g3dNnRopwC4eg8thKzxToRBTibq8cvVMjgNcUjImGiQUJiZjFi5352xU1VLGwT1bLx3P3NI8RdvS-hZ15zjz6M3z2j8MQDyQ?testcase_id=6149710461272064
 v7 = new URIError(); 
 v13 = new Int32Array(); 
URIError.prototype.__defineGetter__("name", function() { 
return v7;
})
 v75 = Math.min(v13, v13, v7); 


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Fix already in M53, removing ReleaseBlock-Beta.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot