Automatic bisection pointed to 5b4626ad1994f1400be4099f85b6a2efd3515e3e but the test failed at that time because try/catch and array literals were not supported yet.

Reproduces on TOT.

Requires the --no-lazy flag to trigger, so it looks like it might be something related to eager parsing (this also means it shouldn't hit us in production since --no-lazy isn't a shipping configuration).

Might be related to  issue 622663 

ClusterFuzz has detected this issue as fixed in range 37334:37335.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5781335746805760

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  OperandsAreValid(bytecode, 1, operand0) in bytecode-array-builder.cc
  
Fixed: V8: r37334:37335

Minimized Testcase (0.04 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94PXDytlEsLXuexgtGopMRlBR-3BIMeGaYrODECD7JXc9OohxZlWUUl6QTAj1Jz6i0paN89LumHh0oZ83RCwODKVkedIGWGjouW5SqzeiQ-Ty49-P3UXUiph5RkrK7dJanyh9EqVZnUuZyPXXSF8l0ZPtVHAQ?testcase_id=5781335746805760
try {
(y = 1[ [...[]]]) => {};
} catch(e) {; }


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot