Is this s dupe of  issue 622664 ?

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4797416922677248

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7feb75216850
Crash State:
  v8::internal::JSReceiver::OrdinaryToPrimitive
  v8::internal::JSReceiver::ToPrimitive
  v8::internal::Object::ToNumber
  
Regressed: V8: r37168:37191

Minimized Testcase (8.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95RUUzsrMrLOPH5NG8dfhOV47AKVrbJ3lTEht1AeweFf0wqDjloB5PSCcsfqHxPN0ejfMjcEH_mR1eTwuoB6VNdzlVHH0hZvLm7oZ9A827Vxr6WvwjZWGcC5hUSSJpNsjxCRDCkEz1DrtYi7jKg2E3AE-bMlw?testcase_id=4797416922677248

Filer: tanin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

ClusterFuzz has detected this issue as fixed in range 37241:37255.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4797416922677248

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux

Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7feb75216850
Crash State:
  v8::internal::JSReceiver::OrdinaryToPrimitive
  v8::internal::JSReceiver::ToPrimitive
  v8::internal::Object::ToNumber
  
Regressed: V8: r37168:37191
Fixed: V8: r37241:37255

Minimized Testcase (8.96 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95RUUzsrMrLOPH5NG8dfhOV47AKVrbJ3lTEht1AeweFf0wqDjloB5PSCcsfqHxPN0ejfMjcEH_mR1eTwuoB6VNdzlVHH0hZvLm7oZ9A827Vxr6WvwjZWGcC5hUSSJpNsjxCRDCkEz1DrtYi7jKg2E3AE-bMlw?testcase_id=4797416922677248

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5783510141108224

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7f2494ad1d10
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::JSReceiver::OrdinaryToPrimitive
  v8::internal::JSReceiver::ToPrimitive
  
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254

Minimized Testcase (11.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96qPloQeqTxXq3Do4EYoX9xz_BEvdq_7jCgkjrqT-Hdx-OiFiVWNYtNmtJQcx8K4SZFEosA_XlGjhwAQR6XnuuyxCTerzXc588Q857zYHxTacVqUUsYeAvKkLz4fnjH3AAtZIbe87s8sUYFUApP3kgJa3BMWA?testcase_id=5783510141108224

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Adding Merge-Triage label for tracking purposes.

Once your fix had sufficient bake time (on canary, dev as appropriate), please nominate your fix for merge by adding the Merge-Request-XX label, where XX is the Chrome milestone.

When your merge is approved by the release manager, please start merging with higher milestone label first. Make sure to re-request merge for every milestone in the label list. You can get branch information on omahaproxy.appspot.com.

Your fix is very close to the branch point. After the branch happens, please make sure to check if your fix is in.

- Your friendly ClusterFuzz

According to https://bugs.chromium.org/p/chromium/issues/detail?id=622664 this bug was only on ToT. removing merge labels

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot