Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6204317413670912

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: Stack-use-after-return READ 4
Crash Address: 0xd4c86e78
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::ArrayConcatVisitor::visit
  v8::internal::IterateElementsSlow
  
Regressed: V8: r37179:37180

Minimized Testcase (7.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97hiFYngfI8zG6Wn7HHcZVMSNzl-cQtxVcExSj29m327ylmQKgTX6VqLajfjtEYrFCHL4rPDMBaHtYXhLRIAfd4cVaAYbhF1kLKUMXpN5da12HM0fOBTH3X4c9IfJ3tHmz_VIQ3Ck8RieWK-JyFXjm9aOir5g?testcase_id=6204317413670912

Filer: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6294138870038528

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: Stack-use-after-return READ 4
Crash Address: 0xf5e53a78
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::JSReceiver::OrdinaryToPrimitive
  v8::internal::JSReceiver::ToPrimitive
  
Regressed: V8: r37179:37180

Minimized Testcase (8.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZrXX41XrzUphfgZRXoajFs3AP4XjQcgagdE3_dH9ZefxLR1VANbvfBgTKjegATvQN4PUMFKdr7Hytj4GLEHji3C0qZvoRu6xSvcZ847zK94qpXwrv8IOQf6SVjACm2y9MaZ2m0fOHQgK3nIndgTyc1pdp3w?testcase_id=6294138870038528

Additional requirements: Requires Gestures

Filer: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Tentatively assigning impact on tip of tree.

The older reward-topanel  issue 622348  has been merged into this one. Please manually review this issue to see if the duplicate is potentially eligible for a reward.

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6008956061483008

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: Stack-use-after-return READ 8
Crash Address: 0x7f6eaf8b5110
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::Builtin_Impl_ArrayPop
  v8::internal::Builtin_ArrayPop
  
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254

Minimized Testcase (9.09 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95yvMxZAaH3w2lwOgIRc8dPYadetH3pAVfnCpBW4uxa_RTf7_1eDcUF5YZWEBDMWcgHGb8z2vDEmQTUQm9J8sp1C1UJCwQS0TrshCVAr16mUTyhnyyxcAmJAX6LwVUOTcoy55r5tHIcgA8SYJCB309wGbNcUA?testcase_id=6008956061483008

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6294138870038528

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: Stack-use-after-return READ 4
Crash Address: 0xf5e53a78
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::JSReceiver::OrdinaryToPrimitive
  v8::internal::JSReceiver::ToPrimitive
  
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254

Minimized Testcase (8.50 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ZrXX41XrzUphfgZRXoajFs3AP4XjQcgagdE3_dH9ZefxLR1VANbvfBgTKjegATvQN4PUMFKdr7Hytj4GLEHji3C0qZvoRu6xSvcZ847zK94qpXwrv8IOQf6SVjACm2y9MaZ2m0fOHQgK3nIndgTyc1pdp3w?testcase_id=6294138870038528

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 37253:37254.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6204317413670912

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: Stack-use-after-return READ 4
Crash Address: 0xd4c86e78
Crash State:
  v8::internal::HandleBase::IsDereferenceAllowed
  v8::internal::ArrayConcatVisitor::visit
  v8::internal::IterateElementsSlow
  
Regressed: V8: r37179:37180
Fixed: V8: r37253:37254

Minimized Testcase (7.06 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97hiFYngfI8zG6Wn7HHcZVMSNzl-cQtxVcExSj29m327ylmQKgTX6VqLajfjtEYrFCHL4rPDMBaHtYXhLRIAfd4cVaAYbhF1kLKUMXpN5da12HM0fOBTH3X4c9IfJ3tHmz_VIQ3Ck8RieWK-JyFXjm9aOir5g?testcase_id=6204317413670912

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The older reward-topanel  issue 622659  has been merged into this one. Please manually review this issue to see if the duplicate is potentially eligible for a reward.

The older reward-topanel  issue 622346  has been merged into this one. Please manually review this issue to see if the duplicate is potentially eligible for a reward.

Is this also affecting M52?

This doesn't affect anything. It was a bug in ToT for 3 days or so.

Removing ReleaseBlock-Beta per #19

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Nice one - $3,500 for this.