ho->GetHeap()->Contains(ho) in objects-debug.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5191427692953600

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  ho->GetHeap()->Contains(ho) in objects-debug.cc

Minimized Testcase (3.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jJXXjImgPbrknCPCz4rrl6vkJL_cqdSd3qpY1z6aQXvHFIOeZAEzEtJhh-zg8nLYx6YWjm-HxLUvFv3GzGdIX3E2J12xKwsvAYFYk3YyqNjF7KLPoC3eEMa-YyWPdJqP-k2BD2059JKGnt4oZL8NVEQC3aw?testcase_id=5191427692953600

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 28 2016
Jun 28 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e6076a79516339fd4b6780ec45804097c70c8ea0

commit e6076a79516339fd4b6780ec45804097c70c8ea0
Author: ishell <ishell@chromium.org>
Date: Tue Jun 28 12:40:15 2016

Use proper write barrier mode when creating rest parameters.

BUG= chromium:623912

Review-Url: https://codereview.chromium.org/2109603002
Cr-Commit-Position: refs/heads/master@{#37326}

[modify] https://crrev.com/e6076a79516339fd4b6780ec45804097c70c8ea0/src/runtime/runtime-scopes.cc
Jun 28 2016
Jun 28 2016
ClusterFuzz has detected this issue as fixed in range 37322:37323.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5191427692953600

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  ho->GetHeap()->Contains(ho) in objects-debug.cc

Fixed: V8: r37322:37323

Minimized Testcase (3.33 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95jJXXjImgPbrknCPCz4rrl6vkJL_cqdSd3qpY1z6aQXvHFIOeZAEzEtJhh-zg8nLYx6YWjm-HxLUvFv3GzGdIX3E2J12xKwsvAYFYk3YyqNjF7KLPoC3eEMa-YyWPdJqP-k2BD2059JKGnt4oZL8NVEQC3aw?testcase_id=5191427692953600

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 30 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e0b7d9bd7257d7894a74ceb062e90eea0a8d2eb3

commit e0b7d9bd7257d7894a74ceb062e90eea0a8d2eb3
Author: ishell@chromium.org <ishell@chromium.org>
Date: Thu Jun 30 10:40:38 2016

Version 5.2.361.31 (cherry-pick)

Merged e6076a79516339fd4b6780ec45804097c70c8ea0

Use proper write barrier mode when creating rest parameters.

BUG= chromium:623912
LOG=N
R=mlippautz@chromium.org

Review URL: https://codereview.chromium.org/2111123002 .

Cr-Commit-Position: refs/branch-heads/5.2@{#37}
Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1}
Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332}

[modify] https://crrev.com/e0b7d9bd7257d7894a74ceb062e90eea0a8d2eb3/include/v8-version.h
[modify] https://crrev.com/e0b7d9bd7257d7894a74ceb062e90eea0a8d2eb3/src/runtime/runtime-scopes.cc
Jun 30 2016
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4bbfab8f7d604e4a7bbd53a1c5c96b92c8310c96

commit 4bbfab8f7d604e4a7bbd53a1c5c96b92c8310c96
Author: ishell@chromium.org <ishell@chromium.org>
Date: Thu Jun 30 10:57:28 2016

Version 5.1.281.71 (cherry-pick)

Merged e6076a79516339fd4b6780ec45804097c70c8ea0

Use proper write barrier mode when creating rest parameters.

BUG= chromium:623912
LOG=N
R=mlippautz@chromium.org

Review URL: https://codereview.chromium.org/2116453002 .

Cr-Commit-Position: refs/branch-heads/5.1@{#83}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/4bbfab8f7d604e4a7bbd53a1c5c96b92c8310c96/include/v8-version.h
[modify] https://crrev.com/4bbfab8f7d604e4a7bbd53a1c5c96b92c8310c96/src/runtime/runtime-scopes.cc
Aug 15 2016
May also need to be floated on Node.js 6.x (for V8 5.0), but let us wait for closure on https://github.com/nodejs/node/pull/8054.
Sep 1 2016
Node 6 has upgraded to V8 5.1, so a backport/float for 5.0 is no longer needed.
Sep 28 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jun 28 2016
Status: Assigned (was: Available)