
Issue 626239

Issue metadata

Status: Verified
Owner: ----
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




Crash in v8::internal::Invoke

Project Member Reported by ClusterFuzz, Jul 7 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5538401638154240

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: V8: r37188:37189

Minimized Testcase (0.31 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97KhE2th-hvJOBT30QuR9jjzxm4e1LFfCSpfDoYx_xCbdYy0vPFH4qThIl77gALCbWzn4nut520wJUgQBnkTJmJugauflzdL_C8JDEQH9WcbYg5opj7_NMZ5c2x0zJGA8lZaKYWxJidi7cxasVM9aaqUAnnMw?testcase_id=5538401638154240
"use strict";
var __v_3 = {};
// Add 10,000 enumerable properties to Object.prototype so that every
// for-in enumeration walks a very long list of inherited keys.
for (var __v_2 = 0; __v_2 < 10*1000; __v_2++) {
  Object.prototype['generatedProperty'+__v_2] = true;
}
function __f_9(x) {
  var __v_14 = [];
  // Empty loop body: the for-in enumeration itself is the point.
  for (let __v_11 in x);
  return __v_14.sort();
}
__f_9().length;   // for-in over undefined enumerates nothing
__v_3[-1] = 0;    // add an own property whose key ("-1") is not an array index
__f_9(__v_3).length;
__f_9(__v_3).length;
__f_9(__v_3).length;


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Project Member

Comment 1 by ClusterFuzz, Jul 12 2016

ClusterFuzz has detected this issue as fixed in range 37667:37668.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5538401638154240

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: V8: r37188:37189
Fixed: V8: r37667:37668


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 2 by ClusterFuzz, Jul 12 2016

Labels: ClusterFuzz-Verified
Status: Verified (was: Available)
ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 3 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
