map->instance_type() == JS_REGEXP_TYPE || map->instance_type() == JS_OBJECT_TYPE
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6649885789257728
Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: map->instance_type() == JS_REGEXP_TYPE || map->instance_type() == JS_OBJECT_TYPE
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=300095:300119
Minimized Testcase (502.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XMBshb7Tfaj6-kPtE-IPaK4uZmni6fBNTRyPw7_-CuA29CUz8wMV9Uel_xoLKWV9aFmJPEhaivvWeA4B5wQNuqZsFFHEyWQGTZpEsCOwjvhGv9KeJle1dwR0HHvv0DLvB6LuWyFHPwURitrRYhhkI1xBKt7-AaMy2JZgINIPtYvw6tBk?testcase_id=6649885789257728
Filer: nyerramilli
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 14 2016
The Heap::CopyJSObject fails when it tries to copy an object whose map->instance_type() is JS_VALUE_TYPE. Unlikely that my changes could have caused this problem. cc'ing jochen who might know the code better.
Jul 14 2016
Object::Clone doesn't work for arbitrary objects - PDFium should make sure to not attempt to copy arbitrary things, but just things it knows are safe to copy
Jul 14 2016
Would it be too much to ask to have a IsSafeToClone() method in v8::Object given the above constraint so that PDFium doesn't have to guess about v8's restrictions?
Jul 14 2016
How would you use such an API? Would you have some other way to copy as a fallback? Could we just use that fallback always?
Jul 14 2016
I'm assuming it's a weird corner case, so I'd just throw an error.
Jul 14 2016
Actually, it's more like a weird corner case when this API actually works, and this check is supposed to just protect against the most obvious bugs. I'm trying to remove the API from v8 but we still need it for performance reasons in blink :(
Jul 14 2016
https://bugs.chromium.org/p/chromium/issues/detail?id=454595 supposedly fixed this back when this was initially reported.
Jul 14 2016
The fix to bug 454595 just avoided one path that hit this. This looks to be a different path.
Jul 14 2016
Ok, so I'm left wondering why we're cloning it at all instead of just creating another handle. Can you give me info on why one would want to do this in the first place?
Jul 14 2016
I guess because of wrong assumptions about what the API does? :) It's a shallow copy which we added for Blink so it would cache the result of creating new DOM wrappers from FunctionTemplates, and then just clone them out of a boilerplate cache. Meanwhile, v8 also has such a cache internally, but it's a bit slower than Blink's, so we can't yet delete Blink's cache. Shallow copy means that you get a new object, but it shares the prototype and everything else with the cloned object.
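The following is an added example, not code from PDFium, V8 or anyone in this thread. It models in JavaScript the constraint the comment above describes: the clone is a shallow copy that shares the prototype with the original, and V8's CHECK only admits plain objects (JS_OBJECT_TYPE) and RegExps (JS_REGEXP_TYPE), while the crashing input was a JS_VALUE_TYPE object, i.e. a primitive wrapper such as `new Number(1)`. The `isSafeToClone()` function stands in for the IsSafeToClone() method proposed earlier in the thread; its classification is an assumption that approximates V8's instance types, not V8's own logic.

```javascript
// Added example (hypothetical helper, not PDFium or V8 code). isSafeToClone()
// approximates the CHECK in Heap::CopyJSObject; shallowClone() has the
// semantics described in the thread: new object, shared prototype, shared
// property values. Unsupported kinds are refused with an error rather than
// crashing the embedder.

// Slot-based probes: each valueOf throws a TypeError unless the receiver
// really carries the matching internal slot ([[NumberData]] etc.), so a
// wrapper object that spoofs Symbol.toStringTag is still detected.
const WRAPPER_PROBES = [Number, String, Boolean, Symbol]
  .concat(typeof BigInt === 'function' ? [BigInt] : [])
  .map((ctor) => ctor.prototype.valueOf);

function isPrimitiveWrapper(value) {
  return WRAPPER_PROBES.some((probe) => {
    try {
      probe.call(value);
      return true;
    } catch (e) {
      return false;
    }
  });
}

// Assumption: "plain object or RegExp" approximates JS_OBJECT_TYPE /
// JS_REGEXP_TYPE. Arrays, Dates, Maps, functions, primitives and primitive
// wrappers (JS_VALUE_TYPE, the case that crashed here) are all rejected.
function isSafeToClone(value) {
  if (value === null || typeof value !== 'object') return false;
  if (isPrimitiveWrapper(value)) return false;
  const tag = Object.prototype.toString.call(value);
  return tag === '[object Object]' || tag === '[object RegExp]';
}

// Shallow copy: the clone shares the original's prototype and its property
// values (nested objects are shared, not copied), like the API in the thread.
function shallowClone(value) {
  if (!isSafeToClone(value)) {
    throw new TypeError(
      'shallowClone: unsupported object ' + Object.prototype.toString.call(value));
  }
  const isRegExp = Object.prototype.toString.call(value) === '[object RegExp]';
  const copy = isRegExp
    ? new RegExp(value.source, value.flags)        // a real RegExp, not Object.create
    : Object.create(Object.getPrototypeOf(value)); // same prototype, no constructor call
  for (const key of Reflect.ownKeys(value)) {
    Object.defineProperty(copy, key, Object.getOwnPropertyDescriptor(value, key));
  }
  return copy;
}
```

An embedder that guards its clone calls this way gets a catchable TypeError for a wrapper object instead of a CHECK failure; the probes use the wrappers' internal slots rather than `instanceof` or toString tags, so they hold even when the object comes from another realm or has a forged `Symbol.toStringTag`.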
Jul 14 2016
https://pdfium.googlesource.com/pdfium/+/88b6686f6e56a01dab0172f4b3129ab7ae0cd8d8
Jul 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/58c13a6e2a92373ba89007442e8439905e1987e4
commit 58c13a6e2a92373ba89007442e8439905e1987e4
Author: thestig <thestig@chromium.org>
Date: Tue Jul 19 01:51:26 2016
Roll PDFium dbc7716..fdb35ff
https://pdfium.googlesource.com/pdfium.git/+log/dbc7716..fdb35ff
BUG=409472, 628106
TBR=ochang@chromium.org
Review-Url: https://codereview.chromium.org/2162723002
Cr-Commit-Position: refs/heads/master@{#406171}
[modify] https://crrev.com/58c13a6e2a92373ba89007442e8439905e1987e4/DEPS
Jul 20 2016
ClusterFuzz has detected this issue as fixed in range 406033:406232.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6649885789257728
Fuzzer: ifratric_pdf_generic
Job Type: linux_asan_pdfium
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: map->instance_type() == JS_REGEXP_TYPE || map->instance_type() == JS_OBJECT_TYPE
Regressed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=300095:300119
Fixed: https://cluster-fuzz.appspot.com/revisions?job=linux_asan_pdfium&range=406033:406232
Minimized Testcase (502.35 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94XMBshb7Tfaj6-kPtE-IPaK4uZmni6fBNTRyPw7_-CuA29CUz8wMV9Uel_xoLKWV9aFmJPEhaivvWeA4B5wQNuqZsFFHEyWQGTZpEsCOwjvhGv9KeJle1dwR0HHvv0DLvB6LuWyFHPwURitrRYhhkI1xBKt7-AaMy2JZgINIPtYvw6tBk?testcase_id=6649885789257728
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 15 2017
Comment 1 by nyerramilli@chromium.org, Jul 14 2016
Labels: findit-wrong Te-Logged M-52
Owner: mythria@chromium.org
Status: Assigned (was: Available)