!v8::internal::FLAG_enable_slow_asserts || (object->IsScript()) in objects-inl.h |
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5178729206906880
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsScript()) in objects-inl.h
Regressed: V8: r37974:37975
Minimized Testcase (7.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97aTFxjr7o1w-Gx7EXutCnoRG34aJzN75Yxq_j2vf4ewr7vUdIUUMalUZ0FU4tbbo3JESBdsynb3bwAPs2iR4HBVFqrXJ5XetynDW-oNRzGRjo6LnQNtuI6FZa7JdvUjK010dazv3zUhHLbHDb4wBGzSuUvog?testcase_id=5178729206906880
Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by hablich@chromium.org, Jul 25 2016
Bisects to c8a0dce96c989ea56632613215aa172352cbf9ec.

Smaller repro:
out/x64.debug/d8 --predictable --enable-slow-asserts test.js

==== test.js ====
Error.prepareStackTrace = function(exception, frames) {
  return frames[0].getEvalOrigin();
}
NaN(0, DataView(__defineGetter__));
Jul 28 2016
Minimized test case:
---
Error.prepareStackTrace = function(exception, frames) {
  return frames[0].getEvalOrigin();
}
DataView();
---
The DataView constructor throws because it needs to be called with 'new'. It's implemented as a CPP builtin, so it doesn't have a script, which in turn triggers the crash.
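A defensive counterpart to the minimized test case, added here as an example rather than code taken from the bug report: the hook below summarises each V8 CallSite without assuming the frame belongs to a script, consults getEvalOrigin() only for eval frames, and provokes the same DataView()-without-new throw to show what the frames look like. The function names (describeFrame, captureFrames, callWithoutNew, demo) are this example's own, and it assumes a V8-based runtime such as Node.js that exposes Error.prepareStackTrace and the CallSite API.

```javascript
// Summarise one V8 CallSite without assuming it is backed by a script.
// Builtin frames (such as the C++ DataView constructor) report isNative()
// or carry no file name, so only eval frames are asked for an eval origin.
function describeFrame(frame) {
  const fileName = frame.getFileName();
  const summary = {
    fn: frame.getFunctionName() || '<anonymous>',
    file: fileName === undefined || fileName === null ? '<no script>' : fileName,
    native: frame.isNative(),
    constructor: frame.isConstructor(),
  };
  if (frame.isEval()) {
    summary.evalOrigin = frame.getEvalOrigin();
  }
  return summary;
}

// Install the hook, run fn, restore the previous hook, and return the
// caught error together with the structured frames collected for it.
function captureFrames(fn) {
  const previous = Error.prepareStackTrace;
  Error.prepareStackTrace = (err, frames) => frames.map(describeFrame);
  try {
    fn();
    return { error: null, frames: [] };
  } catch (err) {
    // Reading .stack is what invokes prepareStackTrace (lazily, on first access).
    return { error: err, frames: err.stack };
  } finally {
    Error.prepareStackTrace = previous;
  }
}

// The pattern from the minimized test case: a builtin constructor called
// without `new`, which throws a TypeError from inside the C++ builtin.
function callWithoutNew() {
  return DataView();
}

// Runs the scenario and returns { error, frames } for inspection.
function demo() {
  return captureFrames(callWithoutNew);
}
```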
Jul 31 2016
ClusterFuzz has detected this issue as fixed in range 38132:38133.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5178729206906880
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: !v8::internal::FLAG_enable_slow_asserts || (object->IsScript()) in objects-inl.h
Regressed: V8: r37974:37975
Fixed: V8: r38132:38133
Minimized Testcase (7.20 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97aTFxjr7o1w-Gx7EXutCnoRG34aJzN75Yxq_j2vf4ewr7vUdIUUMalUZ0FU4tbbo3JESBdsynb3bwAPs2iR4HBVFqrXJ5XetynDW-oNRzGRjo6LnQNtuI6FZa7JdvUjK010dazv3zUhHLbHDb4wBGzSuUvog?testcase_id=5178729206906880

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot