size <= Page::kMaxRegularHeapObjectSize in runtime-internal.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6256593987698688
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State: size <= Page::kMaxRegularHeapObjectSize in runtime-internal.cc
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=410288:410289
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94Rgmd658Tx4rs0hRVRpR-vSH8D3zMuFxxmlKAzbz9ToiaNVVZK5ILCxOo7miv3fcBZ_42DmjNTEkzZZJGHQkDNHxefZODzopoK2Vq2NDSmRCeQpsU-25yEtvSQf_8G_-ionyFxa-7l3XYTn3erEfC77lZK5A?testcase_id=6256593987698688
Issue manually filed by: mmohammad
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Aug 9 2016
Reproduces with tip-of-tree on ia32 as follows ...
$ git checkout 613e29b18df0b8230e66f3c6392e13541d111248
$ make -j1000 ia32.debug
$ ./out/ia32.debug/d8 --random-seed=1581654216 --expose-gc --allow-natives-syntax ~/Downloads/fuzz-00151.js

Aug 9 2016
Caused by FastCloneShallowArrayStub trying to allocate a large array in new-space.

Aug 10 2016

Sep 6 2016

Sep 7 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5039217220780032
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Regressed: V8: r38915:38916
Minimized Testcase (8.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94M6vEzSbMcOufMKU9-fDIOy8Mp-TFc_ckFXo6u79QHC7r2NVgjjz20Z4YGasIya0iApeuzEUg4Qo3V8vt9sD1bGvr-tvw-6yqBwTVXZUvrM3mbdx9NpZUJi9VwrTKrsNE_gExeTv1eCHrfmEu4jfy52RpXKw?testcase_id=5039217220780032
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Sep 8 2016

Sep 8 2016
I can't reproduce fuzz-00151.js (the original report) on 279bc5096badf7a9f4134d433d8fd70d6d4a6f9c (from this morning) on ia32/x64 with Michi's command line, and the other case doesn't reproduce on those archs either. I can reproduce the other bug on a local mips build. Taking a look at my TF stub. It seems like all usage of the FastCloneShallowArrayStub should be and are guarded by a check against JSArray::kInitialMaxFastElementArray (https://cs.chromium.org/chromium/src/v8/src/objects.h?sq=package:chromium&dr=C&l=10612 ). Could there be something wrong with that calculation for mips? Investigating...

Sep 12 2016
From my testing fuzz-00151.js is fixed at head and 643596 is actually a different issue. I'm bisecting to find out what fixed this one.

Sep 12 2016
This was fixed by 3b8ad45e0f3006dd4351d96b95427453df2bf619 which reduced JSArray::kInitialMaxFastElementArray and Page::kMaxRegularHeapObjectSize which appear in the checks I mentioned above.
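The diagnosis spread over the comments above (the stub allocates a large array in new-space; its uses are guarded by JSArray::kInitialMaxFastElementArray; the fix lowered that bound together with Page::kMaxRegularHeapObjectSize) reduces to one invariant: the fast path may allocate in new-space only if the whole allocation is at most the regular-object limit, so the element bound must be derived from that limit with every piece of overhead accounted for. The block below is an added, stand-alone C++ model of that guard written for this page; it is not V8's code, and its constants, object sizes, the extra memento and the CHECK stand-in are simplified assumptions. It contrasts a bound derived from the limit with a sloppy bound that forgets part of the overhead, and shows the sloppy one admitting a length whose allocation trips the size check.

```cpp
#include <cstddef>
#include <stdexcept>
#include <cstdio>

// Simplified model of the new-space size guard. All values are assumptions for
// illustration, not V8's real layout or constants.
namespace model {

constexpr size_t kPointerSize = 4;                         // assumed 32-bit target
constexpr size_t kMaxRegularHeapObjectSize = 512 * 1024;   // assumed regular-object limit
constexpr size_t kFixedArrayHeaderSize = 2 * kPointerSize; // assumed: map + length
constexpr size_t kJSArraySize = 4 * kPointerSize;          // assumed JSArray object size
constexpr size_t kAllocationMementoSize = 2 * kPointerSize; // assumed memento on the fast path

// Bytes the fast clone path needs for a literal of `length` elements:
// elements backing store + the JSArray itself + the allocation memento.
constexpr size_t CloneAllocationSize(size_t length) {
  return kFixedArrayHeaderSize + length * kPointerSize + kJSArraySize + kAllocationMementoSize;
}

// Bound derived from the limit: largest length whose whole allocation still fits.
constexpr size_t kInitialMaxFastElementArray =
    (kMaxRegularHeapObjectSize - kFixedArrayHeaderSize - kJSArraySize - kAllocationMementoSize) /
    kPointerSize;

// Sloppy bound that forgets the JSArray and memento overhead, the kind of
// per-target miscalculation the Sep 8 comment asks about.
constexpr size_t kSloppyMaxFastElementArray =
    (kMaxRegularHeapObjectSize - kFixedArrayHeaderSize) / kPointerSize;

struct CheckFailure : std::runtime_error {
  using std::runtime_error::runtime_error;
};

// Stand-in for the CHECK in the runtime allocation helper.
inline size_t AllocateInNewSpace(size_t size) {
  if (!(size <= kMaxRegularHeapObjectSize)) {
    throw CheckFailure("size <= kMaxRegularHeapObjectSize");
  }
  return size;
}

enum class Path { kFastStub, kRuntimeFallback };

// The stub's decision: take the fast path only when `length` is within `bound`;
// otherwise fall back to the runtime, which may use large-object space.
inline Path CloneShallowArray(size_t length, size_t bound) {
  if (length <= bound) {
    AllocateInNewSpace(CloneAllocationSize(length));
    return Path::kFastStub;
  }
  return Path::kRuntimeFallback;
}

// True if every length the bound admits really fits under the limit.
inline bool BoundIsSound(size_t bound) {
  return CloneAllocationSize(bound) <= kMaxRegularHeapObjectSize;
}

// True if cloning `length` elements under `bound` trips the size check.
inline bool FastPathTripsCheck(size_t length, size_t bound) {
  try {
    CloneShallowArray(length, bound);
  } catch (const CheckFailure&) {
    return true;
  }
  return false;
}

}  // namespace model

int main() {
  using namespace model;
  std::printf("derived bound: %zu elements (%s)\n", kInitialMaxFastElementArray,
              BoundIsSound(kInitialMaxFastElementArray) ? "sound" : "UNSOUND");
  std::printf("sloppy bound:  %zu elements (%s)\n", kSloppyMaxFastElementArray,
              BoundIsSound(kSloppyMaxFastElementArray) ? "sound" : "UNSOUND");
  std::printf("sloppy bound trips CHECK at its own maximum: %s\n",
              FastPathTripsCheck(kSloppyMaxFastElementArray, kSloppyMaxFastElementArray) ? "yes" : "no");
  return 0;
}
```

The point of the model is that the two constants are not independent: whatever the regular-object limit is on a given target, the element bound has to be recomputed from it with the full fast-path allocation size, or the stub admits a length the runtime CHECK rejects.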

Sep 13 2016
I can still reproduce this with the report referenced in comment #6 on tip of tree as follows. Please don't close this issue yet.
$ python ~/Development/sources/clusterfuzz-data/fuzzers/langfuzz_cf/launcher.py ~/Development/v8.git/out/mipsel.debug/d8 --random-seed=378167002 fuzz-langfuzz-cfdependency-266.tgz.txt

Sep 13 2016
Yes, that one I can also still reproduce. I wrote on the merged issue for the clusterfuzz report in #6 https://bugs.chromium.org/p/chromium/issues/detail?id=643596 that that one doesn't seem to arise from FastCloneShallowArrayStub, but FastArrayPush. Haven't had time yet to look at it in more detail. The original report here however seems fixed.

Sep 15 2016
ClusterFuzz has detected this issue as fixed in range 39406:39407.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5039217220780032
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Regressed: V8: r38915:38916
Fixed: V8: r39406:39407
Minimized Testcase (8.32 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94M6vEzSbMcOufMKU9-fDIOy8Mp-TFc_ckFXo6u79QHC7r2NVgjjz20Z4YGasIya0iApeuzEUg4Qo3V8vt9sD1bGvr-tvw-6yqBwTVXZUvrM3mbdx9NpZUJi9VwrTKrsNE_gExeTv1eCHrfmEu4jfy52RpXKw?testcase_id=5039217220780032
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Sep 16 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6562418631376896
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Regressed: V8: r39105:39106
Minimized Testcase (5.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94uE63bsP7dP2BgZtdICIcwcXRDEgkJnE5WkId517bHsUJpPjL-0PiLC3upzhg2sejhkMKMcsJ1t2r2mkf_4kTHKjxRQiG-N8TgjjsA8b_JA6AXhrxuhz2u42V9tSxZEaaJvWmCuJwA6jUQ2TvyjCtzhkf8eg?testcase_id=6562418631376896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Oct 1 2016
ClusterFuzz has detected this issue as fixed in range 39921:39922.
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6562418631376896
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: size <= kMaxRegularHeapObjectSize in runtime-internal.cc
Regressed: V8: r39105:39106
Fixed: V8: r39921:39922
Minimized Testcase (5.60 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94uE63bsP7dP2BgZtdICIcwcXRDEgkJnE5WkId517bHsUJpPjL-0PiLC3upzhg2sejhkMKMcsJ1t2r2mkf_4kTHKjxRQiG-N8TgjjsA8b_JA6AXhrxuhz2u42V9tSxZEaaJvWmCuJwA6jUQ2TvyjCtzhkf8eg?testcase_id=6562418631376896
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Dec 8 2016
ClusterFuzz testcase 5945638380634112 is verified as fixed, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 1 by mmohammad@chromium.org, Aug 8 2016
Status: Assigned (was: Untriaged)