This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This is a problem with tail calls.

Friendly ping, this is currently a Beta-blocker and needs to get fixed and merged as soon as feasible, as M54 is going to beta this Thursday 9/8

Moving to ReleaseBlock-Stable to keep track of this for M54

ClusterFuzz has detected this issue as fixed in range 39580:39599.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5587318973136896

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000bfff7fff
Crash State:
  v8::internal::Runtime_ThrowCalledNonCallable
  v8::internal::Invoke
  v8::internal::Execution::Call
  
Regressed: V8: r37752:37779
Fixed: V8: r39580:39599

Minimized Testcase (0.71 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95XFLHFQyJ3dr0KG2Ce7HY7XKDmGQ22TWMZmtaXvDwBWiME4O1U2xynjstbCkP9cY4XQtWQzNFIC8GdGDgj3EuuCLczUyOKbUwOzxs_5-5uERnS_rWu_5E9OnyyuwKwPDBP7vfUbv9vBSdGb811gK3wvvHPAw?testcase_id=5587318973136896

Additional requirements: Requires Gestures

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Oh, I just realized that I fixed this as part of  issue 648539  without realizing that this security issue exists. I don't know the history of this issue, but feel free to merge it into  issue 648539  if there is nothing else actionable here besides the fix.

Awesome! Thanks!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot