Crash in v8::internal::HeapObject::SizeFromMap
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4974666232102912
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows
Crash Type: UNKNOWN READ
Crash Address: 0x60d0ed03
Crash State:
  v8::internal::HeapObject::SizeFromMap
  v8::internal::MarkCompactCollector::EmptyMarkingDeque
  v8::internal::MarkCompactCollector::PrepareForCodeFlushing
Recommended Security Severity: Medium
Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=414808:414882
Minimized Testcase (0.75 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94YQ7Lja8aMjVdejPSG0XyMkAl471IyQd9PXQW5BX9fUZNX6ZeIQsEHxoBjl4G2vW1rTamV8VWItZ28j_maOj-tOrLFgU8ECQAgxz8zjr0Jaov58397PTBIM1eU2tFi56QKWx_KHdtR_brhvnmlTaHfD7N9zg?testcase_id=4974666232102912
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 30 2016
Small repro:
// run with d8 --validate-asm
function m() {
  "use asm";                                    // asm.js module, taken through the validator/wasm path
  function f() { }
  return { f : f };
}
var f = m().f;                                  // exported asm.js function
f.__defineGetter__("name", function() { });     // replace the data property "name" with an accessor
dummy = class extends Int32Array { }            // subclass a builtin; the crash follows in the GC
Bisects to:
commit e5f5ac7d2bbab16d0f83edb6d030dfcd1a28e71f
Author: bradnelson <bradnelson@chromium.org>
Date: Mon Aug 22 21:06:52 2016 -0700
[wasm] asm.js - Remove Wasm.instantiateModuleFromAsm, use asm.js directly.
Make use of %IsAsmWasmCode in place of Wasm.instantiateModuleFromAsm,
in order to reduce the surface area of the Wasm object,
and to focus on testing asm.js coming in via the parser.
Ignore extra CONST_LEGACY assignment introduced by the parser
when modules have the form:
(function Foo(a, b, c) {..});
This requires both a validator and AsmWasmBuilder change.
Move stdlib use collection to import time,
to reject modules that import a function, even if not used.
BUG= https://bugs.chromium.org/p/v8/issues/detail?id=4203
LOG=N
R=jpp@chromium.org,titzer@chromium.org
Review-Url: https://codereview.chromium.org/2264913002
Cr-Commit-Position: refs/heads/master@{#38806}
Aug 30 2016
Aug 30 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 30 2016
Sep 1 2016
Sep 2 2016
Per discussion moving this to ReleaseBlock-Stable since the relevant code isn't enabled by default for users.
Sep 13 2016
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 27 2016
bradnelson: Uh oh! This issue still open and hasn't been updated in the last 28 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 28 2016
Friendly ping, this is a stable blocker for M54, please try to have a fix in by the first week of October so it can be fixed in time for the release.
Oct 5 2016
I've repro-ed this.
It currently affects a feature behind a flag in M54, so it certainly doesn't need to block M54 going to stable.
I'm at a loss why it's happening, probably need to grab some time from munich folk to debug.
It doesn't seem to be related to Int32Array, as this fails the same way:
function m() {
  "use asm";                                            // same asm.js module as the first repro
  function f() { }
  return { f : f };
}
m().f.__defineGetter__("name", function() { });        // same "name" data-to-accessor mutation
dummy = class extends Error { }                         // Error instead of Int32Array; fails the same way
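The two repros above differ only in the builtin being subclassed, so the interesting part is what the middle line does to the exported asm.js function. The following is an added example, not code from the bug report or from V8: it records the own "name" property descriptor of the exported function before and after `__defineGetter__`, then runs the subclassing step against both Int32Array and Error. It does not reproduce the crash (that needed d8 --validate-asm on the regressed build); it only makes the object-level transition visible, which is the first thing a triager wants to pin down. The module `m` is the repro's shape, rebuilt here; `describeNameTransition` and `subclassAfterMutation` are helper names chosen for this example.

```javascript
// Added example; not part of the bug report. Runs under Node or d8.
// Same module shape as the repro, constructed here for the example.
function m() {
  "use asm";
  function f() { }
  return { f : f };
}

// Snapshot the own "name" descriptor of fn, convert it to an accessor exactly
// the way the repro does (Annex B __defineGetter__), and snapshot it again.
// ES2015 gives functions a data property "name" that is non-writable,
// non-enumerable and configurable; __defineGetter__ replaces it with an
// accessor that is enumerable and configurable.
function describeNameTransition(fn) {
  var before = Object.getOwnPropertyDescriptor(fn, "name");
  fn.__defineGetter__("name", function () { });
  var after = Object.getOwnPropertyDescriptor(fn, "name");
  return {
    before: {
      kind: "value" in before ? "data" : "accessor",
      value: before.value,
      writable: before.writable,
      enumerable: before.enumerable,
      configurable: before.configurable
    },
    after: {
      kind: "get" in after ? "accessor" : "data",
      enumerable: after.enumerable,
      configurable: after.configurable,
      getterResult: fn.name   // the getter above returns undefined
    }
  };
}

// The repro's final step: define a class deriving from a builtin (Int32Array in
// the first repro, Error in the second). On a fixed build this simply works; the
// return value confirms the subclass is wired up after the name mutation above.
function subclassAfterMutation(Base) {
  var Sub = class extends Base { };
  return new Sub() instanceof Base && Object.getPrototypeOf(Sub) === Base;
}

var transition = describeNameTransition(m().f);
console.log(JSON.stringify(transition, null, 2));
console.log("Int32Array subclass ok:", subclassAfterMutation(Int32Array));
console.log("Error subclass ok:", subclassAfterMutation(Error));
```

Note that the module is validated as asm.js in any engine that does so by default (current V8 does, the 2016 d8 needed --validate-asm), so the function you inspect is the same kind of exported function the fuzzer hit; on engines that reject the module you still get a plain JS function with the same descriptor shape.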
Oct 5 2016
Oct 5 2016
Bumping priority back up.
Oct 5 2016
Impact none if still behind a flag.
Dec 15 2016
ClusterFuzz testcase 4974666232102912 is flaky and no longer reproduces, so closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 23 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by infe...@chromium.org, Aug 29 2016
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)