PTAL

Might be a similar to  issue 635664 , which is stubs/builtins not respecting the LO space limit. This will eventually go away once they are converted to TF (which is already in progress).

Checked that we indeed call from FastCloneShallowArrayStub. Merging. *duck*

From my testing this doesn't appear to be the FastCloneShallowArrayStub, but FastArrayPush, somewhere in the FAST_HOLEY_DOUBLE_ELEMENTS case.

ClusterFuzz has detected this issue as fixed in range 39921:39922.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5945638380634112

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= Page::kMaxRegularHeapObjectSize in runtime-internal.cc
  
Regressed: V8: r38915:38916
Fixed: V8: r39921:39922

Minimized Testcase (0.06 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94vQaVNMi7_orah2o3E2Q6d5JEb0SGji1MMY4BJFkRnd1IXUWFHG9HH76Du_0dYvob_L8sn0ll2znG5yDoDuVkkLJeFno1OnpuGtrpOMu5btO_jTtXWukBq2751v8vt0uuXdV58IYiwU22ePfdRNC76OyJWxA?testcase_id=5945638380634112
__v_2 = [1.2];
__v_2.length = 65535;
__v_2.push('0' && 0 );


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot