Issue metadata
Crash in v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6145192757559296
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0beefdb4
Crash State:
  v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE
  v8::internal::ElementsAccessorBase<v8::internal::SlowSloppyArgumentsElementsAcce
  v8::internal::__RT_impl_Runtime_ArrayIncludes_Slow
Recommended Security Severity: Medium
Regressed: V8: r39415:39416
Minimized Testcase (1.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JN2Tuz13eDTKkgvxBD7NUzZBBV5ZimzoIk9k7ccvNloQVRnIRU0XbwaP1lPu3ico6qQDN3yuxN5Gsp48tD2S_3xdBTDBkjNyKafuq18yUESC0Kfk-yEejCwuuDaUtZMl44PPozBGFo3dERubMkwhCZa06bA?testcase_id=6145192757559296

Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 19 2016

Sep 20 2016
machenbach@ Looks like this regressed at r39416 "Switch ASAN builders to GN" https://codereview.chromium.org/2334003005. I'm not sure why this would cause issues though - any thoughts? Also, it's failing in SloppyArgumentsElementsAccessor, not the simulator. Adding Toon and Camillo who touched this last. Also adding ishell@ (current clusterfuzz sheriff) as FYI.
Sep 20 2016
Could be somehow related to https://codereview.chromium.org/2327103002
Sep 20 2016
See https://groups.google.com/a/google.com/forum/?hl=en#!topic/v8-cf-sheriffs/hXnwfB12Oxg I expected a few bugs found only in GN builds. The root causes are older and could maybe be traced down by locally building older revisions with GN (which is not possible very far though). Or by other kinds of expert debugging of course. Passing the buck to CF sheriffs.
Sep 20 2016
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 21 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2fd6d6093e746b561e8711897707ef7ce0e14467

commit 2fd6d6093e746b561e8711897707ef7ce0e14467
Author: cbruni <cbruni@chromium.org>
Date: Wed Sep 21 10:22:19 2016

[elements] Handlify raw parameter_map pointers for SloppyArgumentsAccessor

Handlify pointers in IncludesValueImpl and DirectCollectElementIndicesImpl.

BUG= chromium:648373
Review-Url: https://codereview.chromium.org/2354773006
Cr-Commit-Position: refs/heads/master@{#39586}

[modify] https://crrev.com/2fd6d6093e746b561e8711897707ef7ce0e14467/src/elements.cc
[add] https://crrev.com/2fd6d6093e746b561e8711897707ef7ce0e14467/test/mjsunit/regress/regress-648373-sloppy-arguments-includesValues.js
Sep 21 2016
ClusterFuzz has detected this issue as fixed in range 39585:39586.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6145192757559296
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x0beefdb4
Crash State:
  v8::internal::SloppyArgumentsElementsAccessor<v8::internal::SlowSloppyArgumentsE
  v8::internal::ElementsAccessorBase<v8::internal::SlowSloppyArgumentsElementsAcce
  v8::internal::__RT_impl_Runtime_ArrayIncludes_Slow
Recommended Security Severity: Medium
Regressed: V8: r39415:39416
Fixed: V8: r39585:39586
Minimized Testcase (1.02 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95JN2Tuz13eDTKkgvxBD7NUzZBBV5ZimzoIk9k7ccvNloQVRnIRU0XbwaP1lPu3ico6qQDN3yuxN5Gsp48tD2S_3xdBTDBkjNyKafuq18yUESC0Kfk-yEejCwuuDaUtZMl44PPozBGFo3dERubMkwhCZa06bA?testcase_id=6145192757559296

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 21 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 27 2016
Issue 649268 has been merged into this issue.
Dec 28 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by penny...@chromium.org, Sep 19 2016
Status: Assigned (was: Untriaged)

Ross, could you help triage this security ticket, and find an appropriate owner? Seems to be inside a V8 arm simulator stack (of which you are the owner):

#4 0xf3a05918 in v8::internal::(anonymous namespace)::SloppyArgumentsElementsAccessor<v8::internal::(anonymous namespace)::SlowSloppyArgumentsElementsAccessor, v8::internal::(anonymous namespace)::DictionaryElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)8> >::GetEntryForIndexImpl(v8::internal::JSObject*, v8::internal::FixedArrayBase*, unsigned int, v8::internal::PropertyFilter) src/elements.cc:2976
#5 0xf3a017df in IncludesValueImpl src/elements.cc:3068:11
#6 0xf3a017df in v8::internal::(anonymous namespace)::ElementsAccessorBase<v8::internal::(anonymous namespace)::SlowSloppyArgumentsElementsAccessor, v8::internal::(anonymous namespace)::ElementsKindTraits<(v8::internal::ElementsKind)8> >::IncludesValue(v8::internal::Isolate*, v8::internal::Handle<v8::internal::JSObject>, v8::internal::Handle<v8::internal::Object>, unsigned int, unsigned int) src/elements.cc:1166
#7 0xf4cde733 in v8::internal::__RT_impl_Runtime_ArrayIncludes_Slow(v8::internal::Arguments, v8::internal::Isolate*) src/runtime/runtime-array.cc:513:36
#8 0xf4cdb4ca in v8::internal::Runtime_ArrayIncludes_Slow(int, v8::internal::Object**, v8::internal::Isolate*) src/runtime/runtime-array.cc:450:1
#9 0xf5a52cba in v8::internal::Simulator::SoftwareInterrupt(v8::internal::Instruction*) src/arm/simulator-arm.cc:1863:26
#10 0xf5a4a503 in DecodeType7 src/arm/simulator-arm.cc:3025:5
#11 0xf5a4a503 in v8::internal::Simulator::InstructionDecode(v8::internal::Instruction*) src/arm/simulator-arm.cc:4119
#12 0xf5a6a53d in v8::internal::Simulator::Execute() src/arm/simulator-arm.cc:4150:7

Thank you!