Regression range points to 067e9e295fa50a3d4a5eb77e6515f30df944069f, but the stack trace looks more like related to  issue 669517 , not sure.

 Issue 669646  has been merged into this issue.

 Issue 669767  has been merged into this issue.

Yeah pretty certain this is related to  issue 669517 , it's just blowing up a different way because the random garbage it's accessing on the stack is different. Not sure why the regression range points at the compilation cache CL though, that seems strange.

ClusterFuzz has detected this issue as fixed in range 41386:41387.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5946484236484608

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Map::instance_type
  IsHeapNumber
  IsHeapNumber
  
Regressed: V8: r41355:41356
Fixed: V8: r41386:41387

Minimized Testcase (5.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97pP5Tc3rU8lsKDxkoqdyw8C4CgYeiajg5eSlC_8tZgtdRkStKA2EnzS2osuqJJSPIpJ9RUDT2sL2-XF2Xl6-l7ITifza8a4rCw-YhOyKh1Swxf9Fc8iAw_hp-FwZXEMDkgi97FdPXWHOMg9nt6kjo-Tx6W2A?testcase_id=5946484236484608

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.