This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Hi Tobias,

Assigning this high-severity security bug to you, due to your sequence of recent CLs that touch escape-analysis.cc.

Please help find an appropriate owner if you determine it is not related to your changes.
Thanks!

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5898438836486144

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x629000109520
Crash State:
  v8::internal::compiler::Node::RemoveUse
  v8::internal::compiler::Node::ReplaceInput
  v8::internal::compiler::VirtualObject::MergeFields
  
Recommended Security Severity: High

Regressed: V8: r41921:41922

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_3QEksFzg2Q0hdNJiMF0SCrVoqfGA7LUthpxDOsp0e27aK4xB9-7BzNYtmxotoWEDLd1YioSuqxUSAUthjkp3qeHiZyW9454-GwHBov2WNvmtu1IKqyEe7eQK1IPxPXDkYbHRAsiTC7OOCzzKOkuH0LOLXA?testcase_id=5898438836486144
function __f_3() {
  var __v_4 = new __f_6();
  var __v_9 = '';
  var __v_8;
  for (__v_8 = 0; __v_8 != 10; __v_8++) {
    __v_9 += __v_20[__v_19]();
  }
  __v_9 = '';
 835727630, function() { this[__v_9]; };
}
__f_3();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

I reverted the responsible patch. This re-introduces a divergence bug, but escape analysis is still staged behind --turbo anyway, so it should not affect releases.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e3ac5a31cb645974b02e1d7b238f6a9c35ab0f5b

commit e3ac5a31cb645974b02e1d7b238f6a9c35ab0f5b
Author: tebbi <tebbi@chromium.org>
Date: Tue Jan 03 11:12:05 2017

Revert of [turbofan] fix another divergence in escape analysis (patchset #1 id:1 of https://codereview.chromium.org/2599793002/ )

Reason for revert:
Caused memory corruption.

BUG= chromium:676767 

Original issue's description:
> [turbofan] fix another divergence in escape analysis
>
> This divergence bug is very similar to the one fixed in https://codereview.chromium.org/2522253002/, this time it is an oscillation between a cleared field and a new phi node. The page http://www.sears.com/clothing-shoes-jewelry-clothing-men-s-clothing-men-s-jeans/b-1325287370?Brand=LEE&filterList=Brand&sortOption=UNITS_HIGH_TO_LOW allows for a reliable reproduction.
>
> This fix makes sure that once a field that generated a phi gets cleared, it always stays cleared.
>
> BUG=chromium:670202
>
> R=bmeurer@chromium.org
>
> Review-Url: https://codereview.chromium.org/2599793002
> Cr-Commit-Position: refs/heads/master@{#41922}
> Committed: https://chromium.googlesource.com/v8/v8/+/8435cc852672c504d5899cc2765c5b895e658efe

TBR=bmeurer@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG=chromium:670202

Review-Url: https://codereview.chromium.org/2611623002
Cr-Commit-Position: refs/heads/master@{#42023}

[modify] https://crrev.com/e3ac5a31cb645974b02e1d7b238f6a9c35ab0f5b/src/compiler/escape-analysis.cc

ClusterFuzz has detected this issue as fixed in range 42022:42023.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5898438836486144

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Use-after-poison READ 8
Crash Address: 0x629000109520
Crash State:
  v8::internal::compiler::Node::RemoveUse
  v8::internal::compiler::Node::ReplaceInput
  v8::internal::compiler::VirtualObject::MergeFields
  
Recommended Security Severity: High

Regressed: V8: r41921:41922
Fixed: V8: r42022:42023

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97_3QEksFzg2Q0hdNJiMF0SCrVoqfGA7LUthpxDOsp0e27aK4xB9-7BzNYtmxotoWEDLd1YioSuqxUSAUthjkp3qeHiZyW9454-GwHBov2WNvmtu1IKqyEe7eQK1IPxPXDkYbHRAsiTC7OOCzzKOkuH0LOLXA?testcase_id=5898438836486144
function __f_3() {
  var __v_4 = new __f_6();
  var __v_9 = '';
  var __v_8;
  for (__v_8 = 0; __v_8 != 10; __v_8++) {
    __v_9 += __v_20[__v_19]();
  }
  __v_9 = '';
 835727630, function() { this[__v_9]; };
}
__f_3();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz has detected this issue as fixed in range 42022:42023.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5128147055149056

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: Use-after-poison WRITE 8
Crash Address: 0x625000074ac8
Crash State:
  v8::internal::compiler::Node::AppendUse
  v8::internal::compiler::VirtualObject::MergeFields
  v8::internal::compiler::VirtualObject::MergeFrom
  
Recommended Security Severity: High

Regressed: V8: r41921:41922
Fixed: V8: r42022:42023

Minimized Testcase (0.74 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94s1wtp8r3Qn8XWEGF8cdrxkEIV3awZtDJI5SS9m4Dlx_8_iw81M_c7CkCOWxaxwFEuVKyy6_ZhD1lyUFc40S46MlHRbiufPE8oHQ0KYdzeEBxVfRm_20X-FOYS3JcJYhWLjwKyin0Rh8SpAkvKL3YcxiaVIA?testcase_id=5128147055149056

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot