Crashes Chrome Canary 59.0.3043.0 and 57.0.2987.0 on OS X.

https://crash.corp.google.com/browse?q=reportid=%27d1d5bf1480000000%27

Deleted: crashme.html 190 bytes

crashme.html 190 bytes View Download

<script>
arr = [];
for (let i = 0; i < 49079; i++) arr[i] = [];
unk = {valueOf: function() { arr.length = 0; }};
arr.indexOf({}, unk);
</script>

Interestingly, the repro seems to be sensitive to the upper-bound value of the loop, and it crashes with a slightly lower top-bound on Canary than on Stable. 

Users experienced this crash on the following builds:

Mac Dev 58.0.3029.19 -  0.63 CPM, 3 reports, 3 clients (signature v8::internal::`anonymous namespace'::Invoke)
Linux Beta 57.0.2987.98 -  1.16 CPM, 30 reports, 22 clients (signature v8::internal::`anonymous namespace'::Invoke)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This appears to be a pure JavaScript problem, no DOM involvement.

Heh. Isn't this just  Issue 702058 ?

Users experienced this crash on the following builds:

Mac Canary 59.0.3043.0 -  0.82 CPM, 4 reports, 4 clients (signature v8::internal::`anonymous namespace'::Invoke)
Linux Beta 57.0.2987.98 -  1.15 CPM, 31 reports, 22 clients (signature v8::internal::`anonymous namespace'::Invoke)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

I concur.  

ClusterFuzz has detected this issue as fixed in range 456626:457732.

Detailed report: https://clusterfuzz.com/testcase?key=6192679416496128

Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: UNKNOWN
Crash Address: 0x14cf2b3e3000
Crash State:
  NULL
Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=416628:416781
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=456626:457732

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94FsMXRIiDRC7E_cCx7TgHjPHxttbs60qSqY6dmjvigt2sCQo5rgHottFBWCj1ayXl4oiJCe1fPOu92vtVrEe6n45rhVfrbhlJApP5BuIC9twbfVdI8GQuB5Z896S2Le0-HHj2Oq6k9zK_EpPaoo2mkkO_gszzp_LZY0iyC14T6p_itu8GcID26tcJgVq0_qlfZlE_5kCd2cUZeWZPDojzU8vJSYeECuhscY-W6_qF5qQ9JRassZH_FdZ5rLs4x-V6Ca7rrUzajUbJH2-7NHwA9B9mQM8VWCOmp0zqduj_Cv5zmXuVu_jniFbV9h-3El6KeHvJLUp4TmiNnaNJ_Xp6PRxU2qSCA6ye9ELib1cOsBeVFeZJBqQ4stQm12IL_ucViFp1tfiz-NXSheTWm84Mt6N6bWQ?testcase_id=6192679416496128


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot