This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Bisect looks plausible (0d06e42b690cfe80454c7f065c382f2b7200a40f). Michael, can you take a look please?

ClusterFuzz has detected this issue as fixed in range 45732:45733.

Detailed report: https://clusterfuzz.com/testcase?key=5347392747732992

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (!owned || FindObject(address)->IsHea
  v8::internal::LargeObjectSpace::Contains
  v8::internal::Heap::Contains
  
Sanitizer: address (ASAN)

Regressed: V8: 45646:45647
Fixed: V8: 45732:45733

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5347392747732992


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5347392747732992 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M61 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), ketakid@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

+ awhalley@ (Security TPM) for M61 merge review.

Fix range is in 61, no need for merge.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot