This will be fixed with the asm.js validator as it involves invalid asm.js code. Hence most likely a WontFix in the AstGraphBuilder. I'll hold this for now.

 Issue 736663  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 46282:46284.

Detailed report: https://clusterfuzz.com/testcase?key=4994045553410048

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: c6e
  
Sanitizer: address (ASAN)

Regressed: V8: 45924:45925
Fixed: V8: 46282:46284

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4994045553410048


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Is this really fixed by comment 6? Or does that maybe fix a particular instance only?

ClusterFuzz testcase 4994045553410048 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Please verify this manually as it looks more like an accidental fix.

Re #9: Yes, this is just an "accidental fix", my guess is due to changes of property enumeration order. Status of this issue is unchanged since comment #3, this is a WontFix in the AstGraphBuilder and will be fixed by shipping the asm.js validator.

 Issue 739171  has been merged into this issue.

 Issue 740545  has been merged into this issue.

This is fixed as of 961a2c885d82502e7c90915883443435d27762d0.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.