Issue 740317  has been merged into this issue.

This is caused by constructing a function name exceeding string length boundaries when prepending the "get" prefix for getters. This causes a RangeError that is not correctly propagated. The regression range is bogus, the bug seems to be present since the beginning, AFAICT it is already present in 21c045a2fafd171272c53b17a5d495f5be100662. Here is a simplified repro ...

function f() {
  var o = { get[g()]() {} };
  return o;
} 
function g() {
  var str = "";
  for (var i = 0; i < 24; i++) {
    str += "abcdefgh12345678" + str;
  }
  return str; 
}
f();

Adam, would you be willing to take a look? Feel free to throw back if you are not the right owner for this.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Are there any security implications from this ?

Re #7: The "CHECK" in question is a release-check and will also fire in release builds of V8. Also, if the check would not fire, then this should only lead to a safe nullptr-deref. So I don't think there are any security implications from this.

Thanks, removing tags.

Will look into this today.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/873d51673a20809960f9959b3c57942a506a595e

commit 873d51673a20809960f9959b3c57942a506a595e
Author: Adam Klein <adamk@chromium.org>
Date: Wed Jul 12 18:32:39 2017

Propagate exceptions from JSFunction::SetName as needed

JSFunction::SetName can fail if it tries to create a string with
length > String::kMaxLength (either by prepending "set "/"get " or
by surrounding a Symbol descriptor with "["/"]").

This patch propagates that exception to the surrounding code rather
than CHECK-failing.

Bug:  chromium:740398 
Change-Id: I394943af481f3147387dd82ec5862d7071d57827
Reviewed-on: https://chromium-review.googlesource.com/566092
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Mircea Trofin <mtrofin@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46601}
[modify] https://crrev.com/873d51673a20809960f9959b3c57942a506a595e/src/compiler/linkage.cc
[modify] https://crrev.com/873d51673a20809960f9959b3c57942a506a595e/src/objects.cc
[modify] https://crrev.com/873d51673a20809960f9959b3c57942a506a595e/src/objects.h
[modify] https://crrev.com/873d51673a20809960f9959b3c57942a506a595e/src/runtime/runtime-object.cc
[modify] https://crrev.com/873d51673a20809960f9959b3c57942a506a595e/src/wasm/wasm-js.cc
[add] https://crrev.com/873d51673a20809960f9959b3c57942a506a595e/test/mjsunit/regress/regress-crbug-740398.js

ClusterFuzz has detected this issue as fixed in range 46600:46601.

Detailed report: https://clusterfuzz.com/testcase?key=4683283689635840

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (location_) != nullptr in handles.h
  Check
  ToHandleChecked
  
Sanitizer: address (ASAN)

Regressed: V8: 44166:44167
Fixed: V8: 46600:46601

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4683283689635840


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.