This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Bisection points to 4851745fe37735d1be2845bcc6204166e4c9d678. PTAL

ClusterFuzz has detected this issue as fixed in range 488220:488243.

Detailed report: https://clusterfuzz.com/testcase?key=6590702657208320

Fuzzer: inferno_js_fuzzer
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: UNKNOWN READ
Crash Address: 0xcccccccc
Crash State:
  v8::internal::Heap::MergeAllocationSitePretenuringFeedback
  v8::internal::MarkCompactCollectorBase::CreateAndExecuteEvacuationTasks<class v8
  v8::internal::MarkCompactCollector::EvacuatePagesInParallel
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=487835:487848
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8&range=488220:488243

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6590702657208320


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Users experienced this crash on the following builds:

Win Canary 61.0.3162.0 -  14.83 CPM, 201 reports, 191 clients (signature v8::internal::Heap::MergeAllocationSitePretenuringFeedback)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This crash has high impact on Chrome's stability.
Signature: v8::internal::Heap::MergeAllocationSitePretenuringFeedback.
Channel: canary. Platform: win.
Labeling  issue 746835  with ReleaseBlock-Dev.


If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

ClusterFuzz testcase 6590702657208320 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Users experienced this crash on the following builds:

Win Canary 61.0.3162.0 -  0.30 CPM, 4 reports, 4 clients (signature v8::internal::Heap::ProcessPretenuringFeedback)
Mac Canary 61.0.3162.0 -  0.89 CPM, 3 reports, 3 clients (signature v8::internal::Heap::ProcessPretenuringFeedback)

If this update was incorrect, please add "Fracas-Wrong" label to prevent future updates.

- Go/Fracas

This has been reported as M61 Dev blocker. Please make sure fix is ready and merged to M61 branch by 4:00 PM PT, Tuesday (07/25). Thank you.

+ awhalley@ & hablich@ to confirm this is indeed M61 dev blocker.

As per issue 746935 this has been fixed by reverting the offending CL.

A short recap:

- This is not on the M61 branch because it was branched before the offending CL landed
- This is not on current master/M62 because it is already reverted on master and rolled successfully into Chrome.

Seeing this on Android in 61.0.3162.3, 50 reports:

https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Android%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3AHeap%3A%3AMergeAllocationSitePretenuringFeedback%27&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D#-property-selector,samplereports:5,productversion:1000

Adding Android and RBS label back.

It is not in 61, see my comment in #14.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot