CF points to b2d1f27209dca47964200bccdad726d445447bb5.
The CL is already reverted, so feel free to close this bug as fixed if you don't need the repro.

Thanks, Igor!

ClusterFuzz has detected this issue as fixed in range 46814:46815.

Detailed report: https://clusterfuzz.com/testcase?key=5164028606545920

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  pending_layout_change_object_ == nullptr || pending_layout_change_object_ == obj
  v8::internal::Heap::NotifyObjectLayoutChange
  v8::internal::MigrateFastToFast
  
Sanitizer: address (ASAN)

Regressed: V8: 46812:46813
Fixed: V8: 46814:46815

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5164028606545920


See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5164028606545920 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot