This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Assigning to V8 CF Sheriff per rotation at go/v8.

It seems the problem is that v8::internal::FindCaller in src/accessors.cc:981 has a DisallowHeapAllocation scope, but can trigger OptimizedFrame::Summarize, which started materializing objects since https://chromium-review.googlesource.com/c/595745.

Minimized repro:

function foo(f){
  f.caller;
}
function bar(f) {
  new foo(f);
}
bar(function() {});
%OptimizeFunctionOnNextCall(bar);
bar(function() {});

Thanks! Taking a look now ...

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6dd1251e4eaffafe63260312fcf8b57798f08399

commit 6dd1251e4eaffafe63260312fcf8b57798f08399
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Tue Aug 22 15:00:03 2017

Handlify FrameFunctionIterator to allow for GCs.

R=tebbi@chromium.org
TEST=mjsunit/regress/regress-crbug-755044
BUG= chromium:755044 

Change-Id: I909eeeccaf4e4e9757a2f952c00f557ee6c495ee
Reviewed-on: https://chromium-review.googlesource.com/625878
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#47510}
[modify] https://crrev.com/6dd1251e4eaffafe63260312fcf8b57798f08399/src/accessors.cc
[add] https://crrev.com/6dd1251e4eaffafe63260312fcf8b57798f08399/test/mjsunit/regress/regress-crbug-755044.js

Fixed. This issue might actually cause a stale pointer to be dereferenced in rare cases and hence cannot be considered completely benign in release builds of V8. But it will be very hard to control the address of this out-of-bounds read. Still leaving security labels in place. Only affects M62 branch, no merge required.

ClusterFuzz has detected this issue as fixed in range 47509:47510.

Detailed report: https://clusterfuzz.com/testcase?key=5144730831945728

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  AllowHeapAllocation::IsAllowed() in heap-inl.h
  v8::internal::Heap::AllocateRaw
  v8::internal::Heap::Allocate
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47213:47214
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47509:47510

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5144730831945728

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5144730831945728 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot