This seems to get filed every few weeks, then auto-closed by Clusterfuzz. The most recent useful comment I could find was in https://bugs.chromium.org/p/chromium/issues/detail?id=740314#c6

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 47810:47811.

Detailed report: https://clusterfuzz.com/testcase?key=6574969751601152

Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  actual_unused_property_fields > map()->unused_property_fields() in objects-debug
  v8::internal::JSObject::JSObjectVerify
  v8::internal::Object::ObjectVerify
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47798:47799
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47810:47811

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6574969751601152

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Does not reproduce any more, but the fixed range is totally unrelated.
Merging into 740314, let's see how many more reports we get for this.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot