Null-dereference READ in v8::internal::TranslatedFrame::begin
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6189134065696768
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000030
Crash State:
  v8::internal::TranslatedFrame::begin
  v8::internal::FrameFunctionIterator::MaterializeFunction
  v8::internal::FindCaller
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=48175:48176
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6189134065696768
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Oct 2 2017
This seems to be caused by {JSCreateClosure} lowering. I'll take a look.
Oct 2 2017
Issue 770613 has been merged into this issue.
Oct 2 2017
Issue 770550 has been merged into this issue.
Oct 2 2017
Issue 769855 has been merged into this issue.
Oct 2 2017
This is a bug in {TranslatedState::GetFrameFromJSFrameIndex} which used a different counting scheme for inlined frames. The same bug already existed for "Function.prototype.arguments" as well and the following is a repro for that ...
// Run with: d8 --allow-natives-syntax (required for %OptimizeFunctionOnNextCall)
function g() {
  g.arguments;
}
function f() {
  [0].forEach(g);
}
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
Oct 2 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/631489bd3913c24b7d2a47496d6d9866ea453dbd

commit 631489bd3913c24b7d2a47496d6d9866ea453dbd
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Oct 02 14:14:30 2017

[deoptimizer] Fix TranslatedState inline frame indexing.

This makes sure that helper methods on the {TranslatedState} class stick to the counting scheme used by {OptimizedFrame::Summarize} within the stack-walker. Both now treat {kJavaScriptBuiltinContinuation} as real JavaScript frames.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-770543
BUG=chromium:770543

Change-Id: Icda65a7efb487470d39ebf648767a488ebf2e5f1
Reviewed-on: https://chromium-review.googlesource.com/695123
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48264}

[modify] https://crrev.com/631489bd3913c24b7d2a47496d6d9866ea453dbd/src/deoptimizer.cc
[add] https://crrev.com/631489bd3913c24b7d2a47496d6d9866ea453dbd/test/mjsunit/regress/regress-crbug-770543.js
Oct 3 2017
ClusterFuzz has detected this issue as fixed in range 48263:48264.

Detailed report: https://clusterfuzz.com/testcase?key=6189134065696768
Fuzzer: inferno_js_fuzzer
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: Null-dereference READ
Crash Address: 0x000000000030
Crash State:
  v8::internal::TranslatedFrame::begin
  v8::internal::FrameFunctionIterator::MaterializeFunction
  v8::internal::FindCaller
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=48175:48176
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=48263:48264
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6189134065696768
See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 3 2017
ClusterFuzz testcase 6044358116900864 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Oct 1 2017
Labels: Test-Predator-AutoComponents