danno could you take a look please? Thanks!

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4d70aa02fdcc2426222d06b333f6b13a4101e28f

commit 4d70aa02fdcc2426222d06b333f6b13a4101e28f
Author: Daniel Clifford <danno@chromium.org>
Date: Wed Nov 22 12:32:37 2017

Fix hole handling in fast arguments slice

Bug:  chromium:784080 
Change-Id: I38c539435d867f6abb80218457e5b5a982e34817
Reviewed-on: https://chromium-review.googlesource.com/785210
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Commit-Queue: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49571}
[modify] https://crrev.com/4d70aa02fdcc2426222d06b333f6b13a4101e28f/src/builtins/builtins-array-gen.cc
[add] https://crrev.com/4d70aa02fdcc2426222d06b333f6b13a4101e28f/test/mjsunit/regress/regress-784080.js

ClusterFuzz has detected this issue as fixed in range 49570:49571.

Detailed report: https://clusterfuzz.com/testcase?key=6497963143856128

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0xcbe17ed4
Crash State:
  v8::internal::Simulator::DecodeType3
  v8::internal::Simulator::InstructionDecode
  v8::internal::Simulator::CallInternal
  
Sanitizer: address (ASAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=48861:48862
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=49570:49571

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6497963143856128

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6497963143856128 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

*** Boilerplate reminders! ***
Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
*********************************

Hi decoder.oh@ - the VRP Panel decided to award $1000 for this, plus the $500 clusterfuzz bonus.  Thanks!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot