Issue metadata
CHECK failure: !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5415087937683456
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc
  v8::platform::PrintStackTrace
  v8::internal::Map::MapVerify
Sanitizer: address (ASAN)
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5415087937683456

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Nov 17 2017
Looks unrelated to the bisected CL; it probably just changes timing so that we hit this case with --gc-interval=35. Double-checking now.
Nov 17 2017
Yeah, repros without lazy handlers:
$ for i in {30..40}; do echo $i; out/debug/d8 --verify-heap --invoke-weak-callbacks --future --gc-interval=$i -e '(new constructor)[1073741824] = null;'; done
30
#
# Fatal error in ../../src/objects-debug.cc, line 423
# Check failed: !descriptors->GetKey(i)->IsInterestingSymbol().
#
Assigning back for further triage.
Nov 17 2017
With --gc-interval=1 it bisects to 31800120ccb215cdd1b6b1bde7fd05ecf72ee16e ([builtins] Speed-up Object.prototype.toString.). Before that, it does not reproduce with any interval between 1 and 50. Assigning to Benedikt.
Nov 17 2017
Nov 17 2017
Nov 18 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 23 2017
Hey Michi, can you please investigate this one? Or find an owner. Probably some oversight where the interesting symbol bit is not forwarded correctly. I'm OOO today and my workstation still isn't working, so I might not be able to fix it on Friday either. Thanks a lot!
Nov 27 2017
Investigated together with Benedikt just now and cooking up a fix.
Nov 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4ad9430c399ce4ebbbccb80090f984588d7069f9

commit 4ad9430c399ce4ebbbccb80090f984588d7069f9
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Nov 27 12:49:01 2017

[objects] Fix flag in {Map::AddMissingTransitions}.

This fixes the computation of the {may_have_interesting_symbols} flag for the last map computed in {Map::AddMissingTransitions} method. The last map is allocated ahead of time, but the flag is only correct once the descriptors are actually installed in the end.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-786020
BUG= chromium:786020
Change-Id: Iff97780609fe596437eb6bea85606a1c3bb2ac4c
Reviewed-on: https://chromium-review.googlesource.com/789839
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49631}

[modify] https://crrev.com/4ad9430c399ce4ebbbccb80090f984588d7069f9/src/objects.cc
[add] https://crrev.com/4ad9430c399ce4ebbbccb80090f984588d7069f9/test/mjsunit/regress/regress-crbug-786020.js
Nov 27 2017
Nov 27 2017
Nov 28 2017
ClusterFuzz has detected this issue as fixed in range 49630:49631.

Detailed report: https://clusterfuzz.com/testcase?key=5415087937683456
Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows
Crash Type: CHECK failure
Crash Address:
Crash State:
  !descriptors->GetKey(i)->IsInterestingSymbol() in objects-debug.cc
  v8::platform::PrintStackTrace
  v8::internal::Map::MapVerify
Sanitizer: address (ASAN)
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=49630:49631
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5415087937683456

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 28 2017
ClusterFuzz testcase 5415087937683456 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 27 2018
Mar 31 2018
Comment 1 by clemensh@chromium.org, Nov 17 2017
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)