DCHECK failure in descriptors->GetValue(descriptor) != value || value->FitsRepresentation(details.
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=6406311964311552
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  descriptors->GetValue(descriptor) != value || value->FitsRepresentation(details.
  CanHoldValue
  v8::internal::UpdateDescriptorForValue
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49456:49457
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6406311964311552
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Dec 4 2017
Dec 4 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 4 2017
Dec 7 2017
Dec 18 2017
ishell: Uh oh! This issue still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 19 2017
+more folks. I'm hitting a similar failure in my local build while trying to work on another bug:

# Fatal error in ../../v8/src/objects.cc, line 9622
# Debug check failed: descriptors->GetValue(descriptor) != value || value->FitsRepresentation(details.representation()).
#
#0 0x7ff1e6bb57bd base::debug::StackTrace::StackTrace()
#1 0x7ff1e6bb3bfc base::debug::StackTrace::StackTrace()
#2 0x7ff1d7b11927 gin::(anonymous namespace)::PrintStackTrace()
#3 0x7ff1c873cc6c V8_Fatal()
#4 0x7ff1c873ca45 v8::base::(anonymous namespace)::DefaultDcheckHandler()
#5 0x7ff1d7630368 v8::internal::(anonymous namespace)::UpdateDescriptorForValue()
#6 0x7ff1d762ffff v8::internal::Map::PrepareForDataProperty()
#7 0x7ff1d75a6290 v8::internal::LookupIterator::PrepareForDataProperty()
#8 0x7ff1d74f26ce v8::internal::StoreIC::LookupForWrite()
Dec 19 2017
Dec 19 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/21a6239113a394a9ce9d0f9d510102c565003f4a

commit 21a6239113a394a9ce9d0f9d510102c565003f4a
Author: Igor Sheludko <ishell@chromium.org>
Date: Tue Dec 19 15:22:50 2017

[classes] Set proper representation during fast class boilerplate instantiation.

Bug: chromium:791368
Change-Id: I86d9df38698d9c8b6109d0a11579fa28810ba1dc
Reviewed-on: https://chromium-review.googlesource.com/833908
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50206}

[modify] https://crrev.com/21a6239113a394a9ce9d0f9d510102c565003f4a/src/runtime/runtime-classes.cc
Dec 19 2017
Dec 20 2017
ClusterFuzz has detected this issue as fixed in range 50205:50206.
Detailed report: https://clusterfuzz.com/testcase?key=6406311964311552
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: DCHECK failure
Crash Address:
Crash State:
  descriptors->GetValue(descriptor) != value || value->FitsRepresentation(details.
  CanHoldValue
  v8::internal::UpdateDescriptorForValue
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49456:49457
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50205:50206
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6406311964311552
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 20 2017
ClusterFuzz testcase 6406311964311552 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 20 2017
Dec 22 2017
Dec 22 2017
This bug requires manual review: M64 has already been promoted to the beta branch, so this requires manual review. Please contact the milestone owner if you have questions. Owners: cmasso@ (Android), cmasso@ (iOS), kbleicher@ (ChromeOS), abdulsyed@ (Desktop). For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Dec 22 2017
Dec 27 2017
abdulsyed@ - good for 64
Dec 28 2017
Approving for merge to M64. Branch: 3282
Jan 16 2018
+adamk@ - ishell@ is OOO. Adam, can you please merge this to M64? It has been approved.
Jan 16 2018
Toon, can you please take a look at merging this? I don't feel comfortable merging without a look from either the reviewer or author of the CL that it's good to merge.
Jan 19 2018
ping
Jan 19 2018
Assigning back to ishell, who should be back from vacation now.
Jan 20 2018
ishell: Uh oh! This issue still open and hasn't been updated in the last 31 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers? If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one? If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/cc2494c73d8b13c22f55e3e0ec148548756e5603

commit cc2494c73d8b13c22f55e3e0ec148548756e5603
Author: ishell@chromium.org <ishell@chromium.org>
Date: Mon Jan 22 08:51:39 2018

Merged: [classes] Set proper representation during fast class boilerplate instantiation.

Revision: 21a6239113a394a9ce9d0f9d510102c565003f4a

BUG= chromium:791368
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=verwaest@chromium.org

Change-Id: I286663246e94d9b6a1c31b0c2721213c975979d1
Reviewed-on: https://chromium-review.googlesource.com/877885
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.4@{#78}
Cr-Branched-From: 0407506af3d9d7e2718be1d8759296165b218fcf-refs/heads/6.4.388@{#1}
Cr-Branched-From: a5fc4e085ee543cb608eb11034bc8f147ba388e1-refs/heads/master@{#49724}

[modify] https://crrev.com/cc2494c73d8b13c22f55e3e0ec148548756e5603/src/runtime/runtime-classes.cc
Jan 22 2018
Jan 22 2018
Mar 27 2018
Mar 31 2018
Apr 30 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Dec 4 2017
Owner: ishell@chromium.org
Status: Assigned (was: Untriaged)