Crash in v8::internal::Sweeper::EnsurePageIsIterable

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6011640893145088

Job Type: linux_asan_chrome_mp
Crash Type: UNKNOWN READ
Crash Address: 0x0020bfff8006
Crash State:
  v8::internal::Sweeper::EnsurePageIsIterable
  v8::internal::Heap::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=530701:530716

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6011640893145088

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Jan 20 2018
Automatically adding ccs based on suspected regression changelists:
[esnext] Implement String.prototype.{trimStart,trimEnd} by mathias@chromium.org - https://chromium.googlesource.com/v8/v8/+/e0e8431d92ae9851047d31cbdc54f6d201da7111
Reland "[typedarray] Port ConstructByTypedArray to CSA." by petermarshall@chromium.org - https://chromium.googlesource.com/v8/v8/+/d84fc353dabfec34411fcba61f482c6868f5c41a
If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.
Jan 20 2018
Jan 20 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 20 2018
Jan 21 2018
Please apply the appropriate OSs label. Thank you.
Jan 22 2018
Taking a look
Jan 22 2018
This bisects to Sigurd's CL: https://chromium.googlesource.com/v8/v8/+/932dc50fbbb26ac58cf71fd4438a801ad77fa98c

Also, it seems to crash in Reduce. There is a failing CSA assert in debug mode:

    abort: CSA_ASSERT failed: IsHeapNumber(left) [../../src/code-stub-assembler.cc:8234]

Here is a smaller repro:

    for (let i = 0; i < 5000; i++) {
      try {
        [].reduce(function() {});
      } catch (x) {
      }
    }

Could you take a look, Sigurd?
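A regression-style exercise of the code paths this comment and the later fix describe, added here as an example; it is not code from the bug thread or from V8's own regress test. It keeps the reported warm-up loop (many iterations so that the optimizing compiler takes over the builtin call) and extends it to `reduceRight` and to a callback that throws mid-iteration, so that a harness can confirm that every iteration behaves identically whether or not the builtin has been optimized. The iteration count, the callback names and the counter fields are assumptions made for the illustration.

```javascript
// Added example, not from the bug thread: exercise Array.prototype.reduce and
// reduceRight along the paths touched by the fix. The original repro warms
// [].reduce(cb) in a loop so the optimizing compiler inlines the builtin; the
// empty-array case (no initial value -> TypeError) then must deoptimize with a
// correct frame state. A throwing callback covers the exception-unwind path.

// Hypothetical callback that fails part-way through the iteration.
function throwingCallback(acc, x) {
  if (x === 3) throw new RangeError("hit 3");
  return acc + x;
}

// Runs the scenarios `iterations` times and counts what was observed, so a
// caller can assert that the behaviour was the same on every iteration.
function exerciseReduce(iterations) {
  const counts = { emptyReduce: 0, emptyReduceRight: 0, callbackThrow: 0, sum: 0 };
  for (let i = 0; i < iterations; i++) {
    // Empty array, no initial value: the spec requires a TypeError.
    try { [].reduce(function () {}); } catch (e) { if (e instanceof TypeError) counts.emptyReduce++; }
    try { [].reduceRight(function () {}); } catch (e) { if (e instanceof TypeError) counts.emptyReduceRight++; }
    // Callback throws on the third element; the RangeError must propagate.
    try { [1, 2, 3, 4].reduce(throwingCallback, 0); } catch (e) { if (e instanceof RangeError) counts.callbackThrow++; }
    // Normal path: 1 + 2 + 3 + 4 with an initial value of 0.
    counts.sum += [1, 2, 3, 4].reduceRight(function (a, b) { return a + b; }, 0);
  }
  return counts;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(exerciseReduce(5000));
}
```

Run it under a debug build of the engine (or with sanitizers) as well as a release build: a mismatch between the counters, or a crash, indicates that an optimized path and its deoptimization disagree about the state they should restore.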
Jan 22 2018
This has also been found by v8 testing infrastructure, see https://bugs.chromium.org/p/v8/issues/detail?id=7336. Fix is on the way.
Jan 22 2018
Jan 22 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9e47513ae27d12ba3195bc445bf7112c9419cb15

commit 9e47513ae27d12ba3195bc445bf7112c9419cb15
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Mon Jan 22 12:14:06 2018

[turbofan] Fix deoptimization framestate in A.p.reduce[Right]

Array.prototype.reduce[Right] used a lazy deoptimization frame state for an eager deopt point.

Bug: v8:7336, chromium:804096
Change-Id: I720f9e049bd6b396e025fa59192fdbc6b4f18647
Reviewed-on: https://chromium-review.googlesource.com/878120
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Daniel Clifford <danno@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50752}

[modify] https://crrev.com/9e47513ae27d12ba3195bc445bf7112c9419cb15/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/9e47513ae27d12ba3195bc445bf7112c9419cb15/src/deoptimize-reason.h
[add] https://crrev.com/9e47513ae27d12ba3195bc445bf7112c9419cb15/test/mjsunit/regress/regress-804096.js
Jan 22 2018
Please add affected OSs.
Jan 23 2018
Jan 23 2018
ClusterFuzz has detected this issue as fixed in range 530904:530909.

Detailed report: https://clusterfuzz.com/testcase?key=6011640893145088

Job Type: linux_asan_chrome_mp
Crash Type: UNKNOWN READ
Crash Address: 0x0020bfff8006
Crash State:
  v8::internal::Sweeper::EnsurePageIsIterable
  v8::internal::Heap::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry

Sanitizer: address (ASAN)
Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=530701:530716
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=530904:530909

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6011640893145088

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 23 2018
ClusterFuzz testcase 6011640893145088 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 8 2018
Feb 13 2018
Mar 12 2018
Mar 27 2018
May 1 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot