Crash in v8::internal::Simulator::LoadStoreHelper
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6684685439336448
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0xffffafffffffffff
Crash State:
  v8::internal::Simulator::LoadStoreHelper
  v8::internal::Simulator::Run
  v8::internal::Simulator::CallImpl
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=50339:50340
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6684685439336448

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Feb 28 2018
Reproduces also on x64.
Feb 28 2018
Feb 28 2018
Mar 1 2018
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 1 2018
+ awhalley@ could you pls triage as this is marked as M65 stable blocker?
Mar 1 2018
Pls note M65 is going to stable next week. Thanks.
Mar 1 2018
I'm OK tracking this in 66
Mar 2 2018
I looked into it. It is not a security issue for sure, but only a stability problem. There is a trivial fix that's very safe to back-merge (disabling a small and probably unimportant optimization). It does affect M65, but I don't expect this to be frequent in the wild. I will upload the patch in a moment.
Mar 2 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b8abd2736e9a05ecce18ab730d48c0e7df5d2f65

commit b8abd2736e9a05ecce18ab730d48c0e7df5d2f65
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Fri Mar 02 14:19:59 2018

[turbofan] remove type-widening NaN-addition folding

Folding _ + NaN => NaN can widen type None to a constant type, which leads to floating DeadValue nodes. This CL fixes this by removing the optimization. Alternatively, we should consider removing all nodes of type None in simplified lowering.

Bug: chromium:817225
Change-Id: I2a126b360d70d3626f8a3c5e73ac72dc980ac8b3
Reviewed-on: https://chromium-review.googlesource.com/946129
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51699}

[modify] https://crrev.com/b8abd2736e9a05ecce18ab730d48c0e7df5d2f65/src/compiler/machine-operator-reducer.cc
[add] https://crrev.com/b8abd2736e9a05ecce18ab730d48c0e7df5d2f65/test/mjsunit/compiler/regress-817225.js
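The commit message above describes a soundness problem in a compiler reducer: replacing `x + NaN` with the constant `NaN` is fine when `x` is some number, but when `x` has type None (the typer's "this value never exists" type for dead code) the replacement widens None to a constant type, and downstream passes that rely on None meaning "unreachable" are left with dangling DeadValue nodes. The following is an added, constructed model written for this thread, not V8's `MachineOperatorReducer` or its real type system: a three-element lattice (`None`, constant, `Number`), a typer for addition, the widening fold the CL removed, a conservative fold that preserves None, and a check that a reduction never replaces a node by a supertype.

```cpp
// Constructed toy model of constant folding over a tiny type lattice.
// Not V8 code: it only illustrates why "x + NaN => NaN" is unsound when x
// has type None (dead / unreachable value), as the CL above explains.
#include <cmath>
#include <cstdio>

// Type lattice: None (bottom, no possible value) < Constant(c) < Number.
struct Type {
  enum Kind { kNone, kConstant, kNumber } kind;
  double value;  // only meaningful when kind == kConstant

  static Type None() { return {kNone, 0.0}; }
  static Type Constant(double v) { return {kConstant, v}; }
  static Type Number() { return {kNumber, 0.0}; }

  bool IsNone() const { return kind == kNone; }
  bool IsNaNConstant() const { return kind == kConstant && std::isnan(value); }
};

// Subtype relation of the lattice. NaN != NaN in IEEE arithmetic, so two NaN
// constants are compared with isnan rather than ==.
bool IsSubtype(const Type& a, const Type& b) {
  if (a.IsNone()) return true;                 // None is below everything
  if (b.kind == Type::kNumber) return true;    // Number is above everything
  if (a.kind == Type::kConstant && b.kind == Type::kConstant) {
    if (std::isnan(a.value) && std::isnan(b.value)) return true;
    return a.value == b.value;
  }
  return false;
}

// What a typer assigns to lhs + rhs before any reduction runs: a dead
// operand makes the whole addition dead; two constants give a constant.
Type TypeOfAdd(const Type& lhs, const Type& rhs) {
  if (lhs.IsNone() || rhs.IsNone()) return Type::None();
  if (lhs.kind == Type::kConstant && rhs.kind == Type::kConstant)
    return Type::Constant(lhs.value + rhs.value);
  return Type::Number();
}

// A reduction is sound only if the replacement's type is a subtype of the
// original node's type (it may narrow, never widen).
bool IsSoundReduction(const Type& original, const Type& replacement) {
  return IsSubtype(replacement, original);
}

// Model of the removed optimization: if either operand is the NaN constant,
// fold the addition to NaN no matter what the other operand is. For a None
// operand this produces Constant(NaN), a strict supertype of None.
Type FoldAddWidening(const Type& lhs, const Type& rhs) {
  if (lhs.IsNaNConstant() || rhs.IsNaNConstant()) return Type::Constant(NAN);
  if (lhs.kind == Type::kConstant && rhs.kind == Type::kConstant)
    return Type::Constant(lhs.value + rhs.value);
  return Type::Number();
}

// Conservative fold: never touch an addition with a None operand. Plain
// constant-constant folding (including a NaN constant) is still performed.
Type FoldAddSound(const Type& lhs, const Type& rhs) {
  if (lhs.IsNone() || rhs.IsNone()) return Type::None();
  if (lhs.kind == Type::kConstant && rhs.kind == Type::kConstant)
    return Type::Constant(lhs.value + rhs.value);
  return Type::Number();
}

int main() {
  Type dead = Type::None();
  Type nan = Type::Constant(NAN);
  Type original = TypeOfAdd(dead, nan);  // None: the addition is dead code
  std::printf("widening fold sound: %s\n",
              IsSoundReduction(original, FoldAddWidening(dead, nan)) ? "yes" : "no");
  std::printf("conservative fold sound: %s\n",
              IsSoundReduction(original, FoldAddSound(dead, nan)) ? "yes" : "no");
  return 0;
}
```

Running it prints `no` for the widening fold and `yes` for the conservative one; the `Number + NaN` case is sound under both, which is why the optimization looked harmless until a dead operand reached it.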
Mar 2 2018
Mar 3 2018
ClusterFuzz has detected this issue as fixed in range 51698:51699.

Detailed report: https://clusterfuzz.com/testcase?key=6684685439336448
Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0xffffafffffffffff
Crash State:
  v8::internal::Simulator::LoadStoreHelper
  v8::internal::Simulator::Run
  v8::internal::Simulator::CallImpl
Sanitizer: memory (MSAN)
Recommended Security Severity: Medium
Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=50339:50340
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=51698:51699
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6684685439336448

See https://github.com/google/clusterfuzz-tools for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 3 2018
ClusterFuzz testcase 6684685439336448 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Mar 3 2018
Does this need a merge to M66? If yes, pls request a merge to M66.
Mar 4 2018
Mar 4 2018
Mar 5 2018
Your change meets the bar and is auto-approved for M66. Please go ahead and merge the CL to branch 3359 manually. Please contact milestone owner if you have questions. Owners: cmasso@(Android), cmasso@(iOS), josafat@(ChromeOS), abdulsyed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 5 2018
Pls merge your change to M66 branch 3359 ASAP so we can pick it up for next M66 Dev release. Thank you.
Mar 5 2018
Pls merge your change to M66 branch 3359 ASAP so we can pick it up for next M66 Dev release. Thank you.
Mar 6 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/b3f3ae3316baee30aa34a2e45c259b64498334d2

commit b3f3ae3316baee30aa34a2e45c259b64498334d2
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Tue Mar 06 10:26:00 2018

Merged: [turbofan] remove type-widening NaN-addition folding

Revision: b8abd2736e9a05ecce18ab730d48c0e7df5d2f65

BUG= chromium:817225
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=jarin@chromium.org

Change-Id: I9bd5986843bb7d7d1b5e298f148db41642c2a2d7
Reviewed-on: https://chromium-review.googlesource.com/950882
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.6@{#9}
Cr-Branched-From: d500271571b92cb18dcd7b15885b51e8f437d640-refs/heads/6.6.346@{#1}
Cr-Branched-From: 265ef0b635f8761df7c89eb4e8ec9c1a6ebee184-refs/heads/master@{#51624}

[modify] https://crrev.com/b3f3ae3316baee30aa34a2e45c259b64498334d2/src/compiler/machine-operator-reducer.cc
[add] https://crrev.com/b3f3ae3316baee30aa34a2e45c259b64498334d2/test/mjsunit/compiler/regress-817225.js
Mar 6 2018
Comment 1 by ishell@chromium.org, Feb 28 2018
Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)