DCHECK failure in function->has_prototype_slot() in objects.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5490481828724736

Fuzzer: libFuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  function->has_prototype_slot() in objects.cc
  v8::internal::JSFunction::EnsureHasInitialMap
  v8::internal::Factory::NewJSObject

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=542095:542101

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5490481828724736

Issue filed automatically.

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.
Comment 1 by ClusterFuzz, Mar 11 2018
Labels: Test-Predator-Auto-Components

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/96e2e8588d851c46be5b948b3479e89cb605a429 (Reland "[bigint] Serialization support for BigInts").

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Mar 12 2018

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Mar 13 2018

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a16ecd9e9f8ec57cbbcb99e091947ce8a28dbd8b

commit a16ecd9e9f8ec57cbbcb99e091947ce8a28dbd8b
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Tue Mar 13 18:51:11 2018

[bigint] Require --harmony-bigint for deserialization

While deserializing a BigInt with the --harmony-bigint flag off is harmless in itself, trying to wrap one as an Object (either during deserialization of a JSValue or later from user code) requires the BigInt constructor to be available. Since there's no strong reason to support deserialization of BigInts without the flag, this patch simply disallows it, which fixes the problem.

Bug: chromium:820819
Change-Id: I024a4f13715bbe95ee8eb6e1710e8f47ca227644
Reviewed-on: https://chromium-review.googlesource.com/959802
Reviewed-by: Adam Klein <adamk@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51911}

[modify] https://crrev.com/a16ecd9e9f8ec57cbbcb99e091947ce8a28dbd8b/src/value-serializer.cc
Mar 13 2018

I don't think this has security implications, as BigInts are still behind a flag. The bug was in some corner case around toggling that flag on and off and having certain (custom-created!) local state persist between such sessions.
Mar 14 2018

ClusterFuzz has detected this issue as fixed in range 542962:542972.

Detailed report: https://clusterfuzz.com/testcase?key=5490481828724736

Fuzzer: libFuzzer_v8_serialized_script_value_fuzzer
Job Type: libfuzzer_chrome_asan_debug
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  function->has_prototype_slot() in objects.cc
  v8::internal::JSFunction::EnsureHasInitialMap
  v8::internal::Factory::NewJSObject

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=542095:542101
Fixed: https://clusterfuzz.com/revisions?job=libfuzzer_chrome_asan_debug&range=542962:542972

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5490481828724736

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reference.md for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 14 2018

ClusterFuzz testcase 5490481828724736 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.