Issue 839953

Issue metadata

Status: Verified
Owner:
Closed: May 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


CHECK failure: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString()

Project Member Reported by ClusterFuzz, May 4 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5966413202980864

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() 
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52026:52027

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5966413202980864

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz (Project Member), May 4 2018

Labels: Test-Predator-Auto-Owner
Owner: marja@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/38525dd209f1e77d43df025f6435b839fa05723c ([reland] [in-place weak refs] Use WeakArray in Script::shared_function_infos.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by sheriffbot@chromium.org (Project Member), May 5 2018

Labels: Pri-1

Comment 3 by marja@chromium.org, May 7 2018

Labels: -Security_Severity-High
Yea this is mine. Working on a fix. I just need to extend the list of allowed types in this CHECK.

Without heap verification, everything should be working OK as is, so no merges needed + no security impact.

Comment 4 by bugdroid1@chromium.org (Project Member), May 7 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c

commit 96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c
Author: Marja Hölttä <marja@chromium.org>
Date: Mon May 07 09:53:14 2018

[in-place weak refs] Fix: allow weak array types in large object space.

BUG=v8:7308, chromium:839953 

Change-Id: I3738dc8169730763a587a2452421a54aff11e38e
Reviewed-on: https://chromium-review.googlesource.com/1046645
Commit-Queue: Marja Hölttä <marja@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53016}
[modify] https://crrev.com/96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c/src/heap/spaces.cc
[add] https://crrev.com/96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c/test/mjsunit/regress/regress-839953.js

Comment 5 by marja@chromium.org, May 7 2018

Status: Fixed (was: Assigned)

Comment 6 by bugdroid1@chromium.org (Project Member), May 7 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/08bfc14b68846ab2aef7898e0f86cb6db1fd12e2

commit 08bfc14b68846ab2aef7898e0f86cb6db1fd12e2
Author: Michael Achenbach <machenbach@chromium.org>
Date: Mon May 07 11:52:17 2018

Revert "[in-place weak refs] Fix: allow weak array types in large object space."

This reverts commit 96186c4f1a9a05bc4f2b4fde7739f20b9ee6d10c.

Reason for revert: All gc stress bots time out:
https://build.chromium.org/p/client.v8/builders/V8%20Linux%20-%20gc%20stress/builds/16361

Original change's description:
> [in-place weak refs] Fix: allow weak array types in large object space.
> 
> BUG=v8:7308, chromium:839953 
> 
> Change-Id: I3738dc8169730763a587a2452421a54aff11e38e
> Reviewed-on: https://chromium-review.googlesource.com/1046645
> Commit-Queue: Marja Hölttä <marja@chromium.org>
> Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#53016}

TBR=ulan@chromium.org,marja@chromium.org

Change-Id: I030638c27fd8990b9dab3d25a582039fb893bf78
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Bug: v8:7308,  chromium:839953 
Reviewed-on: https://chromium-review.googlesource.com/1046549
Reviewed-by: Michael Achenbach <machenbach@chromium.org>
Commit-Queue: Michael Achenbach <machenbach@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53019}
[modify] https://crrev.com/08bfc14b68846ab2aef7898e0f86cb6db1fd12e2/src/heap/spaces.cc
[delete] https://crrev.com/7235c8515a46a5aa2ee79495d427726ee78ac92b/test/mjsunit/regress/regress-839953.js


Comment 7 by sheriffbot@chromium.org (Project Member), May 7 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: -Type-Bug-Security Type-Bug
Status: Assigned (was: Fixed)
Looks like this got reverted. Re-opening. Also looks like we can track this as a functional issue rather than as a security issue.

Comment 9 by marja@chromium.org, May 8 2018

Status: Fixed (was: Assigned)
The reland was missing the bug number, but it's this one:

https://chromium-review.googlesource.com/c/v8/v8/+/1046653

Comment 10 by ClusterFuzz (Project Member), May 8 2018

ClusterFuzz has detected this issue as fixed in range 53030:53031.

Detailed report: https://clusterfuzz.com/testcase?key=5966413202980864

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString() 
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=52026:52027
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=53030:53031

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5966413202980864

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 11 by ClusterFuzz (Project Member), May 8 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5966413202980864 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 12 by sheriffbot@chromium.org (Project Member), Aug 14

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot