Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/600641338d160ce2dc82d3cdec0f414946409b81 (Reland "[heap] Mark RO_SPACE as read-only after deserialization").

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fad99f5e2111387d77db50522aebd5fe9c43e681

commit fad99f5e2111387d77db50522aebd5fe9c43e681
Author: Dan Elphick <delphick@chromium.org>
Date: Fri May 11 12:37:55 2018

[objects] Disallow externalizing RO_SPACE 2-byte strings

This was already the case for 1-byte strings. This prevents crashes when
attempting to externalize such strings.

Bug:  chromium:842078 , v8:7464
Change-Id: I3092a6748edaf77b2689f7b6f6b949929998e508
Reviewed-on: https://chromium-review.googlesource.com/1054290
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Dan Elphick <delphick@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53124}
[modify] https://crrev.com/fad99f5e2111387d77db50522aebd5fe9c43e681/src/objects.cc
[add] https://crrev.com/fad99f5e2111387d77db50522aebd5fe9c43e681/test/mjsunit/regress/regress-842078.js

(Adding OS labels for all V8 platforms.)

ClusterFuzz has detected this issue as fixed in range 53123:53124.

Detailed report: https://clusterfuzz.com/testcase?key=5635782929547264

Fuzzer: mbarbella_js_mutation
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: UNKNOWN WRITE
Crash Address: 0x7e8b3a506d58
Crash State:
  v8::internal::String::MakeExternal
  v8::internal::ExternalizeStringExtension::Externalize
  v8::internal::FunctionCallbackArguments::Call
  
Sanitizer: memory (MSAN)

Recommended Security Severity: High

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=53086:53087
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=53123:53124

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5635782929547264

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5635782929547264 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot