ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6630464685867008.

scdengyuan: Thanks for the report!

ishell: Can you please take a look or reassign? Thanks.

ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=4698965111734272.

Detailed report: https://clusterfuzz.com/testcase?key=4698965111734272

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  enumeration_index > 0 in lookup.cc
  v8::internal::LookupIterator::ReconfigureDataProperty
  v8::internal::JSObject::DefineOwnPropertyIgnoreAttributes
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49456:49457

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4698965111734272

See https://github.com/google/clusterfuzz-tools for more information.

https://chromium.googlesource.com/v8/v8/+/cc9e77abe8497578a967259f643dcfb12e134fdb is the only CL in the regression range.

Friendly ping. :)

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e602c90abcc60f039708d46810ea0cc660ac5bfc

commit e602c90abcc60f039708d46810ea0cc660ac5bfc
Author: Igor Sheludko <ishell@chromium.org>
Date: Mon Jun 18 12:45:02 2018

Properly set enumeration order for accessor properties in class literals.

Bug:  chromium:848165 
Change-Id: I1ec18bf12f53c24f388dbd529fe62e990fbc8783
Reviewed-on: https://chromium-review.googlesource.com/1104175
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53793}
[modify] https://crrev.com/e602c90abcc60f039708d46810ea0cc660ac5bfc/src/objects/literal-objects.cc
[add] https://crrev.com/e602c90abcc60f039708d46810ea0cc660ac5bfc/test/mjsunit/regress/regress-crbug-848165.js

Thank you for the report!

This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Please verify the fix in canary.

+ awhalley@ for M68 merge review after canary verification/coverage.

ClusterFuzz has detected this issue as fixed in range 53792:53793.

Detailed report: https://clusterfuzz.com/testcase?key=4698965111734272

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  enumeration_index > 0 in lookup.cc
  v8::internal::LookupIterator::ReconfigureDataProperty
  v8::internal::JSObject::DefineOwnPropertyIgnoreAttributes
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49456:49457
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=53792:53793

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4698965111734272

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4698965111734272 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Hi ishell@ - the VRP panel was wondering if you could provide some insight into what could go wrong here, we couldn't see a clear route to RCE.

I'm sorry, I think there's no route to RCE, it's a correctness issue with a trivial fix.

awhalley@ is a merge still needed for this?

abdulsyed@ - no merge needed from a security point of view. ishell@, please re-add merge-request if the correctness issue requires a merge. Cheers!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot