CHECK failure: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString()
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6522192972742656
Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString()
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51841:51842
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6522192972742656

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Jul 12
This check is only enabled in heap verification, which is only on in debug builds AFAIK. This is not a security issue, just an incorrect CHECK.
A shorter repro:
var arr = [];
for (var i = 1; i != 390000; ++i) {
arr.push("f()");
}
new Function(arr.join());
Jul 12
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a0dbaf590a2ce93aa84130f6ca4b356939e7d4ec

commit a0dbaf590a2ce93aa84130f6ca4b356939e7d4ec
Author: Peter Marshall <petermarshall@chromium.org>
Date: Thu Jul 12 12:55:28 2018

[runtime] Allow FeedbackMetadata objects in old space for verification

When we changed FeedbackMetadata to be its own type instead of a subtype of FixedArray, we missed this check for valid objects in old space. This restores the old behavior during verification.

Bug: chromium:862433
Change-Id: Icdb144df4aebc0c6d78a28405c7f53e40b2e1376
Reviewed-on: https://chromium-review.googlesource.com/1134995
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54408}

[modify] https://crrev.com/a0dbaf590a2ce93aa84130f6ca4b356939e7d4ec/src/heap/spaces.cc
[add] https://crrev.com/a0dbaf590a2ce93aa84130f6ca4b356939e7d4ec/test/mjsunit/regress/regress-862433.js
Jul 12
ClusterFuzz has detected this issue as fixed in range 54407:54408.

Detailed report: https://clusterfuzz.com/testcase?key=6522192972742656
Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: object->IsAbstractCode() || object->IsSeqString() || object->IsExternalString()
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51841:51842
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=54407:54408
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6522192972742656

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 12
ClusterFuzz testcase 6522192972742656 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Jul 27
Removing security flags based on c#4.
Comment 1 by ClusterFuzz, Jul 10
Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)