Reproduces since a long time.

Fails around these lines:

 97     v8::Local<v8::Value> prototype_value;                                        
 98     bool get_prototype_value =                                                   
 99         interface_object->Get(context, V8AtomicString(isolate, "prototype"))     
100             .ToLocal(&prototype_value);                                          
101     CHECK(get_prototype_value);                                                  

At that point, nothing is wrong. However, there is still a scheduled exception from a previous call into v8. It was generated here:

#0  0x00007f14c3b70cc7 in v8::internal::Isolate::ScheduleThrow(v8::internal::Object*)
#1  0x00007f14c30e0e2c in v8::Isolate::ThrowException(v8::Local<v8::Value>)
#2  0x00007f14bdc64266 in blink::V8ThrowException::ThrowException(v8::Isolate*, v8::Local<v8::Value>)
#3  0x00007f14bdc63d5c in blink::V8ThrowException::ThrowError(v8::Isolate*, WTF::String const&)
#4  0x00007f14bfea4a94 in blink::(anonymous namespace)::ThrowScriptForbiddenException(v8::Isolate*)
#5  0x00007f14bfea68a9 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*)
#6  0x00007f14c094d568 in blink::WebLocalFrameImpl::CallFunctionEvenIfScriptDisabled(v8::Local<v8::Function>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*)
#7  0x00007f14bb22e802 in test_runner::AccessibilityController::NotificationReceived(blink::WebAXObject const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&)
#8  0x00007f14bb30606e in test_runner::WebFrameTestClient::PostAccessibilityEvent(blink::WebAXObject const&, blink::WebAXEvent)
#9  0x00000000016d37f5 in test_runner::WebFrameTestProxy<content::RenderFrameImpl, content::RenderFrameImpl::CreateParams>::PostAccessibilityEvent(blink::WebAXObject const&, blink::WebAXEvent)
#10 0x00007f14bc718457 in blink::AXObjectCacheImpl::PostPlatformNotification(blink::AXObject*, blink::AXObjectCacheImpl::AXNotification)
#11 0x00007f14bc719ab4 in blink::AXObjectCacheImpl::HandleScrollPositionChanged(blink::LayoutObject*)
#12 0x00007f14c129de63 in blink::PaintLayerScrollableArea::UpdateScrollOffset(blink::FloatSize const&, blink::ScrollType)
#13 0x00007f14be0d2ef1 in blink::ScrollableArea::ScrollOffsetChanged(blink::FloatSize const&, blink::ScrollType)
#14 0x00007f14be0d2c7c in blink::ScrollableArea::SetScrollOffset(blink::FloatSize const&, blink::ScrollType, blink::ScrollBehavior)
#15 0x00007f14c12a1a44 in blink::PaintLayerScrollableArea::ClampScrollOffsetAfterOverflowChange()
#16 0x00007f14c12a03d4 in blink::PaintLayerScrollableArea::UpdateAfterLayout()
#17 0x00007f14c127d519 in blink::PaintLayer::UpdateSizeAndScrollingAfterLayout()
#18 0x00007f14c0df43c4 in blink::LayoutBox::UpdateAfterLayout()
#19 0x00007f14c0da36eb in blink::LayoutBlock::UpdateAfterLayout()
#20 0x00007f14c0db8985 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#21 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#22 0x00007f14c0dbd390 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
#23 0x00007f14c0dbd750 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
#24 0x00007f14c0dbbbc9 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
#25 0x00007f14c0db8c34 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&)
#26 0x00007f14c0db8627 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#27 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#28 0x00007f14c0dbd390 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
#29 0x00007f14c0dbd750 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
#30 0x00007f14c0dbbbc9 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
#31 0x00007f14c0db8c34 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&)
#32 0x00007f14c0db8627 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#33 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#34 0x00007f14c0dbd390 in blink::LayoutBlockFlow::PositionAndLayoutOnceIfNeeded(blink::LayoutBox&, blink::LayoutUnit, blink::BlockChildrenLayoutInfo&)
#35 0x00007f14c0dbd750 in blink::LayoutBlockFlow::LayoutBlockChild(blink::LayoutBox&, blink::BlockChildrenLayoutInfo&)
#36 0x00007f14c0dbbbc9 in blink::LayoutBlockFlow::LayoutBlockChildren(bool, blink::SubtreeLayoutScope&, blink::LayoutUnit, blink::LayoutUnit)
#37 0x00007f14c0db8c34 in blink::LayoutBlockFlow::LayoutChildren(bool, blink::SubtreeLayoutScope&)
#38 0x00007f14c0db8627 in blink::LayoutBlockFlow::UpdateBlockLayout(bool)
#39 0x00007f14c0f14c49 in blink::LayoutView::UpdateBlockLayout(bool)
#40 0x00007f14c0da38d0 in blink::LayoutBlock::UpdateLayout()
#41 0x00007f14c0f15494 in blink::LayoutView::UpdateLayout()
#42 0x00007f14c08c845a in blink::LocalFrameView::PerformLayout(bool)
#43 0x00007f14c08c4d8a in blink::LocalFrameView::UpdateLayout()
#44 0x00007f14c0428bec in blink::Document::UpdateStyleAndLayout()
#45 0x00007f14c0428995 in blink::Document::UpdateStyleAndLayoutIgnorePendingStylesheets(blink::Document::RunPostLayoutTasks)
#46 0x00007f14c05c196f in blink::DeleteSelectionCommand::FixupWhitespace()
#47 0x00007f14c05c3a66 in blink::DeleteSelectionCommand::DoApply(blink::EditingState*)
#48 0x00007f14c05ae352 in blink::CompositeEditCommand::ApplyCommandToComposite(blink::EditCommand*, blink::EditingState*)
#49 0x00007f14c05b0671 in blink::CompositeEditCommand::DeleteSelection(blink::EditingState*, blink::DeleteSelectionOptions const&)
#50 0x00007f14c05e99e0 in blink::ReplaceSelectionCommand::InsertParagraphSeparatorIfNeeds(blink::VisibleSelectionTemplate<blink::EditingAlgorithm<blink::NodeTraversal> > const&, blink::ReplacementFragment const&, blink::EditingState*)
#51 0x00007f14c05ea3e5 in blink::ReplaceSelectionCommand::DoApply(blink::EditingState*)
#52 0x00007f14c05ae0a3 in blink::CompositeEditCommand::Apply()
#53 0x00007f14c05d5a6e in blink::InsertCommands::ExecuteInsertFragment(blink::LocalFrame&, blink::DocumentFragment*)
#54 0x00007f14c05d5f98 in blink::InsertCommands::ExecuteInsertHTML(blink::LocalFrame&, blink::Event*, blink::EditorCommandSource, WTF::String const&)
#55 0x00007f14c05cb2b0 in blink::EditorCommand::Execute(WTF::String const&, blink::Event*)
#56 0x00007f14c05c5196 in blink::Document::execCommand(WTF::String const&, bool, WTF::String const&, blink::ExceptionState&)
#57 0x00007f14c1937c61 in blink::DocumentV8Internal::execCommandMethod(v8::FunctionCallbackInfo<v8::Value> const&)
#58 0x00007f14c193714a in blink::V8Document::execCommandMethodCallback(v8::FunctionCallbackInfo<v8::Value> const&)
#59 0x00007f14c322da33 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*)
#60 0x00007f14c322b870 in v8::internal::(anonymous namespace)
#61 0x00007f14c3229ffc in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*)
#62 0x00007f14c3229bad in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*)

Frame #42 contains a ScriptForbiddenScope, but frame #7 calls out into v8.

Not a v8 issue, setting component "Blink>Layout" for frame #7 and "Blink>Internals" for frame #42.

Unable to provide possible suspect using Predator, CL and Code Search.
Could someone please look into the issue.

Thank You...

Looks like something goes wrong when updating the scroll position

ClusterFuzz has detected this issue as fixed in range 579329:579330.

Detailed report: https://clusterfuzz.com/testcase?key=6174853783355392

Fuzzer: ochang_domfuzzer
Job Type: windows_asan_content_shell
Platform Id: windows

Crash Type: CHECK failure
Crash Address: 
Crash State:
  get_prototype_value in v8_object_constructor.cc
  blink::V8ObjectConstructor::CreateInterfaceObject
  blink::V8PerContextData::ConstructorForTypeSlowCase
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=531299:531319
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_content_shell&range=579329:579330

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6174853783355392

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6174853783355392 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.