
Issue 868333 link


Issue metadata

Status: Verified
Owner:
Closed: Aug 3
Cc:
Components:
OS: Linux
Pri: 1
Type: Bug-Security

CHECK failure: receiver->IsJSFunction() in objects.cc

Reported by ClusterFuzz, Jul 27

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5786025939697664

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  receiver->IsJSFunction() in objects.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=54744:54745

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5786025939697664

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.

Comment 1 by ClusterFuzz, Jul 27

Labels: Test-Predator-Auto-Owner
Owner: chandanreddy@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/4ef4deae6eb3277b0ce63908661bac9f64eea386 ([runtime] Change the default values of Proxy.prototype to undefined from null).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Comment 2 by sheriffbot@chromium.org, Jul 27

Labels: Pri-1
Labels: Security_Impact-Head

Comment 4 by sheriffbot@chromium.org, Jul 28

Labels: M-69 Target-69

Comment 5 by sheriffbot@chromium.org, Jul 28

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by sheriffbot@chromium.org, Jul 29

Labels: -Security_Impact-Head Security_Impact-Beta

Comment 7 by ClusterFuzz, Aug 3

ClusterFuzz has detected this issue as fixed in range 54856:54857.

Detailed report: https://clusterfuzz.com/testcase?key=5786025939697664

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  receiver->IsJSFunction() in objects.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=54744:54745
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=54856:54857

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5786025939697664

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz, Aug 3

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5786025939697664 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by sheriffbot@chromium.org, Aug 3

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 10 by sheriffbot@chromium.org, Aug 5

Labels: Merge-Request-69

Comment 11 by sheriffbot@chromium.org, Aug 5

Labels: -Merge-Request-69 Merge-Review-69 Hotlist-Merge-Review
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M69 merge review.

I don't see any CL here, is there anything to merge to M69?

The only CL in the fix range is: https://chromium.googlesource.com/v8/v8/+/92220026b2c4e490a78ca709e9cb9e336ef62e3a which is tracked as issue 868473. Could track the merge request (which LGTM) here or there I suppose.

Cc: hablich@chromium.org
+ hablich@, PTAL comment #14.

Labels: -Merge-Review-69 Merge-Approved-69
+1 to what Andrew said. Let's simply use this bug here.

Please merge this bug to 6.9. Instructions can be found at https://github.com/v8/v8/wiki/Merging-&-Patching

Cc: cbruni@chromium.org
Labels: -ReleaseBlock-Stable -Merge-Approved-69
This is solely a correctness issue.
There is a hard CHECK failure which means that there cannot be an exploit.

Given that the current fixes (all landed only in M70) cause some slight performance regressions, we decided to not do the backmerges.

Sounds good, thanks!

Comment 22 by sheriffbot@chromium.org, Nov 9

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot