Issue 869347 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Aug 1
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Security



DCHECK failure in !IsClearedWeakHeapObject() in maybe-object-inl.h

Project Member Reported by ClusterFuzz, Jul 31

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6391863691706368

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !IsClearedWeakHeapObject() in maybe-object-inl.h
  v8::platform::PrintStackTrace
  v8::internal::FeedbackNexus::ConfigureCloneObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=54798:54799

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6391863691706368

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jul 31

Labels: Test-Predator-Auto-Owner
Owner: ca...@igalia.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/d9f6c685f008ab8b669492b1c10ec44a9883de76 (Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Project Member

Comment 2 by sheriffbot@chromium.org, Jul 31

Labels: Pri-1
Project Member

Comment 3 by bugdroid1@chromium.org, Aug 1

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5caee70b664e81ccd57453a64757573aeb070107

commit 5caee70b664e81ccd57453a64757573aeb070107
Author: Caitlin Potter <caitp@igalia.com>
Date: Wed Aug 01 00:30:11 2018

Reland "Reland [CloneObjectIC] overwrite monomorphic/polymorphic feedback if deprecated"

An object with a deprecated Map which has already been cached in
CloneObjectIC feedback is still a valid Map for fast cloning --- but
to be consistent with other ICs, deprecated maps are ignored, and are
expected to be transitioned away from.

If the source object has a deprecated map, the instance is migrated.

BUG=v8:7611, chromium:867958, chromium:868586, chromium:869342, chromium:869347, chromium:869293
R=jkummerow@chromium.org, mvstanton@chromium.org

Reviewed-on: https://chromium-review.googlesource.com/1154143
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#54799}
Change-Id: I6e2f7b28c41bb9bd6255441da0f209a97bce5e8f
Reviewed-on: https://chromium-review.googlesource.com/1157142
Cr-Commit-Position: refs/heads/master@{#54830}
[modify] https://crrev.com/5caee70b664e81ccd57453a64757573aeb070107/src/feedback-vector.cc
[modify] https://crrev.com/5caee70b664e81ccd57453a64757573aeb070107/src/ic/ic.cc
[add] https://crrev.com/5caee70b664e81ccd57453a64757573aeb070107/test/mjsunit/es9/regress/regress-867958.js
[add] https://crrev.com/5caee70b664e81ccd57453a64757573aeb070107/test/mjsunit/es9/regress/regress-869342.js

Labels: M-69 Security_Impact-Beta
Project Member

Comment 5 by ClusterFuzz, Aug 1

ClusterFuzz has detected this issue as fixed in range 54799:54800.

Detailed report: https://clusterfuzz.com/testcase?key=6391863691706368

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8_dbg
Platform Id: windows

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !IsClearedWeakHeapObject() in maybe-object-inl.h
  v8::platform::PrintStackTrace
  v8::internal::FeedbackNexus::ConfigureCloneObject
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=54798:54799
Fixed: https://clusterfuzz.com/revisions?job=windows_asan_d8_dbg&range=54799:54800

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6391863691706368

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Aug 1

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6391863691706368 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 7 by sheriffbot@chromium.org, Aug 1

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by sheriffbot@chromium.org, Aug 3

Labels: Merge-Request-69
Project Member

Comment 9 by sheriffbot@chromium.org, Aug 3

Labels: -Merge-Request-69 Merge-Review-69 Hotlist-Merge-Review
This bug requires manual review: M69 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: awhalley@chromium.org
+awhalley@ (Security TPM) for M69 merge review.
+awhalley@ (Security TPM) for merge review.
govind@ - good for 69
Labels: -Merge-Review-69 Merge-Approved-69
Approving merge to M69 branch 3497 based on comment #12. Please merge ASAP. Thank you.
Please merge your change to M69 branch 3497 by 4:00 PM PT, Monday (08/06) so we can pick it up for next week M69 beta release. Thank you.
It looks like the commit that broke this isn't in M69 currently, merging this would be meaningless without merging the entire train of patches from https://bugs.chromium.org/p/v8/issues/detail?id=7611

Please correct me if I'm wrong about this?
Cc: hablich@chromium.org
+awhalley@ & hablich@ PTAL comment #15.
That is a lot of patches. +1 to not merging it, seems like it is not super critical security-wise?
Labels: -M-69 -Merge-Approved-69 Merge-Rejected-69 M-70
Yea, I think it best to wait until M70 in this case, unfortunately.
Well hang on, if this bug is there on the branch, then some part of that train must have landed, in which case merging makes sense. But I’m not sure this is actually repro-able on the branch
I think the security labels are a bit confused - clusterfuzz thinks this is 70 only, and the change in the regression range hasn't been merged to 69 afaict. So I believe there's no merge needed.
Ok, I think we can back off on the merging for all of these related bugs.
Labels: -Security_Impact-Beta Security_Impact-Head Target-70
Thanks
Project Member

Comment 23 by sheriffbot@chromium.org, Nov 7

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot