CHECK failure: byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6102820754030592
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc
  v8::internal::JSArrayBufferView::JSArrayBufferViewVerify
  v8::internal::JSTypedArray::JSTypedArrayVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=56007:56008
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6102820754030592

Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
Sep 21

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/129f7701489c4a9dee0bffac8a5d638f35955842

commit 129f7701489c4a9dee0bffac8a5d638f35955842
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Fri Sep 21 12:02:12 2018

[es2015] Setup JSTypedArray after allocating the JSArrayBuffer.

When constructing a TypedArray by length, only actually setup the JSTypedArray instance once the buffer is allocated, as only at that time it's known whether the byte length is fine. Otherwise we confuse the heap verifier.

Bug: chromium:887891
Change-Id: I407ff9a2a053dd11ef764e4e32f482abb27eb0a8
Reviewed-on: https://chromium-review.googlesource.com/1238494
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56131}

[modify] https://crrev.com/129f7701489c4a9dee0bffac8a5d638f35955842/src/builtins/builtins-typed-array-gen.cc
[add] https://crrev.com/129f7701489c4a9dee0bffac8a5d638f35955842/test/mjsunit/regress/regress-crbug-887891.js
Sep 22

ClusterFuzz has detected this issue as fixed in range 56130:56131.

Detailed report: https://clusterfuzz.com/testcase?key=6102820754030592
Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  byte_length() <= JSArrayBuffer::kMaxByteLength in objects-debug.cc
  v8::internal::JSArrayBufferView::JSArrayBufferViewVerify
  v8::internal::JSTypedArray::JSTypedArrayVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=56007:56008
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm_dbg&range=56130:56131
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6102820754030592

See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 22

ClusterFuzz testcase 6102820754030592 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 28

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Sep 21

Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)