ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://clusterfuzz.com/testcase?key=6233928351088640.

Detailed report: https://clusterfuzz.com/testcase?key=6233928351088640

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !is_the_hole(index) in fixed-array-inl.h
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45323:45324

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6233928351088640

See https://github.com/google/clusterfuzz-tools for more information.

Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/cd33ec554285b7d0299d636ccebe539c85fd700a ([runtime] avoid trim/grow loop when adding and removing one element).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Tobias, is this a security vulnerability, if not please remove security tags and change Type-Bug-Security -> Type-Bug.

I'm confident this is not a security issue. It is just a correctness issue in weird and probably rare circumstances.
I described the root cause in my WIP fix: https://chromium-review.googlesource.com/c/v8/v8/+/1293571

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5b92f91ccdfedb3fed03d3bbaa8fec2d99520b98

commit 5b92f91ccdfedb3fed03d3bbaa8fec2d99520b98
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Tue Oct 23 09:07:37 2018

[elements] handle OOB-holes in Array.prototype.includes fast-path

In the ElementsAccessor fast-path for Array.prototype.includes, we
iterate backing-store elements according to start and length numbers
which might or might not be within the JSArray::length field, for
example when side-effects changed the receiver while start and length
are computed. So even when we have a packed ElementsKind, we might still
observe the hole. This is fine, since logical out-of-bounds accesses
are safe in this case, but it means we must not rely on the
ElementsKind telling us if we can encounter holes.

Bug:  chromium:897098 
Change-Id: I17db38246aef6edbdd5cee30598cbf7619aba6d8
Reviewed-on: https://chromium-review.googlesource.com/c/1293571
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56884}
[modify] https://crrev.com/5b92f91ccdfedb3fed03d3bbaa8fec2d99520b98/src/elements.cc
[add] https://crrev.com/5b92f91ccdfedb3fed03d3bbaa8fec2d99520b98/test/mjsunit/regress/regress-crbug-897098.js

ClusterFuzz has detected this issue as fixed in range 56883:56884.

Detailed report: https://clusterfuzz.com/testcase?key=6233928351088640

Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  !is_the_hole(index) in fixed-array-inl.h
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=45323:45324
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=56883:56884

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6233928351088640

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6233928351088640 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.