Issue 897406

Issue metadata

Status: Verified
Owner:
Closed: Oct 22
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug-Regression
CHECK failure: generator_object->is_executing() in isolate.cc

Reported by ClusterFuzz (Project Member), Oct 20

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5196707716136960

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  generator_object->is_executing() in isolate.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=56589:56590

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5196707716136960

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Comment 1 by ClusterFuzz (Project Member), Oct 20

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/9f28c129a0fe25eb6adab6e5ff92576e0381e6f4 ([async] Introduce the notion of a "current microtask".).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Labels: Security_Impact-Head M-72
Comment 3 by sheriffbot@chromium.org (Project Member), Oct 20

Labels: ReleaseBlock-Stable
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 4 by sheriffbot@chromium.org (Project Member), Oct 20

Labels: Pri-1
Labels: -Type-Bug-Security -Pri-1 -Restrict-View-SecurityTeam -Security_Impact-Head -Security_Severity-High -ReleaseBlock-Stable Pri-2 Type-Bug-Regression
It's not a security issue, and definitely not a blocker, since it requires both --expose-async-hooks (which is test-only flag) and --async-stack-traces (which is off by default right now).
Comment 6 by bugdroid1@chromium.org (Project Member), Oct 22

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2a08adbb6b6a542047628b1258dff63a7f0e99ef

commit 2a08adbb6b6a542047628b1258dff63a7f0e99ef
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Mon Oct 22 07:06:22 2018

[async] Gracefully handle suspended generators.

With async_hooks it's also possible that the "current microtask" is an
await task, whose generator is already suspended, when there's an
exception thrown in the AFTER callback. In that case we cannot build
a meaningful async stack trace.

Bug: chromium:897406, v8:7522
Change-Id: I682dc1fc3ebb1864e1c2061041ff99ced0313f0c
Reviewed-on: https://chromium-review.googlesource.com/c/1292057
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56839}
[modify] https://crrev.com/2a08adbb6b6a542047628b1258dff63a7f0e99ef/src/isolate.cc
[add] https://crrev.com/2a08adbb6b6a542047628b1258dff63a7f0e99ef/test/mjsunit/regress/regress-crbug-897406.js

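The following is an added reproducer shaped after the commit message above; it is not the mjsunit test the commit adds (regress-crbug-897406.js is not shown on this page) and not ClusterFuzz's testcase. It installs an async_hooks AFTER callback that throws while the current microtask is an await task whose generator has already suspended again, which is the state the commit says could not be turned into a meaningful async stack trace. Assumptions: d8 exposes a global `async_hooks` with `createHook({after}).enable()` under --expose-async-hooks (the hook API as d8 ships it is assumed here), and the flags from comment 5 are passed (`d8 --expose-async-hooks --async-stack-traces repro.js`). Under Node the same file runs with the throw disabled, because Node treats an exception escaping a hook callback as fatal; there it only shows the async frames that the async-stack-trace machinery adds, which is the output the CHECK was protecting.

```javascript
// Added example, not the commit's regression test. Shaped after the commit
// message: an async_hooks AFTER callback throws while the current microtask is
// an await task whose generator is already suspended.
//
//   d8 --expose-async-hooks --async-stack-traces repro.js  (assumed d8 hook API)
//   node repro.js  (hook throw disabled: Node aborts on exceptions in hook callbacks)

// d8 exposes `async_hooks` as a global only under --expose-async-hooks;
// Node ships it as a module. Neither available (e.g. ESM without require) -> no hook.
const isD8 = typeof async_hooks === 'object';
const hooks = isD8 ? async_hooks
            : (typeof require === 'function' ? require('async_hooks') : null);

// Installs an AFTER hook. With throwInAfter=true (d8 only) it throws, which is
// the trigger described in the commit message; otherwise it just counts calls.
function installAfterHook(throwInAfter) {
  const state = { afterCalls: 0 };
  if (!hooks) return state;
  hooks.createHook({
    after() {
      state.afterCalls++;
      if (throwInAfter) throw new Error('thrown from async_hooks AFTER callback');
    },
  }).enable();
  return state;
}

// Two awaits: the AFTER callback for the first resumption runs once inner() has
// suspended again at the second await, i.e. while its generator is not executing.
async function inner() {
  await null;
  await null;
  throw new Error('boom');
}

async function outer() {
  await inner();
}

// Returns the stack captured for an error thrown after the awaits.
async function stackAfterAwait() {
  try {
    await outer();
  } catch (e) {
    return e.stack;
  }
  return '';
}

// Extracts function names from "at async <name>" frames, the frames that async
// stack traces add on top of the synchronous ones (expected to list outer here).
function asyncFrameNames(stack) {
  return stack.split('\n')
    .map(l => l.trim())
    .filter(l => l.startsWith('at async '))
    .map(l => l.split(' ')[2]);
}

const hookState = installAfterHook(isD8);

stackAfterAwait().then(stack => {
  console.log(stack);
  console.log('async frames:', asyncFrameNames(stack), 'AFTER calls:', hookState.afterCalls);
});
```

Against a d8 build in the regressed range, with both flags, the throw inside `after` is the point at which `CaptureAsyncStackTrace` in isolate.cc walks from the current microtask to a generator that is suspended, which is the CHECK this issue reports; the commit's fix is to stop building the async trace there instead of asserting, so a fixed build should report the hook's exception without aborting. Without `--expose-async-hooks` there is no hook to throw from, and without `--async-stack-traces` the trace walk that hits the CHECK is not attempted, which is why comment 5 downgrades the issue.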
Comment 7 by ClusterFuzz (Project Member), Oct 22

ClusterFuzz has detected this issue as fixed in range 56838:56839.

Detailed report: https://clusterfuzz.com/testcase?key=5196707716136960

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  generator_object->is_executing() in isolate.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=56589:56590
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=56838:56839

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5196707716136960

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Oct 22

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5196707716136960 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Issue 897621 has been merged into this issue.