
Issue 639752


Issue metadata

Status: Fixed
Owner:
Closed: Aug 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




index < length() in builtins-utils.h

Project Member Reported by ClusterFuzz, Aug 22 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4509688458903552

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  index < length() in builtins-utils.h
  
Regressed: V8: r38757:38758

Minimized Testcase (12.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97nmZMA0JyE2tY0-PPEnIDQ_vuy-LDN-k8fNTsva8OFXe8BxIuLQ5tn32h6rijUlw9TitHo_EQMaH6_qJdnvjWiIL0sT79RT7VLP411akd9OMY1PgCl4XzdKgBEgA8NL527cvrSyT2Us6f5-_RC6ad7QT672Q?testcase_id=4509688458903552

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: jarin@chromium.org verwa...@chromium.org
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Regression range and repro points towards CPP builtins inlining.
Project Member

Comment 2 by ClusterFuzz, Aug 22 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4723600110387200

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  4 == args.length() in builtins-object.cc
  
Regressed: V8: r38757:38758

Minimized Testcase (8.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ATym9pdM-eREs115sd8Nv47nGAynEvVBOvbJh4yXUvZ4pcYu3HCCX3A8MqXkROitsndXE_yYAzGOtncLGFwshxyrHDZONGORWlFScia030GarKYP-E4W_K-jazerpx8QAr_E0iWK3P7zsVUD1iVF9K10XrA?testcase_id=4723600110387200

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
As per request, here is one repro ...

"use strict";
function foo() {
  // Hot loop so the function gets optimized by TurboFan.
  for (var i = 0; i < 10000; i++) {
    try {
      // Each inner call passes one argument to a C++ builtin whose formal
      // parameter count differs (toLocaleString declares 0, __defineSetter__
      // declares 2), so an inlined call needs argument adaption; this is the
      // case the fix in comment 4 excludes from inlining. The calls throw and
      // are caught, so the loop keeps running.
      for (;;) { toLocaleString(__defineSetter__(parseInt('0x'))) }
    } catch(e) {
      if (typeof a == "number") return a && isNaN(b);
    }
  }
}
foo();
Project Member

Comment 4 by bugdroid1@chromium.org, Aug 22 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/be23ef541b7f48e81f7106e8522a510fb0f441b6

commit be23ef541b7f48e81f7106e8522a510fb0f441b6
Author: jgruber <jgruber@chromium.org>
Date: Mon Aug 22 14:55:14 2016

[turbofan] Disable inlining of Cpp builtins in need of argument adaption

Disable inlining of Cpp to a direct CEntryStub call when a call would
require argument adaption, i.e. when argument adaption is enabled for
the given function and the actual argument count differs from the formal
parameter count.

This is intended to be a temporary fix until we either disable argument
adaption for all Cpp builtins or add adaption logic to inlined Cpp
builtins.

BUG= chromium:639752 

Review-Url: https://codereview.chromium.org/2266893002
Cr-Commit-Position: refs/heads/master@{#38788}

[modify] https://crrev.com/be23ef541b7f48e81f7106e8522a510fb0f441b6/src/compiler/js-typed-lowering.cc

Status: Fixed (was: Assigned)
Project Member

Comment 6 by ClusterFuzz, Aug 23 2016

ClusterFuzz has detected this issue as fixed in range 38787:38788.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4509688458903552

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  index < length() in builtins-utils.h
  
Regressed: V8: r38757:38758
Fixed: V8: r38787:38788

Minimized Testcase (12.08 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97nmZMA0JyE2tY0-PPEnIDQ_vuy-LDN-k8fNTsva8OFXe8BxIuLQ5tn32h6rijUlw9TitHo_EQMaH6_qJdnvjWiIL0sT79RT7VLP411akd9OMY1PgCl4XzdKgBEgA8NL527cvrSyT2Us6f5-_RC6ad7QT672Q?testcase_id=4509688458903552

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by ClusterFuzz, Aug 23 2016

ClusterFuzz has detected this issue as fixed in range 38787:38788.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4723600110387200

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  4 == args.length() in builtins-object.cc
  
Regressed: V8: r38757:38758
Fixed: V8: r38787:38788

Minimized Testcase (8.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97ATym9pdM-eREs115sd8Nv47nGAynEvVBOvbJh4yXUvZ4pcYu3HCCX3A8MqXkROitsndXE_yYAzGOtncLGFwshxyrHDZONGORWlFScia030GarKYP-E4W_K-jazerpx8QAr_E0iWK3P7zsVUD1iVF9K10XrA?testcase_id=4723600110387200

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
