p->IsSmi() in objects-debug.cc
Issue description (Dec 7 2016)

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6559282956075008
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: p->IsSmi() in objects-debug.cc
Regressed: V8: r41533:41534
Minimized Testcase (2.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95wG-jsqnGKDiGalFBrQVnTxw2-Q44C4OFaoEx2cTSwkCeK-350Y-XgtHtaxS66KZg57QmFA5PJRuj8-r3kLiAWbbxC_t6VQI4xWWxqoOariGknyfWNnCjmd-02sdyU1gTLGNcvwPwIFOUA0ijadPkh2s8Yyw?testcase_id=6559282956075008

Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Dec 7 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/87b84a341d06d53fbc1f189eede8b2709d864afe

commit 87b84a341d06d53fbc1f189eede8b2709d864afe
Author: gsathya <gsathya@chromium.org>
Date: Wed Dec 07 20:50:57 2016

[promises] Don't allocate new array before filling up existing array

Previously we created 3 FixedArrays and then filled them up with values. This meant that during the creation of the second and third FixedArray, there were one and two FixedArrays respectively, without any values in them, which broke the FixedArrayVerify.

This patch fills each FixedArray with the correct values before creating new ones.

BUG=chromium:672051

Review-Url: https://codereview.chromium.org/2554323003
Cr-Commit-Position: refs/heads/master@{#41564}

[modify] https://crrev.com/87b84a341d06d53fbc1f189eede8b2709d864afe/src/builtins/builtins-promise.cc
Dec 8 2016

ClusterFuzz has detected this issue as fixed in range 41545:41546.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6559282956075008
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: p->IsSmi() in objects-debug.cc
Regressed: V8: r41533:41534
Fixed: V8: r41545:41546
Minimized Testcase (2.16 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95wG-jsqnGKDiGalFBrQVnTxw2-Q44C4OFaoEx2cTSwkCeK-350Y-XgtHtaxS66KZg57QmFA5PJRuj8-r3kLiAWbbxC_t6VQI4xWWxqoOariGknyfWNnCjmd-02sdyU1gTLGNcvwPwIFOUA0ijadPkh2s8Yyw?testcase_id=6559282956075008

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 1 by titzer@chromium.org, Dec 7 2016

Owner: gsat...@chromium.org
Status: Assigned (was: Untriaged)