Issue 672792 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Dec 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Project Member Reported by ClusterFuzz, Dec 9 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5981425976475648

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  
Regressed: V8: r39561:39562

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv969X0niAqHZmDAriF3NISmb1JierR_4wykqdrrLb4AfU8V8mRN3JYBz1ZCPIAitMWcfwQ21bQ1iQNa5lVMCEN8ZwIXGau-aZ5qYcy9JOdtYUBoo4fsiLWSHTzftdbyGxSAKKUAaEPmzg5jJJQjOUCueJdoCHg?testcase_id=5981425976475648
__v_5 = eval;
function __f_0(size) {
  var __v_0 = "function f(x) {" +
             "  if (x > 0) return [";
  for (var __v_3 = 0; __v_3 < size; __v_3++) {
    __v_0 += "0.1, ";
  }
  __v_0 += "  ];" +
          "}";
  __v_5(__v_0);
}
__v_4 = 65535;
__f_0(__v_4);
f(1);
f(1);


Issue manually filed by: titzer

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Owner: rmcilroy@chromium.org
Assigning to rmcilroy@. This bisects to a CL by klaasb@ from September.

Comment 2 by ishell@chromium.org, Dec 12 2016

Status: Assigned (was: Untriaged)
Cc: mstarzinger@chromium.org
Related to issue 635664. Simplified and cleaned up repro case ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Generate a function {f} containing a large array literal of doubles.
eval("function f() { return [" + String("0.1,").repeat(65535) + "] }");

// Running the function once will initialize the boilerplate.
assertEquals(65535, f().length);

// Running the function again will perform cloning.
assertEquals(65535, f().length);
Cc: -mstarzinger@chromium.org rmcilroy@chromium.org
Owner: mstarzinger@chromium.org
I'll grab this for a hot minute. :-)

Comment 5 by bugdroid1@chromium.org, Dec 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6c620e531268ca6dcdb858a75cc75c68e6b2a44b

commit 6c620e531268ca6dcdb858a75cc75c68e6b2a44b
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Dec 15 10:29:47 2016

Fix usage of literal cloning for large double arrays.

This fixes a corner case where the {FastCloneShallowArrayStub} was used
for literals that are backed by a double backing store and would exceed
limits for new-space allocations on 32-bit architectures. The stub in
question does not support such literals, callers must use the runtime.
Note that this fix is for Ignition as well as FullCodeGenerator.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-672792
BUG= chromium:672792 

Review-Url: https://codereview.chromium.org/2570843002
Cr-Commit-Position: refs/heads/master@{#41713}

[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/ast/ast.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/ast/ast.h
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/code-stubs.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/code-stubs.h
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/compiler/js-generic-lowering.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/full-codegen/full-codegen.cc
[modify] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/src/interpreter/bytecode-generator.cc
[add] https://crrev.com/6c620e531268ca6dcdb858a75cc75c68e6b2a44b/test/mjsunit/regress/regress-crbug-672792.js

Status: Fixed (was: Assigned)

Comment 7 by ClusterFuzz, Dec 16 2016

ClusterFuzz has detected this issue as fixed in range 41712:41713.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5981425976475648

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  
Regressed: V8: r39561:39562
Fixed: V8: r41712:41713


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.