V8 correctness failure in configs: x64,ignition:x64,ignition_turbo
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5226258591121408
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 5ee
Sanitizer: address (ASAN)
Regressed: V8: 44217:44218
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95ghbhEjDh-IDlGWYdNaFagqkZ4_dLXvEvy-EPK3kgK8SwmpGUdglbO1fZ3OyfNEemm_oXZF_PahhNZNeRG9Z6Mimd-gTi47l8mok8CJSPbk0vJL32jrzE_ienui8qNl4Ryix4K4ZEp-YsFz9qkFxMqo2u6SFPr2SJ8r0ltBWHaXYHfG-8Rg8_QQMKSoSyVoPU1xPISqTyGjpORay9MGkeQVN1m9IWahuK2YzuAp9wRaooqX-N4N9nJ0OP6sg8jjg6hcmoC_iQ19ybBpAVHdQwAJSUOtz0g2ujB4mt_Xxa6jVvvHlXbDcJjOT6olCnfe5EqOQKXMWIo16g3Ap6ZnMXlDWTfzRFJcvaBUKkxZzpw7ih0mBYjyajAvV81-LsspTtt3GqoWjFrOrXFBP51q2ScjucAPA?testcase_id=5226258591121408
Issue filed automatically.
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 12 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d98dfd8b9b68635c3b974e1d91be414304dec35c

commit d98dfd8b9b68635c3b974e1d91be414304dec35c
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Apr 12 04:32:05 2017

Revert "[turbofan] Avoid going through ArgumentsAdaptorTrampoline for CSA/C++ builtins."

This reverts commit 9df5674bd53b4a262e72f45263df9e886842c269 because it is not compatible with the way that Array.prototype.reduceRight and Array.prototype.reduce deal with optional parameters at this point (i.e. parameters where the behavior is different depending on whether the parameter was skipped or undefined was passed).

In general, it might be better to not adapt arguments for builtins with optional parameters that are likely skipped, for example as in Object.create or Array.prototype.reduce, since that will require arguments adaptor frames for normal calls, especially from baseline code. Instead it might make sense to use the variadic arguments support in the CodeStubAssembler instead to avoid the arguments adaptor in all cases (not only when called from TurboFan optimized code).

BUG=v8:5267, chromium:709782, chromium:707992, chromium:708282, chromium:708599, chromium:709173, chromium:709747, chromium:707065, chromium:710417
TBR=danno@chromium.org

Review-Url: https://codereview.chromium.org/2817653002
Cr-Commit-Position: refs/heads/master@{#44593}

[modify] https://crrev.com/d98dfd8b9b68635c3b974e1d91be414304dec35c/src/compiler/js-call-reducer.cc
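An added illustration (not code from the bug report or from V8) of the optional-parameter semantics the reverted commit tripped over: reduce and reduceRight decide whether initialValue was supplied by the number of arguments actually passed, so a call path that pads a skipped argument with undefined changes the result. The differential check mirrors what a correctness fuzzer does, comparing two implementations of the same operation on the same input.

```javascript
// Added example, not code from the bug report or from V8. It shows why
// "initialValue skipped" and "initialValue explicitly undefined" must stay
// distinguishable for Array.prototype.reduce / reduceRight: the builtin
// decides by argument count, which an arguments adaptor that pads missing
// arguments with undefined would erase.
const add = (acc, x) => acc + x;

// Spec-style reduce: presence of initialValue is decided by the number of
// arguments actually passed, not by the value being undefined.
function reduceLike(arr, fn, ...rest) {
  let k = 0;
  let acc;
  if (rest.length > 0) {
    acc = rest[0];
  } else {
    if (arr.length === 0) {
      throw new TypeError("Reduce of empty array with no initial value");
    }
    acc = arr[k++]; // first element seeds the accumulator
  }
  for (; k < arr.length; k++) {
    acc = fn(acc, arr[k], k, arr);
  }
  return acc;
}

// What a padded call looks like: the missing argument arrives as undefined,
// so reduceLike can no longer tell "skipped" from "undefined".
function reduceWithPaddedArgs(arr, fn) {
  return reduceLike(arr, fn, undefined);
}

// Differential check in the spirit of the correctness fuzzer that filed this
// bug: the same program must give the same answer in every configuration.
// Returns true when the two implementations agree (NaN counts as equal to NaN).
function agreesWithBuiltin(arr, fn, ...rest) {
  const builtin = arr.reduce(fn, ...rest); // spreads zero or one argument
  const mine = reduceLike(arr, fn, ...rest);
  return Object.is(builtin, mine);
}

// Which elements reduceRight's callback actually sees when initialValue is
// skipped: the last element is consumed as the seed and never passed as x.
function reduceRightVisited(arr) {
  const seen = [];
  arr.reduceRight((acc, x) => { seen.push(x); return acc; });
  return seen;
}
```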
Apr 12 2017
ClusterFuzz has detected this issue as fixed in range 44592:44593.

Detailed report: https://clusterfuzz.com/testcase?key=5226258591121408
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 5ee
Sanitizer: address (ASAN)
Regressed: V8: 44217:44218
Fixed: V8: 44592:44593
Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95ghbhEjDh-IDlGWYdNaFagqkZ4_dLXvEvy-EPK3kgK8SwmpGUdglbO1fZ3OyfNEemm_oXZF_PahhNZNeRG9Z6Mimd-gTi47l8mok8CJSPbk0vJL32jrzE_ienui8qNl4Ryix4K4ZEp-YsFz9qkFxMqo2u6SFPr2SJ8r0ltBWHaXYHfG-8Rg8_QQMKSoSyVoPU1xPISqTyGjpORay9MGkeQVN1m9IWahuK2YzuAp9wRaooqX-N4N9nJ0OP6sg8jjg6hcmoC_iQ19ybBpAVHdQwAJSUOtz0g2ujB4mt_Xxa6jVvvHlXbDcJjOT6olCnfe5EqOQKXMWIo16g3Ap6ZnMXlDWTfzRFJcvaBUKkxZzpw7ih0mBYjyajAvV81-LsspTtt3GqoWjFrOrXFBP51q2ScjucAPA?testcase_id=5226258591121408
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/ddf03166c01372d8da269cfaa00188e3113465ce

commit ddf03166c01372d8da269cfaa00188e3113465ce
Author: Michael Hablich <hablich@chromium.org>
Date: Thu Apr 13 12:23:05 2017

Merged: Revert "[turbofan] Avoid going through ArgumentsAdaptorTrampoline for CSA/C++ builtins."

Revision: d98dfd8b9b68635c3b974e1d91be414304dec35c

BUG=chromium:707065, chromium:707992, chromium:708282, chromium:708599, chromium:709173, chromium:709747, chromium:709782, chromium:710417, v8:5267
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Change-Id: I2363c9012d7107e5e246d46bf6938bead642b486
Reviewed-on: https://chromium-review.googlesource.com/476351
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#4}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}

[modify] https://crrev.com/ddf03166c01372d8da269cfaa00188e3113465ce/src/compiler/js-call-reducer.cc
Comment 1 by machenb...@chromium.org, Apr 5 2017
Status: Duplicate (was: Untriaged)