Bisects to https://chromium.googlesource.com/v8/v8/+/245ab01ad46d0ac5cf307049a9ba5bd2b6b2f0a4

PTAL

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d06d4ce2c4b36d722d4cb788c3962b4e92ab7a47

commit d06d4ce2c4b36d722d4cb788c3962b4e92ab7a47
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Apr 26 12:02:12 2017

[turbofan] Fix lowering of Array constructor with one argument.

Only create a singleton array for Array(len) if Type(len) cannot be
Number, otherwise we might need to throw an exception instead.

BUG= chromium:715404 
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2838123004
Cr-Commit-Position: refs/heads/master@{#44886}

[modify] https://crrev.com/d06d4ce2c4b36d722d4cb788c3962b4e92ab7a47/src/compiler/js-create-lowering.cc
[add] https://crrev.com/d06d4ce2c4b36d722d4cb788c3962b4e92ab7a47/test/mjsunit/regress/regress-crbug-715404.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/23bb8fa9c035191f292826398780267a888b2228

commit 23bb8fa9c035191f292826398780267a888b2228
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Apr 26 17:36:32 2017

[test] Increase test coverage for Array constructor inlining.

This still doesn't cover all the paths yet, since some paths are
impossible to trigger at this point due to the way the CanInlineCall
predicate works on the AllocationSite, which says multiple things:

 - In case of Array(len), the len was always a Smi so far.
 - In case of Array(...args), storing the args didn't change the
   elements kind.
 - In case of Array(len), the len was always less than the initial
   maximum fast element array size.

These conditions are tailored towards Crankshaft and don't really
make a lot of sense in the TurboFan world. We'd need more fine
grained protections, which we will achieve by refactoring the Array
constructor.

BUG= chromium:715404 , v8:6262 
TBR=machenbach@chromium.org

Review-Url: https://codereview.chromium.org/2843033002
Cr-Commit-Position: refs/heads/master@{#44901}

[add] https://crrev.com/23bb8fa9c035191f292826398780267a888b2228/test/mjsunit/compiler/array-constructor.js

ClusterFuzz has detected this issue as fixed in range 44885:44886.

Detailed report: https://clusterfuzz.com/testcase?key=5084811913068544

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: cce
  
Sanitizer: address (ASAN)

Regressed: V8: 44687:44688
Fixed: V8: 44885:44886

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5084811913068544


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.