CHECK failure: args[1]->IsJSReceiver() in runtime-typedarray.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5562915190210560
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[1]->IsJSReceiver() in runtime-typedarray.cc
Sanitizer: address (ASAN)
Regressed: V8: 44912:44913
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5562915190210560
Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 2 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/74aa7ff308e64266ce72b04f4dfac160d44b90da

commit 74aa7ff308e64266ce72b04f4dfac160d44b90da
Author: Peter Marshall <petermarshall@chromium.org>
Date: Tue May 02 13:47:29 2017

[builtins] Fix TypedArray.Set for string inputs.

String inputs would end up in the fast-path, crashing because it expected an array type. Add the fast path explicitly when the source is a TypedArray, and let everything else fall back to the generic JS implementation.

Bug: chromium:715971
Change-Id: Ieec28e93279047d403e00ed2676dc1eda193c033
Reviewed-on: https://chromium-review.googlesource.com/493226
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45034}

[modify] https://crrev.com/74aa7ff308e64266ce72b04f4dfac160d44b90da/src/js/typedarray.js
[modify] https://crrev.com/74aa7ff308e64266ce72b04f4dfac160d44b90da/test/mjsunit/es6/typedarray.js
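The commit above routes every non-TypedArray source of TypedArray.prototype.set through the generic JS implementation. The block below is an added example, not code from the V8 issue, the commit or the ClusterFuzz testcase: it writes out what that generic path is required to do by the ECMA-262 algorithm for array-like sources (ToObject the source, read its length, write each element through the target's own numeric conversion) and checks a live, fixed engine's builtin set against it for string, plain-array, array-like and TypedArray sources. The helper names genericSet, compareSet, agrees and runAll, and the sample sources, are this example's own.

```javascript
// Added example: reference implementation of the generic (array-like) path of
// %TypedArray%.prototype.set, compared against the engine's builtin. The helper
// names and sample inputs are constructed here; none come from the V8 change.

// Spec shape of the generic path: ToObject(source), LengthOfArrayLike, then one
// indexed write per element. The indexed write on a TypedArray applies the same
// ToNumber + wrap/clamp conversion the builtin uses, so a string source such as
// "123" yields 1,2,3 and a non-numeric character yields NaN (0 in integer arrays).
function genericSet(target, source, offset = 0) {
  if (!Number.isInteger(offset) || offset < 0) throw new RangeError("bad offset");
  const src = Object(source);          // primitives (strings) become wrapper objects
  const len = src.length >>> 0;        // array-like length, as ToLength would give
  if (offset + len > target.length) throw new RangeError("source is too large");
  for (let k = 0; k < len; k++) {
    target[offset + k] = Number(src[k]);
  }
  return target;
}

// Run one source through both the builtin and the reference; return both views.
function compareSet(TA, size, source, offset = 0) {
  const builtin = new TA(size);
  const reference = new TA(size);
  builtin.set(source, offset);
  genericSet(reference, source, offset);
  return { builtin: Array.from(builtin), reference: Array.from(reference) };
}

// Element-wise agreement using Object.is so NaN compares equal to NaN.
function agrees(result) {
  return result.builtin.length === result.reference.length &&
    result.builtin.every((v, i) => Object.is(v, result.reference[i]));
}

// Constructed sources of different shapes; the first three are the string case
// the commit message is about, the last is the TypedArray fast path.
const cases = [
  [Uint8Array, 4, "123"],                          // "1","2","3" -> 1,2,3
  [Uint8Array, 4, "abc", 1],                       // NaN -> 0 in an integer array
  [Float64Array, 3, "5x"],                         // NaN is preserved in a float array
  [Int8Array, 4, [300, -1, 1.9]],                  // wrap to int8: 44, -1, 1
  [Uint8Array, 4, { length: 2, 0: "7", 1: 8 }],    // plain array-like object
  [Uint8Array, 4, new Uint16Array([65535, 2])],    // TypedArray source, 65535 -> 255
];

function runAll() {
  return cases.map(([TA, size, src, off]) => compareSet(TA, size, src, off));
}

module.exports = { genericSet, compareSet, agrees, runAll };
```

Running this on a current engine, every case agrees, which is the property the fallback has to keep: a string is just another array-like whose characters go through ToNumber, and only a genuine TypedArray source may take the memcpy-style fast path.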
May 3 2017

ClusterFuzz has detected this issue as fixed in range 45033:45034.

Detailed report: https://clusterfuzz.com/testcase?key=5562915190210560
Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args[1]->IsJSReceiver() in runtime-typedarray.cc
Sanitizer: address (ASAN)
Regressed: V8: 44912:44913
Fixed: V8: 45033:45034
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5562915190210560

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 3 2017
Comment 1 by mstarzinger@chromium.org, Apr 27 2017

Owner: petermarshall@chromium.org
Status: Assigned (was: Untriaged)