Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/7a75da342fe6353e7a2ab3d78bc902217426849a ([Turbofan] Enable reducers to report their name to make reducer tracing clearer).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

The assigned owner "alexandret@google.com" is not able to receive e-mails, please re-triage.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Michi, I think you fixed this recently. Please take a look.

Yes, repro looks the same as one of my regression tests to  issue 768080 . Unfortunately ClusterFuzz seems to think it is not yet fixed, I'll double-check.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2d80e84153db1774357b05544afefd68d03deb3b

commit 2d80e84153db1774357b05544afefd68d03deb3b
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Wed Oct 18 12:02:44 2017

[turbofan] Properly restrict {JSCreate} to constructors.

This makes sure that the lowering of {JSCreate} operator during create
lowering is only applied to operations where both target and new.target
are known to be constructors.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-768080
BUG= chromium:774780 , chromium:768080 

Change-Id: I55a582a3453bba7e14655b594b7714a3940eeaae
Reviewed-on: https://chromium-review.googlesource.com/725332
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#48680}
[modify] https://crrev.com/2d80e84153db1774357b05544afefd68d03deb3b/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/2d80e84153db1774357b05544afefd68d03deb3b/test/mjsunit/regress/regress-crbug-768080.js

ClusterFuzz has detected this issue as fixed in range 48679:48680.

Detailed report: https://clusterfuzz.com/testcase?key=6139914478682112

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  original_constructor->IsConstructor() in js-create-lowering.cc
  v8::internal::compiler::JSCreateLowering::ReduceJSCreate
  v8::internal::compiler::GraphReducer::Reduce
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=46551:46552
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=48679:48680

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6139914478682112

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6139914478682112 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d12f799c23219ed318309a56efb584c933b7948b

commit d12f799c23219ed318309a56efb584c933b7948b
Author: Michael Starzinger <mstarzinger@google.com>
Date: Fri Nov 03 09:38:29 2017

Merged: Squashed multiple commits.

Merged: [turbofan] Fix new.target check in Reflect.construct.
Revision: afd2f580c536343bf74d690a4bdd049cb6309113

Merged: [turbofan] Properly restrict {JSCreate} to constructors.
Revision: 2d80e84153db1774357b05544afefd68d03deb3b

R=bmeurer@chromium.org
BUG= chromium:768080 , chromium:774780 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true

Change-Id: I0d6aee91294aa8d2a187a908a4a9b517126ab1ea
Reviewed-on: https://chromium-review.googlesource.com/753088
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.3@{#50}
Cr-Branched-From: 094a7c93dcdcd921de3883ba4674b7e1a0feffbe-refs/heads/6.3.292@{#1}
Cr-Branched-From: 18b8fbb528a8021e04a029e06eafee50b918bce0-refs/heads/master@{#48432}
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/effect-control-linearizer.h
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/opcodes.h
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/simplified-operator.cc
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/simplified-operator.h
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/typer.cc
[modify] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/src/compiler/verifier.cc
[add] https://crrev.com/d12f799c23219ed318309a56efb584c933b7948b/test/mjsunit/regress/regress-crbug-768080.js

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot