Issue 781116: DCHECK failure in false == cell_reports_intact in isolate.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5339828970586112

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  false == cell_reports_intact in isolate.cc
  v8::internal::Isolate::IsFastArrayConstructorPrototypeChainIntact
  v8::internal::compiler::CanInlineArrayResizeOperation

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47939:47940

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5339828970586112

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 3 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/82b3ac945cc8694d95111f823107ddc47c6cc0a2

commit 82b3ac945cc8694d95111f823107ddc47c6cc0a2
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Fri Nov 03 10:38:51 2017

[turbofan] Properly handle Array.prototype and Object.prototype in the runtime.

We don't use ICs for the Array.prototype and the Object.prototype because
the runtime has to be able to intercept them properly (for the global
protectors). So we better make sure that TurboFan doesn't outsmart the
system by storing to elements of either prototype directly.

Bug: chromium:781116
Change-Id: I0f521601ef02c1b21018abd1bf1028fd8a811e84
Reviewed-on: https://chromium-review.googlesource.com/753089
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49101}

[modify] https://crrev.com/82b3ac945cc8694d95111f823107ddc47c6cc0a2/src/compiler/node-properties.cc
[add] https://crrev.com/82b3ac945cc8694d95111f823107ddc47c6cc0a2/test/mjsunit/regress/regress-crbug-781116-1.js
[add] https://crrev.com/82b3ac945cc8694d95111f823107ddc47c6cc0a2/test/mjsunit/regress/regress-crbug-781116-2.js
Nov 4 2017

ClusterFuzz has detected this issue as fixed in range 49100:49101.

Detailed report: https://clusterfuzz.com/testcase?key=5339828970586112

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  false == cell_reports_intact in isolate.cc
  v8::internal::Isolate::IsFastArrayConstructorPrototypeChainIntact
  v8::internal::compiler::CanInlineArrayResizeOperation

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=47939:47940
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49100:49101

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5339828970586112

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 4 2017

ClusterFuzz testcase 5339828970586112 is verified as fixed, so closing issue as verified.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Feb 9 2018

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Nov 3 2017

Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)