Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/0ac7a48ae8c6dbfd1dd4c9e6d5cd4b1a8bd72fe1 ([foozzie] Add slow-path correctness fuzzing variants).

If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.

Simpler repro (works with slow path or slow path opt). Is this different to  issue 800538 ?

function f() {
  v.__defineGetter__("unicode", function() { print("boom") });
}
v = /./;
v[Symbol.split]("abc", { valueOf: f });

// Output:

# Compared x64,ignition with x64,slow_path_opt
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -799967220 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,slow_path_opt:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -799967220 --always-opt --force-slow-path --suppress-asm-messages
#
# Difference:
- boom
#
### Start of configuration x64,ignition:
boom

### End of configuration x64,ignition
#
### Start of configuration x64,slow_path_opt:

### End of configuration x64,slow_path_opt

Hmm, at first glance it looks different. The repro is kinda similar (an overridden flags getter), but the bug seems to be in split this time. 

I'll investigate, lowering prio.

Spec: https://tc39.github.io/ecma262/#sec-regexp.prototype-@@split

This is a minor spec violation in which ToUint32(limit) ends up being called before the flags getter if the regexp transitions to slow mode during the ToUint32 call.

I suppose a reasonable fix is to avoid ToUint32 entirely on the fast path and bail to runtime if limit is not undefined or a positive smi.

Note that even after this the fast path won't be entirely spec-compliant, since it ignores a modified `RegExp.constructor` property.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/557e79ca19937c51aaee8dd9c03bb88ebf1e971e

commit 557e79ca19937c51aaee8dd9c03bb88ebf1e971e
Author: Jakob Gruber <jgruber@chromium.org>
Date: Fri Jan 12 13:00:39 2018

[regexp] Fix spec ordering issue in @@split

This fixes a spec bug in which the order of calls to 1) the flag getter
and 2) ToUint32(limit) was incorrect if ToUint32 pushes the regexp
instance onto the slow path. We are now more restrictive and completely
avoid ToUint32 on the fast path.

Bug:  chromium:801171 
Change-Id: I21d15fe566754d2bc05853f895636bb882fbf599
Reviewed-on: https://chromium-review.googlesource.com/863644
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50533}
[modify] https://crrev.com/557e79ca19937c51aaee8dd9c03bb88ebf1e971e/src/builtins/builtins-regexp-gen.cc
[add] https://crrev.com/557e79ca19937c51aaee8dd9c03bb88ebf1e971e/test/mjsunit/regress/regress-801171.js

ClusterFuzz has detected this issue as fixed in range 50532:50533.

Detailed report: https://clusterfuzz.com/testcase?key=4991221188788224

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path_opt
  sources: 0ba
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50381:50382
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50532:50533

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4991221188788224

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4991221188788224 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.