
Issue 803750

Starred by 1 user

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security


CHECK failure: size <= kMaxRegularHeapObjectSize in runtime-internal.cc

Project Member Reported by ClusterFuzz, Jan 19 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6713497672220672

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=50679:50680

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6713497672220672

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Jan 19 2018

Labels: Test-Predator-Auto-Owner
Owner: delph...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/0d4ed06cac780d71ce1bd6445351921a4fce7312 (Replace JS version of Array.of with a CSA version).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Simplest code to trigger: Array.of.apply(1, Array(63387))

In this case any non-constructor as the receiver triggers using AllocateJSArray. The second argument is an array of size 63387 so that's the number of arguments to Array.of, which means we attempt to allocate an array that's larger than kMaxRegularHeapObjectSize.

Fix should be to check the size that will be generated and do something else if it's too big.
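The comment above turns on which allocation path Array.of takes: a constructor receiver is instantiated with the requested length, any other receiver gets a plain array, and in the affected build the plain-array path fell over once the argument count pushed the backing store past kMaxRegularHeapObjectSize. The script below is an added illustration, not code from the issue or from V8's regression test; it calls Array.of through both kinds of receiver and reports the shape of the result, so a fixed engine returns a correctly sized array for the count from the report (63387) instead of hitting the CHECK. The helper names (arrayOfWithReceiver, checkNonConstructorReceivers, Tagged, arrayOfWithConstructor) and the sample inputs are constructed for this example.

```javascript
// Added example, not code from the issue or from V8. It exercises the
// dispatch described in the comment above: Array.of builds its result with
// `new C(len)` when the receiver C is a constructor, and otherwise creates a
// plain Array of `len` elements. 63387 is the argument count from the
// report; all other values here are constructed for illustration.

// Call Array.of with `count` arguments (all undefined) on the given receiver,
// the same shape as the reproducer in the report (Array(count) yields holes,
// which apply spreads as `count` undefined arguments). A RangeError means the
// engine's own argument-count limit was hit, which is a separate, benign limit
// unrelated to the heap-object size check.
function arrayOfWithReceiver(receiver, count) {
  try {
    const result = Array.of.apply(receiver, Array(count));
    return {
      ok: true,
      length: result.length,
      isArray: Array.isArray(result),
      ctor: result.constructor,
    };
  } catch (e) {
    if (e instanceof RangeError) return { ok: false, error: 'RangeError' };
    throw e;
  }
}

// Non-constructor receivers (a number, a plain object, an arrow function)
// all take the plain-array path: the result is an ordinary Array whose
// length equals the argument count.
function checkNonConstructorReceivers(count) {
  const receivers = [1, {}, () => {}];
  return receivers.map((r) => arrayOfWithReceiver(r, count));
}

// A constructor receiver is invoked as `new Tagged(count)`; Array.of then
// writes each argument as an index property and finally sets `length`.
function Tagged(len) {
  this.requestedLength = len;
}

function arrayOfWithConstructor(...args) {
  const result = Array.of.apply(Tagged, args);
  return {
    isTagged: result instanceof Tagged,
    requestedLength: result.requestedLength,
    length: result.length,
    // result is array-like (indexed properties plus length), so Array.from
    // copies the elements Array.of stored on it.
    elements: Array.from(result),
  };
}

// Summary of the three cases for a quick look at the behaviour.
function summarize() {
  return {
    small: checkNonConstructorReceivers(5),
    large: arrayOfWithReceiver(1, 63387),
    tagged: arrayOfWithConstructor('a', 'b', 'c'),
  };
}
```

Running `summarize()` on a fixed engine gives three plain arrays of length 5, one plain array of length 63387 (or a RangeError if the host's argument limit is lower than the report's count), and a Tagged instance with requestedLength 3 holding the three elements; on the affected build the large case is the one that crashed.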
Project Member

Comment 3 by sheriffbot@chromium.org, Jan 19 2018

Labels: Pri-1
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 19 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/08b0ff26c5eeff90295bea3d921157b581bd9ed4

commit 08b0ff26c5eeff90295bea3d921157b581bd9ed4
Author: Dan Elphick <delphick@chromium.org>
Date: Fri Jan 19 16:11:18 2018

Fix Array.of crashing when called with lots of parameters

When the array created would exceed the maximum size for a regular heap
object, instead create it using Runtime::kNewArray directly rather than
via AllocateJSArray.

Bug: chromium:803750
Change-Id: I78cd82edf5a813a2ed69272361e0ca07f864c5ba
Reviewed-on: https://chromium-review.googlesource.com/876011
Commit-Queue: Dan Elphick <delphick@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50726}
[modify] https://crrev.com/08b0ff26c5eeff90295bea3d921157b581bd9ed4/src/builtins/builtins-array-gen.cc
[add] https://crrev.com/08b0ff26c5eeff90295bea3d921157b581bd9ed4/test/mjsunit/regress/regress-803750.js

Project Member

Comment 5 by ClusterFuzz, Jan 20 2018

ClusterFuzz has detected this issue as fixed in range 50725:50726.

Detailed report: https://clusterfuzz.com/testcase?key=6713497672220672

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  size <= kMaxRegularHeapObjectSize in runtime-internal.cc
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=50679:50680
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=50725:50726

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6713497672220672

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 6 by ClusterFuzz, Jan 20 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 6713497672220672 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 7 by sheriffbot@chromium.org, Feb 8 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by sheriffbot@chromium.org, Apr 28 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
