V8 correctness failure in configs: x64,ignition:x64,slow_path
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5110442736484352
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: c58
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50728:50729
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5110442736484352
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for more information.
,
Jan 22 2018
I don't have a chromium email, could someone post the reproduction case? I can start looking at this today.
,
Jan 22 2018
Repro:
__PrettyPrint = function __PrettyPrint() {
  switch (typeof value) {
    case "string":
      ;
  }
};
(function __f_0() {
  Object.defineProperty(Array.prototype, Symbol.iterator, {
    value: function* () {
    },
  });
})();
try {
} catch(e) {; }
print("v8-foozzie source: /v8/test/mjsunit/es6/collections-constructor-iterator-side-effect.js");
function __f_5() {
}
function __f_6(ctor) {
  const entries = [[], []];
  const arrayIteratorProto = Object.getPrototypeOf(entries[Symbol.iterator]());
  arrayIteratorProto.next = function() {
  };
  const set = new ctor(entries);
}
__f_6(WeakMap);
let checks = {
  arr:[{}]
  ,
  multipleSmiReceiversPackedUnpacked:
    { mkTrainingArguments : () => { let b = [1]; b[100] = 3; return [{arr:[1]}, {}] } },
  multipleDoubleReceiversPackedUnpacked:
    { mkTrainingArguments : () => { let b = [0.1]; b.x=0.3; return [{arr:[1], el:0.3}, {arr:[{}]}, {}] } },
  multipleMixedReceiversPackedUnpacked:
    { mkTrainingArguments : () => { let b = [0.1]; b[100] = 0.3; return [{arr:[1]}, {arr:[{}]}, {}] } }};
,
Jan 22 2018
Output:
# Flags of x64,ignition: --abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -361604592 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,slow_path: --abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -361604592 --force-slow-path --suppress-asm-messages
#
# Difference:
- /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-08036.js:26: TypeError: Invalid value used as weak map key
+ /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-08036.js:26: TypeError: Iterator result undefined is not an object
#
# Source file: /v8/test/mjsunit/es6/collections-constructor-iterator-side-effect.js
#
### Start of configuration x64,ignition:
v8-foozzie source: /v8/test/mjsunit/es6/collections-constructor-iterator-side-effect.js
/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-08036.js:26: TypeError: Invalid value used as weak map key
const set = new ctor(entries);
            ^
### End of configuration x64,ignition
#
### Start of configuration x64,slow_path:
v8-foozzie source: /v8/test/mjsunit/es6/collections-constructor-iterator-side-effect.js
/mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzz-08036.js:26: TypeError: Iterator result undefined is not an object
const set = new ctor(entries);
            ^
### End of configuration x64,slow_path
,
Jan 22 2018
Guess this is a dupe of issue 804176?
,
Jan 22 2018
,
Jan 22 2018
Certainly looks like it. Peter, please feel free to close / merge as appropriate.
,
Jan 22 2018
Oops, marked as duplicate by accident.
,
Jan 25 2018
,
Jan 25 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/55efb6cc5dd0ae28b9cc41da31fe86069487c113

commit 55efb6cc5dd0ae28b9cc41da31fe86069487c113
Author: peterwmwong <peter.wm.wong@gmail.com>
Date: Thu Jan 25 11:11:29 2018

[builtins] Fix Collection constructor when entries have custom iteration.

- Introduce new helper IsFastJSArrayWithNoCustomIteration.
  - Consolidates all entry array checks...
  - Is a fast array (defers to BranchIfFastJSArray)
  - No possibility that the Array's iteration protocol has been tampered with
- Introduce new BoolT constant helpers Int32TrueConstant and Int32FalseConstant.

Bug: chromium:804176, chromium:804188
Change-Id: I6b08396484682dc680b431ea564a7a28eeab8108
Reviewed-on: https://chromium-review.googlesource.com/883065
Commit-Queue: Peter Wong <peter.wm.wong@gmail.com>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50867}

[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/bootstrapper.cc
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/builtins/builtins-collections-gen.cc
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/code-stub-assembler.cc
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/code-stub-assembler.h
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/compiler/code-assembler.h
[modify] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/src/contexts.h
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/es6/collections-constructor-custom-iterator.js
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/es6/collections-constructor-with-modified-array-prototype.js
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/regress/regress-804176.js
[add] https://crrev.com/55efb6cc5dd0ae28b9cc41da31fe86069487c113/test/mjsunit/regress/regress-804188.js
,
Jan 26 2018
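The correctness failure above comes down to one spec requirement: `new Map(iterable)`, `new Set(iterable)` and their weak variants must drive the argument through its iteration protocol, so a tampered `Array.prototype[Symbol.iterator]` or a tampered `%ArrayIteratorPrototype%.next` has to be observable even when the argument is a plain fast array. The fast path that the commit fixes skipped that protocol, which is why the two configurations threw different errors at the same line. The following added example is not code from this thread, from V8, or from the commit's regression tests; it is a small conformance check in the style of those tests, written for any modern engine (for example Node), with helper names (`withPatched`, `setHonorsCustomArrayIterator`, `collectionObservesPatchedNext`) that are my own.

```javascript
// Added example (not V8's code): conformance checks for the behaviour the fix
// restores. Both checks temporarily tamper with the Array iteration protocol,
// exactly as the fuzzer repro does, and restore it afterwards.

// %ArrayIteratorPrototype%, reached the same way the repro reaches it.
const ArrayIteratorProto = Object.getPrototypeOf([][Symbol.iterator]());

// Run fn while a property on obj is temporarily replaced, then restore
// the original property descriptor unconditionally.
function withPatched(obj, key, value, fn) {
  const saved = Object.getOwnPropertyDescriptor(obj, key);
  Object.defineProperty(obj, key, { value, writable: true, configurable: true });
  try {
    return fn();
  } finally {
    Object.defineProperty(obj, key, saved);
  }
}

// Check 1: a custom Array.prototype[Symbol.iterator] that doubles each
// element must be what the Set constructor consumes, so new Set([1, 2, 3])
// has to contain 2, 4, 6 rather than the raw array elements.
function setHonorsCustomArrayIterator() {
  const doubling = function* () {
    for (let i = 0; i < this.length; i++) yield this[i] * 2;
  };
  return withPatched(Array.prototype, Symbol.iterator, doubling, () => {
    const s = new Set([1, 2, 3]);
    // Array.from uses the Set's own iterator, which is not patched.
    return Array.from(s);
  });
}

// Check 2: mirrors the repro. With %ArrayIteratorPrototype%.next replaced by
// a function returning undefined, constructing any collection from an array
// must call next() and fail with a TypeError ("iterator result is not an
// object"). A fast path that reads the array directly would never call
// next() and would instead fail (or succeed) for an unrelated reason, such as
// "Invalid value used as weak map key" for WeakMap.
function collectionObservesPatchedNext(ctor) {
  let nextCalls = 0;
  const brokenNext = function () { nextCalls++; return undefined; };
  return withPatched(ArrayIteratorProto, 'next', brokenNext, () => {
    let outcome = 'no-error';
    try {
      new ctor([[], []]);           // same entries shape as the repro
    } catch (e) {
      outcome = e instanceof TypeError ? 'TypeError' : 'other';
    }
    return { nextCalls, outcome };
  });
}

// Stand-alone run: print what each check observed.
console.log('Set via doubling iterator:', setHonorsCustomArrayIterator());
for (const ctor of [Map, Set, WeakMap, WeakSet]) {
  console.log(ctor.name, collectionObservesPatchedNext(ctor));
}
```

A conforming engine reports `[2, 4, 6]` for the first check and `nextCalls: 1, outcome: 'TypeError'` for all four constructors in the second; an engine with the pre-fix fast path would report `nextCalls: 0`, because the patched `next` was never consulted, which is precisely the divergence foozzie flagged between the `ignition` and `slow_path` configurations.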
ClusterFuzz has detected this issue as fixed in range 50866:50867.
Detailed report: https://clusterfuzz.com/testcase?key=5110442736484352
Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux
Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: c58
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50728:50729
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50866:50867
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5110442736484352
See https://github.com/google/clusterfuzz-tools for more information.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Feb 6 2018
I believe we can close this out. Not sure if there's some automation that normally closes out these issues...
,
Feb 6 2018
Comment 1 by ClusterFuzz, Jan 22 2018
Labels: Test-Predator-Auto-CC