Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically adding ccs based on suspected regression changelists:

[builtins] Re-enable Set and WeakSet constructor fast path. by peter.wm.wong@gmail.com - https://chromium.googlesource.com/v8/v8/+/9c5053bf4d2f2ebc4973f51ff46a0b93b95d154d

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label.

-> hpayer@ to triage and reassign

Peter, PTAL. Repro:

(function () {
    switch (typeof value) {
    }
  assertEquals = function assertEquals() {
  };
})();
var helpers = function helpers() {
  return {
    getDummyObject: function getDummyObject() {
    }
  };
}();
var assert = function assert() {
  return {
    areEqual: function areEqual() {
    },
    doesNotThrow: function doesNotThrow(testFunction) {
        testFunction()
    }
  };
}();
let __v_12507 = assertEquals.bind();
function __f_3330() {
    __v_12543 = new Set([])
}
  Object.defineProperty(Set.prototype, "add", {
    get: function () {
      return (
        __v_12507
      );
    }
  });
  assert.doesNotThrow(__f_3330);

Peter, fyi I ended up doing a quick fix myself. In-flight at https://crrev.com/c/883121

No backmerges necessary, this only affects cast type-checks.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c0a6e85153f148f051b6e3d90de8a3f1bf59fc69

commit c0a6e85153f148f051b6e3d90de8a3f1bf59fc69
Author: jgruber <jgruber@chromium.org>
Date: Wed Jan 24 09:49:14 2018

[builtins] Allow bound function / proxy `add` in collection ctors

Bug:  chromium:804801 
Change-Id: I2d54e98df09b0ed5ccfcddd0815ad162641e03d6
Reviewed-on: https://chromium-review.googlesource.com/883121
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Peter Marshall <petermarshall@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50827}
[modify] https://crrev.com/c0a6e85153f148f051b6e3d90de8a3f1bf59fc69/src/builtins/builtins-collections-gen.cc
[add] https://crrev.com/c0a6e85153f148f051b6e3d90de8a3f1bf59fc69/test/mjsunit/regress/regress-804801.js

ClusterFuzz has detected this issue as fixed in range 50826:50827.

Detailed report: https://clusterfuzz.com/testcase?key=6214676143931392

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Type cast failed in CAST(add_func) at ../../src/builtins/builtins-collections-ge
  v8::internal::CheckObjectType
  Call
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50690:50691
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50826:50827

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6214676143931392

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6214676143931392 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot