Issue 805855 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Jan 2018
Cc:
Components:
OS: Linux
Pri: 1
Type: Bug




V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Jan 25 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5730633264136192

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 219
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50831:50832

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5730633264136192

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Jan 25 2018

Labels: Test-Predator-Auto-Owner
Owner: sigurds@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/90e50cc2ccd0bf858403d635cf0c264de2d60ea6 ([turbofan] Add effects to StringAt operators).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: sigurds@chromium.org
Issue 805890 has been merged into this issue.
Issue 805915 has been merged into this issue.
Issue 806041 has been merged into this issue.
Issue 806081 has been merged into this issue.
Issue 806086 has been merged into this issue.
Issue 806141 has been merged into this issue.
Issue 806150 has been merged into this issue.
Issue 806171 has been merged into this issue.
Issue 806180 has been merged into this issue.
Issue 806183 has been merged into this issue.
Status: Started (was: Assigned)
Thanks for merging, looking into it now!
Project Member

Comment 4 by bugdroid1@chromium.org, Jan 26 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/35bce874d4dc837c655f65afe4351ea46fcae487

commit 35bce874d4dc837c655f65afe4351ea46fcae487
Author: Sigurd Schneider <sigurds@chromium.org>
Date: Fri Jan 26 11:12:08 2018

[turbofan] Fix encoding issue in string iteration

This fixes %StringIteratorPrototype%.next to not mix up
UTF16 and UTF32, and consistently use UTF32 for now.

Bug: chromium:805855
Change-Id: If58e2fe0d9bebd894e12abf8af82881c74388294
Reviewed-on: https://chromium-review.googlesource.com/888741
Commit-Queue: Sigurd Schneider <sigurds@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50886}
[modify] https://crrev.com/35bce874d4dc837c655f65afe4351ea46fcae487/src/compiler/js-builtin-reducer.cc
[add] https://crrev.com/35bce874d4dc837c655f65afe4351ea46fcae487/test/mjsunit/regress/string-next-encoding.js
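
The commit above describes the bug as TurboFan's inlined %StringIteratorPrototype%.next mixing UTF-16 code units with UTF-32 code points, which foozzie caught as a result mismatch between the x64,ignition and x64,ignition_turbo configurations. The following JavaScript is an added example, not code from the bug, the commit, or the regression test (whose contents are not shown on this page): it models the spec behaviour the fix restores (CodePointAt combining a surrogate pair into one code point, returning any other unit as-is), shows the wrong model that treats each code unit as a code point, and runs the engine's own for..of iterator against the reference as a differential oracle. The sample strings are constructed. The warm-up loop is only a best-effort attempt to get the iterator into optimized code without V8 natives syntax; foozzie instead compares separate engine configurations.

```javascript
// Reference model of %StringIteratorPrototype%.next as the spec defines it
// (CodePointAt): a high surrogate immediately followed by a low surrogate
// combines into one astral code point; everything else, including a lone
// surrogate, is yielded as a single code unit. Added example, not V8 code.
function referenceCodePoints(str) {
  const out = [];
  for (let i = 0; i < str.length; ) {
    const hi = str.charCodeAt(i);
    if (hi >= 0xd800 && hi <= 0xdbff && i + 1 < str.length) {
      const lo = str.charCodeAt(i + 1);
      if (lo >= 0xdc00 && lo <= 0xdfff) {
        out.push(0x10000 + ((hi - 0xd800) << 10) + (lo - 0xdc00));
        i += 2;
        continue;
      }
    }
    out.push(hi);
    i += 1;
  }
  return out;
}

// Deliberately wrong model of the bug class: every UTF-16 code unit is
// reported as if it were a code point, so an astral character splits in two.
function codeUnitsAsCodePoints(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) out.push(str.charCodeAt(i));
  return out;
}

// What the engine actually yields: for..of over a string drives
// %StringIteratorPrototype%.next, the builtin the commit fixes.
function engineCodePoints(str) {
  const out = [];
  for (const ch of str) out.push(ch.codePointAt(0));
  return out;
}

// Differential check in the style of a correctness fuzzer: same input,
// two implementations, report the first index where they disagree.
function checkString(str) {
  const expected = referenceCodePoints(str);
  const actual = engineCodePoints(str);
  let mismatchAt = -1;
  const n = Math.max(expected.length, actual.length);
  for (let i = 0; i < n; i++) {
    if (expected[i] !== actual[i]) { mismatchAt = i; break; }
  }
  return { ok: mismatchAt === -1, mismatchAt, expected, actual };
}

// Constructed inputs covering the encoding edge cases: BMP only, a proper
// surrogate pair, a lone high surrogate at the end, a lone high surrogate
// followed by a BMP character, a lone low surrogate, and the empty string.
const SAMPLES = [
  "abc",
  "a\u{1F600}b",
  "\uD83D",
  "\uD83Dx",
  "\uDE00",
  "",
];

// Run each sample many times so a JIT has a chance to optimize the iterator,
// then return the results of the final, hopefully optimized, pass.
function runDifferential(samples = SAMPLES, iterations = 2000) {
  let results = [];
  for (let round = 0; round < iterations; round++) {
    results = samples.map(checkString);
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [i, r] of runDifferential().entries()) {
    console.log(JSON.stringify(SAMPLES[i]), r.ok ? "ok" : `mismatch at ${r.mismatchAt}`);
  }
}
```

The oracle deliberately decodes surrogates by hand rather than calling codePointAt on the whole string, so that a bug in the engine's code point handling cannot mask itself on both sides of the comparison.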

Issue 806223 has been merged into this issue.
Issue 806224 has been merged into this issue.
Issue 806256 has been merged into this issue.
Project Member

Comment 8 by ClusterFuzz, Jan 27 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Started)
ClusterFuzz testcase 5183955868057600 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 9 by ClusterFuzz, Jan 27 2018

ClusterFuzz has detected this issue as fixed in range 50885:50886.

Detailed report: https://clusterfuzz.com/testcase?key=5730633264136192

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 219
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50831:50832
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50885:50886

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5730633264136192

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
