Issue metadata
Crash in /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5431736524341248

Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x35db2f626fe8
Crash State:
  /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse
  MemCopy
  CopyWords<v8::internal::Object

Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=51296:51297

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5431736524341248

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Feb 15 2018
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/af677f29b1b7c0286b423c4e745303ed51de88e9 ([ic] EmitElementStore: don't miss when hitting new space limit.). If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Feb 15 2018
CL was reverted.
Feb 15 2018
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/a50bc8ac8dc018f253a702bf742b9861111c0b3d

commit a50bc8ac8dc018f253a702bf742b9861111c0b3d
Author: Georg Neis <neis@chromium.org>
Date: Thu Feb 15 12:27:18 2018

Reland "[ic] EmitElementStore: don't miss when hitting new space limit."

This is a reland of af677f29b1b7c0286b423c4e745303ed51de88e9, fixing an issue with negative indices.

Original change's description:
> [ic] EmitElementStore: don't miss when hitting new space limit.
>
> CSA::EmitElementStore used to bail out (IC miss) via
> CSA::CheckForCapacityGrow when the capacity hits the new space
> limit, causing the store IC to go megamorphic in my example (see
> referenced bug). With this CL, we do what TF'ed code does already:
> call into Runtime::kGrowArrayElements (in this situation), thus
> staying monomorphic.
>
> Here's a contrived test case:
>
> ////////////////////////
> let x = [];
>
> function bar() {
>   for (let i = 0; i < 50000; ++i) x[i] = i;
> }
>
> function foo() {
>   for (let i = x.length; i < 100e6; ++i) x[i] = i;
> }
>
> bar();
> foo();
> ////////////////////////
>
> This took about 4s on my machine, now it takes 3s.
>
> Bug: v8:7447
> Change-Id: I7f268fc55835f363d250613ce0357444a663051c
> Reviewed-on: https://chromium-review.googlesource.com/918723
> Commit-Queue: Georg Neis <neis@chromium.org>
> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#51297}

Bug: v8:7447, chromium:812451
Change-Id: I345b5e5b2437c4f50e42bbd87947630f24cd95eb
Reviewed-on: https://chromium-review.googlesource.com/921201
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51311}

[modify] https://crrev.com/a50bc8ac8dc018f253a702bf742b9861111c0b3d/src/code-stub-assembler.cc
[modify] https://crrev.com/a50bc8ac8dc018f253a702bf742b9861111c0b3d/src/runtime/runtime-array.cc
[add] https://crrev.com/a50bc8ac8dc018f253a702bf742b9861111c0b3d/test/mjsunit/regress/regress-812451.js
Feb 15 2018
Feb 15 2018
Feb 16 2018
ClusterFuzz testcase 6216512596344832 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Feb 16 2018
ClusterFuzz has detected this issue as fixed in range 51305:51306.

Detailed report: https://clusterfuzz.com/testcase?key=5431736524341248

Fuzzer: mbarbella_js_mutation
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x35db2f626fe8
Crash State:
  /build/eglibc-ripdx6/eglibc-NUMBER/string/../sysdeps/x86_64/multiarch/memcpy-sse
  MemCopy
  CopyWords<v8::internal::Object

Sanitizer: undefined (UBSAN)

Recommended Security Severity: Medium

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=51296:51297
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=51305:51306

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5431736524341248

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 3 2018
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Jul 28
Comment 1 by ClusterFuzz, Feb 15 2018
Labels: Test-Predator-Auto-Components