Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/81a3742a889db5db034b8345683cef49e95095ee ([typedarray] Port TypedArray.from to CSA.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ec5c342798c6e88506614db5401f2a1eec771c93

commit ec5c342798c6e88506614db5401f2a1eec771c93
Author: Peter Marshall <petermarshall@chromium.org>
Date: Mon Feb 26 13:42:23 2018

[typedarray] Fix failing DCHECK for TA.from with a length getter.

I loosened the DCHECKs here but I think they are still fundamentally
safe: `length` must be <= the actual length of the source (so that
there are actually enough elements to copy), and `length` must also be
<= the destination length, minus the offset (so there is enough space
to copy the elements into).

Bug:  chromium:816317 
Change-Id: Ice00ac60f4884363f6065ffee71f6ab1d1b32dbc
Reviewed-on: https://chromium-review.googlesource.com/937209
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51566}
[modify] https://crrev.com/ec5c342798c6e88506614db5401f2a1eec771c93/src/elements.cc
[add] https://crrev.com/ec5c342798c6e88506614db5401f2a1eec771c93/test/mjsunit/regress/regress-816317.js

ClusterFuzz has detected this issue as fixed in range 51565:51566.

Detailed report: https://clusterfuzz.com/testcase?key=6464453944803328

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  source->length_value() <= destination->length_value() - offset in elements.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51376:51377
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51565:51566

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6464453944803328

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6464453944803328 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot