Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/06ee127b75726f9ee541aab10f6aecfe4d96675a ([es2015] Refactor the JSArrayIterator.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6196dd051f5c2f338d012a2319950e763d5e39e7

commit 6196dd051f5c2f338d012a2319950e763d5e39e7
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Tue Mar 06 09:09:11 2018

[turbofan] Only store after all checks are done.

The optimized code for %ArrayIteratorPrototype%.next for holey arrays
was wrong, since it would first store the [[NextIndex]] and then check
whether it hit a hole. However in that case TurboFan doesn't have any
point to deoptimize to, so we need to perform the side-effecting stores
only after all checks are done.

Bug:  v8:7510 ,  v8:7514 ,  chromium:819086 
Change-Id: I0214c7124833286113e4dc7403ddc20a82fa8da3
Reviewed-on: https://chromium-review.googlesource.com/950723
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51753}
[modify] https://crrev.com/6196dd051f5c2f338d012a2319950e763d5e39e7/src/compiler/js-call-reducer.cc
[add] https://crrev.com/6196dd051f5c2f338d012a2319950e763d5e39e7/test/mjsunit/regress/regress-crbug-819086.js

ClusterFuzz has detected this issue as fixed in range 51752:51753.

Detailed report: https://clusterfuzz.com/testcase?key=5863722472701952

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Node::New() Error: #392:DeoptimizeIf[1] is nullptr in node.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51724:51725
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=51752:51753

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5863722472701952

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5863722472701952 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot