
Issue 819298


Issue metadata

Status: Verified
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


V8 correctness failure in configs: x64,ignition:x64,ignition_turbo

Project Member Reported by ClusterFuzz, Mar 6 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=4994385994055680

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: da1
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51221:51222

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4994385994055680

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Project Member

Comment 1 by ClusterFuzz, Mar 6 2018

Labels: Test-Predator-Auto-Owner
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/317fad950e8743656f78175253646365d2512096 ([ic] Support negative indices for typed array OOB accesses.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
FYI: The minimization seems to not have worked. This times out for me with the minimized version, but repros correctly with the original.
Ran minimizer manually and tweaked it a bit. Repro:

var v1 = "";
v2 = new Int32Array(2);

function foo(base) {
  // With base = "" the index is -91; with base = v2 it is NaN ("0,0" - 91).
  // Both are out of bounds for a typed array, so no element may be written.
  v2[base - 91] = 1;
}

foo(v1);                           // warms up the store IC with a Number index
%OptimizeFunctionOnNextCall(foo);  // d8 natives syntax; needs --allow-natives-syntax
foo(v2);                           // optimized path must still leave v2 untouched
print(v2);                         // expected "0,0"; the miscompile printed "1,0"


// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 704438003 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,ignition_turbo:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 704438003 --suppress-asm-messages --stress-compaction-random
#
# Difference:
- 0,0
+ 1,0
#
# Source file:
none
#
### Start of configuration x64,ignition:
0,0

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
1,0

### End of configuration x64,ignition_turbo

Cc: bmeu...@chromium.org
Issue 819741 has been merged into this issue.
Project Member

Comment 5 by bugdroid1@chromium.org, Mar 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e583fc836b877fc8829dbfc45d96ab7c4171da05

commit e583fc836b877fc8829dbfc45d96ab7c4171da05
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Thu Mar 08 12:38:29 2018

[turbofan] Fix invalid SpeculativeToNumber optimization.

When optimizing SpeculativeToNumber we need to pay attention to the
hint, otherwise we optimize away a Signed32 conversion, based on the
fact that the input is a Number.

Bug: chromium:819298
Change-Id: I2ac7b0dac708fee9083eca2880bd5674a82daaa3
Reviewed-on: https://chromium-review.googlesource.com/955423
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51805}
[modify] https://crrev.com/e583fc836b877fc8829dbfc45d96ab7c4171da05/src/compiler/typed-optimization.cc
[add] https://crrev.com/e583fc836b877fc8829dbfc45d96ab7c4171da05/test/mjsunit/regress/regress-crbug-819298.js

Status: Fixed (was: Assigned)
Issue 820123 has been merged into this issue.
Project Member

Comment 8 by ClusterFuzz, Mar 9 2018

ClusterFuzz has detected this issue as fixed in range 51804:51805.

Detailed report: https://clusterfuzz.com/testcase?key=4994385994055680

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: da1
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51221:51222
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51804:51805

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4994385994055680

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 9 by ClusterFuzz, Mar 9 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 5605553800478720 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Project Member

Comment 10 by bugdroid1@chromium.org, Mar 13 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/1a77a9f418f43ee6ee0a7b84dd6f2b6c4acc07ac

commit 1a77a9f418f43ee6ee0a7b84dd6f2b6c4acc07ac
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Tue Mar 13 17:56:50 2018

[turbofan] Teach the LoopVariableOptimizer about ToNumber.

Bug: chromium:819298, chromium:820729
Change-Id: I3a1bccfe889ca409085396e2e1c4ae991093d0ea
Reviewed-on: https://chromium-review.googlesource.com/960321
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51910}
[modify] https://crrev.com/1a77a9f418f43ee6ee0a7b84dd6f2b6c4acc07ac/src/compiler/loop-variable-optimizer.cc

Project Member

Comment 11 by bugdroid1@chromium.org, Mar 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/c54d93d6d0a18b1d4334ec3b4d641eaa29392d43

commit c54d93d6d0a18b1d4334ec3b4d641eaa29392d43
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Wed Mar 14 13:13:13 2018

[turbofan] Fix inconsistent treatment of SpeculativeToNumber.

This is a partial revert of e583fc836b877fc8829dbfc45d96ab7c4171da05.
The reasoning here is that the treatment of SpeculativeToNumber[hint]
was not consistent (which led to the original bug that caused the
performance regression): The semantics of the operator is that it turns
its input into a number, and might bail out if the input is too complex
to accomplish that within optimized code. It can use the hint to handle
even fewer cases without the risk of a deoptimization loop. However, it
cannot rely on the hint influencing the output, especially not before
SimplifiedLowering ran. The code for the OOB element access, however,
relied on the hint being enforced, which caused the original bug.

This CL repairs that and instead uses CheckSmi for the OOB element
access guard.

Also-By: tebbi@chromium.org
Bug: chromium:819298, chromium:820729
Change-Id: I9b2170ccf9b5561d698c0108e93e538cac1e708c
Reviewed-on: https://chromium-review.googlesource.com/961066
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51924}
[modify] https://crrev.com/c54d93d6d0a18b1d4334ec3b4d641eaa29392d43/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/c54d93d6d0a18b1d4334ec3b4d641eaa29392d43/src/compiler/typed-optimization.cc
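A worked model of the divergence the commit message above describes and the repro earlier in this thread shows, as an added example (not code from V8 or from anyone in this thread): `specWrite` implements the ECMAScript rule for typed-array stores, `truncatingWrite` is a hypothetical stand-in for optimized code that treated the SpeculativeToNumber output as already Signed32, and `nativeWrite` uses the host engine as the oracle. It assumes any engine with ES2015 typed arrays.

```javascript
// Added example, not from the V8 repository or this bug thread: models the two
// index-handling paths whose results differed ("0,0" vs "1,0") in the report.

// Spec path: a typed-array store only lands for an integral index in
// [0, length). Negative, NaN and out-of-range keys are silently dropped.
function specWrite(ta, index, value) {
  if (Number.isInteger(index) && index >= 0 && index < ta.length) {
    ta[index] = value;
    return true;
  }
  return false;
}

// Miscompiled path (hypothetical model): a ToInt32-style truncation runs
// before the bounds check, so NaN collapses to 0 and becomes a valid index.
function truncatingWrite(ta, index, value) {
  const i = index | 0;   // (NaN | 0) === 0
  if (i >= 0 && i < ta.length) {
    ta[i] = value;
    return true;
  }
  return false;
}

// Oracle: whatever the engine running this file does for a plain store.
function nativeWrite(ta, index, value) {
  ta[index] = value;
  return ta[index] === value;
}

// Replays the repro against a fresh Int32Array(2) using the given store path
// and returns the array contents formatted like d8's print(v2).
function runRepro(write) {
  const v2 = new Int32Array(2);
  const foo = (base) => write(v2, base - 91, 1);
  foo("");   // "" - 91 === -91: negative index, dropped on every path
  foo(v2);   // ToPrimitive(v2) is "0,0", so v2 - 91 is NaN
  return Array.from(v2).join(",");
}
```

Only the truncating model yields "1,0"; both the spec model and the engine itself yield "0,0", which is why the ignition configuration is the reference side of the differential run.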
