V8 correctness failure in configs: x64,ignition:ia32,ignition
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5025093332500480

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: faa

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51870:51871

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5025093332500480

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Mar 13 2018
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/631629ad54e2444d7a880616ad9b513a01c45d88

commit 631629ad54e2444d7a880616ad9b513a01c45d88
Author: Benedikt Meurer <bmeurer@chromium.org>
Date: Tue Mar 13 07:23:57 2018

[es2015] Properly deal with fast-path results from IterableToList.

The IterableToList helper builtin can return the input JSArray unchanged if the fast-path detection decides that it doesn't need to iterate the elements, which means we can also get a JSArray with an elements kind that is not PACKED_ELEMENTS as a result of IterableToList.

Bug: chromium:821159, v8:7310
Change-Id: I93a886e6b7f1e1a58dd05affa46fea7501cc5a81
Reviewed-on: https://chromium-review.googlesource.com/959323
Reviewed-by: Yang Guo <yangguo@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51893}

[modify] https://crrev.com/631629ad54e2444d7a880616ad9b513a01c45d88/src/builtins/builtins-call-gen.cc
[add] https://crrev.com/631629ad54e2444d7a880616ad9b513a01c45d88/test/mjsunit/regress/regress-crbug-821159-1.js
[add] https://crrev.com/631629ad54e2444d7a880616ad9b513a01c45d88/test/mjsunit/regress/regress-crbug-821159-2.js
[add] https://crrev.com/631629ad54e2444d7a880616ad9b513a01c45d88/test/mjsunit/regress/regress-crbug-821159-3.js
[add] https://crrev.com/631629ad54e2444d7a880616ad9b513a01c45d88/test/mjsunit/regress/regress-crbug-821159-4.js
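The commit message above describes IterableToList handing back the input JSArray unchanged, so the caller may see an array whose elements kind is not PACKED_ELEMENTS. The script below is an added example, not code from the V8 issue, the commit, or its regress-crbug-821159-*.js tests. It exercises the operation that goes through IterableToList (spreading an array into a call) with arrays of several elements kinds, plus one whose default iterator has been replaced so the fast path must not be taken, and compares each result against the spec-mandated iteration result. The elements-kind names in the comments are assumptions about what V8 assigns to each literal; from JavaScript only the delivered values are observable.

```javascript
'use strict';

// Callee that hands back exactly the arguments it received.
function collect(...args) {
  return args;
}

// Forward an array through a spread call; in V8 this is the path that
// uses IterableToList and the CallWithSpread builtin.
function spreadCall(arr) {
  return collect(...arr);
}

// Constructed inputs. Each comment names the V8 elements kind the literal
// is assumed to start with (engine-internal detail, not observable here).
const INPUTS = {
  packedSmi: [1, 2, 3],                 // PACKED_SMI_ELEMENTS
  packedDouble: [1.5, 2.5, 3.5],        // PACKED_DOUBLE_ELEMENTS
  holeySmi: [1, , 3],                   // HOLEY_SMI_ELEMENTS (hole at index 1)
  holeyDouble: [0.5, , 2.5],            // HOLEY_DOUBLE_ELEMENTS
  packedObjects: ['a', {}, null],       // PACKED_ELEMENTS
  allHoles: new Array(4),               // HOLEY_SMI_ELEMENTS, length 4, no values
  empty: [],
};

// Element-wise comparison using Object.is so NaN compares equal to NaN and
// a hole (read as undefined) compares equal to an explicit undefined.
function sameValues(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (!Object.is(a[i], b[i])) return false;
  }
  return true;
}

// Oracle: spreading an array must yield what iterating it with the default
// array iterator yields, i.e. `length` values with holes read as undefined.
// Array.from performs that same iteration, so it serves as the reference.
function checkSpread(arr) {
  return sameValues(spreadCall(arr), Array.from(arr));
}

// Run every constructed input. Returns the names of inputs whose spread
// result disagrees with the oracle; an empty list means all agree.
function findMismatches() {
  return Object.keys(INPUTS).filter((name) => !checkSpread(INPUTS[name]));
}

// An array with its own Symbol.iterator must actually be iterated: returning
// the JSArray unchanged is only valid while it uses the built-in iterator.
function spreadWithCustomIterator() {
  const arr = [1, 2, 3];
  arr[Symbol.iterator] = function* () {
    yield 10;
    yield 20;
  };
  return spreadCall(arr); // [10, 20], not [1, 2, 3]
}

// Usage: an empty mismatch list means spread agreed with the iteration
// oracle for every constructed input on the engine running this script.
console.log('mismatches:', findMismatches());
console.log('custom iterator:', spreadWithCustomIterator());
```

Differential fuzzers such as foozzie compare the printed output of two V8 configurations; running this script under both and diffing the two logs is the same check the bug report describes, with the oracle built in so a single run is also self-checking.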
Mar 13 2018
ClusterFuzz has detected this issue as fixed in range 51892:51893.

Detailed report: https://clusterfuzz.com/testcase?key=5025093332500480

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address:
Crash State:
  configs: x64,ignition:ia32,ignition
  sources: faa

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51870:51871
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=51892:51893

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5025093332500480

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Mar 13 2018
ClusterFuzz testcase 5025093332500480 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Mar 12 2018
Owner: bmeu...@chromium.org
Status: Assigned (was: Untriaged)