Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b158bfdc2f9b66de130b06e48f9e0cc25206c760 (Reland "[runtime] Remove the construct_stub field of the SFI").

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

// Simple repro:
class Base {
  constructor( x){
      return x;
  }
}
class Derived extends Base {
  constructor(use, x) {
    super(use, x);
  }
};
new Derived(true, 5)

// Ouput:
# Compared x64,ignition with x64,ignition_turbo_opt
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --random-seed -1655104323 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,ignition_turbo_opt:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --wasm-num-compilation-tasks=0 --random-seed -1655104323 --always-opt --suppress-asm-messages
#
# Difference:
- repro.js:8: TypeError: Class constructors may only return object or undefined
#
### Start of configuration x64,ignition:
repro.js:8: TypeError: Class constructors may only return object or undefined
    super(use, x);
    ^



### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo_opt:

### End of configuration x64,ignition_turbo_opt

The bug is in src/compiler/js-typed-lowering.cc, we directly use JSConstructStubGenericUnrestrictedReturn instead of calling builtins()->JSConstructStubGeneric() which will switch on the necessary flag to get the right builtin. Fix on the way

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9160b83211c9f81146b9679ecabef8f76c349dbd

commit 9160b83211c9f81146b9679ecabef8f76c349dbd
Author: Peter Marshall <petermarshall@chromium.org>
Date: Mon Apr 09 09:29:07 2018

[runtime] Use the correct generic construct stub based on harmony flags

We hardcoded this accidentally in the original CL for the turbofan case,
instead we need to call JSConstructStubGeneric() which will return the
correct construct stub based on the harmony_restrict_constructor_return
flag.

Bug:  chromium:829899 
Change-Id: I6776a5daebd57d8881d926ad68595141312a877d
Reviewed-on: https://chromium-review.googlesource.com/1001893
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Peter Marshall <petermarshall@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52470}
[modify] https://crrev.com/9160b83211c9f81146b9679ecabef8f76c349dbd/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/9160b83211c9f81146b9679ecabef8f76c349dbd/test/mjsunit/regress/regress-829889.js

ClusterFuzz has detected this issue as fixed in range 52469:52470.

Detailed report: https://clusterfuzz.com/testcase?key=6709795252600832

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 53c
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52388:52389
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52469:52470

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6709795252600832

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6709795252600832 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.