Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/9367f80f17237a031c1677e9d358cb1df4e6c01c ([builtins] Implement fast path of Object.assign using CSA.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Issue 852269 has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/412ec7539d8d8c509a041224cf0c3821f777517e

commit 412ec7539d8d8c509a041224cf0c3821f777517e
Author: Igor Sheludko <ishell@chromium.org>
Date: Mon Jun 18 14:37:38 2018

[builtins] Relax type check in a slow path of Object.assign.

Bug:  chromium:851393 
Change-Id: I53cbf16068efbf24a2bd233c0b4c56e8361f9931
Reviewed-on: https://chromium-review.googlesource.com/1104317
Reviewed-by: Toon Verwaest <verwaest@chromium.org>
Commit-Queue: Igor Sheludko <ishell@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53798}
[modify] https://crrev.com/412ec7539d8d8c509a041224cf0c3821f777517e/src/runtime/runtime-object.cc
[add] https://crrev.com/412ec7539d8d8c509a041224cf0c3821f777517e/test/mjsunit/regress/regress-crbug-851393.js

Please verify this in Canary first. 

ClusterFuzz has detected this issue as fixed in range 53797:53798.

Detailed report: https://clusterfuzz.com/testcase?key=6301517804732416

Fuzzer: decoder_langfuzz
Job Type: linux_msan_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x56353c08fe33
Crash State:
  v8::internal::Runtime_SetDataProperties
  v8::internal::Simulator::DoRuntimeCall
  v8::internal::Simulator::Run
  
Sanitizer: memory (MSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=52609:52610
Fixed: https://clusterfuzz.com/revisions?job=linux_msan_d8&range=53797:53798

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6301517804732416

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 6301517804732416 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug requires manual review: M68 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), kariahda@(iOS), bhthompson@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Approved

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/60e4cafc41168dd7eca23e09219fae0ef5cbf4c9

commit 60e4cafc41168dd7eca23e09219fae0ef5cbf4c9
Author: ishell@chromium.org <ishell@chromium.org>
Date: Tue Jun 26 11:19:37 2018

Merged: [builtins] Relax type check in a slow path of Object.assign.

Revision: 412ec7539d8d8c509a041224cf0c3821f777517e

BUG= chromium:851393 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=verwaest@chromium.org

Change-Id: I136b2ff943824c8d9bfd921e0ccf9ecf5d96efbd
Reviewed-on: https://chromium-review.googlesource.com/1114607
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Cr-Commit-Position: refs/branch-heads/6.8@{#31}
Cr-Branched-From: 44d7d7d6b1041b57644400a00cb3fee35f6c51b2-refs/heads/6.8.275@{#1}
Cr-Branched-From: 5754f66f75136dc17b4c63fec84f31dfdb89186e-refs/heads/master@{#53286}
[modify] https://crrev.com/60e4cafc41168dd7eca23e09219fae0ef5cbf4c9/src/runtime/runtime-object.cc
[add] https://crrev.com/60e4cafc41168dd7eca23e09219fae0ef5cbf4c9/test/mjsunit/regress/regress-crbug-851393.js