
Issue 865312


Issue metadata

Status: Verified
Owner:
Closed: Jul 19
Cc:
Components:
EstimatedDays: ----
NextAction: 2018-07-25
OS: Linux
Pri: 1
Type: Bug-Security




DCHECK failure in end <= array->length_value() in elements.cc

Project Member Reported by ClusterFuzz, Jul 19

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6021191413006336

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  end <= array->length_value() in elements.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54521:54522

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6021191413006336

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Comment 1 by ClusterFuzz (Project Member), Jul 19

Labels: Test-Predator-Auto-Owner
Owner: szuend@google.com
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/eeb583d8b89f954efd94ab884b4207187e5b9cc7 ([array] Move Array.p.fill to C++).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: jgruber@chromium.org
NextAction: 2018-07-25
Check if this fix needs to be back-merged into 6.9.
Comment 4 by bugdroid1@chromium.org (Project Member), Jul 19

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b87e7623248fda8dd06c4d6350bd00a57f04b7fe

commit b87e7623248fda8dd06c4d6350bd00a57f04b7fe
Author: Simon Zünd <szuend@google.com>
Date: Thu Jul 19 12:15:42 2018

[array] Only use fast-path in Array.p.fill for JSArrays

This CL changes Array.p.fill to use the baseline implementation
for everything other than JSArray.

One of the reasons is that shadowing the length property on
TypedArrays (and other ElementsKinds) is allowed and should be
respected by Array.p.fill. The fast-path for fill for TypedArrays
expects the indices to be clamped to the actual length of the
underlying backing store and not to some length property.

While this mismatch (and others) could probably be handled properly,
we do the conservative thing and only use the fast-path for specific
JSArrays.

R=jgruber@chromium.org

Bug: chromium:865312
Change-Id: Ib3050e3bfc22d47ca8597b6df34788dc2b59b6e1
Reviewed-on: https://chromium-review.googlesource.com/1142772
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#54558}
[modify] https://crrev.com/b87e7623248fda8dd06c4d6350bd00a57f04b7fe/src/builtins/builtins-array.cc
[modify] https://crrev.com/b87e7623248fda8dd06c4d6350bd00a57f04b7fe/src/elements.cc
[add] https://crrev.com/b87e7623248fda8dd06c4d6350bd00a57f04b7fe/test/mjsunit/regress/regress-crbug-865312.js

Status: Fixed (was: Assigned)
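The mismatch the commit message describes can be seen from the JavaScript side. The block below is an added example, not code from the V8 CL or from its regression test; the function names (`lengthIsOwnProperty`, `fillTypedArrayWithShadowedLength`, `fillPlainArrayWithRedefinedLength`, `fillTailWithShadowedLength`) are chosen here for illustration. It shows the spec-level behaviour the CL commits to: `Array.prototype.fill` takes its bound from `Get(O, "length")`, so on a TypedArray a shadowed `length` must win over the size of the underlying backing store, while on a plain Array the two can never disagree.

```javascript
'use strict';
// Added example, not code from the V8 change or this bug's regression test.
// It demonstrates why a fill fast path that clamps to the backing-store size is
// only sound for JSArrays: on other receivers the `length` property is what the
// spec consults, and it can be shadowed.

// Is `length` an own property of obj, or is it inherited from the prototype chain?
// For a plain Array it is an own data property tied to the storage; for a TypedArray
// it is an accessor on %TypedArray%.prototype and can therefore be shadowed.
function lengthIsOwnProperty(obj) {
  return Object.prototype.hasOwnProperty.call(obj, 'length');
}

// Create a Uint8Array with `storeLen` elements, shadow its `length` with a smaller
// value, then fill it through Array.prototype.fill (the generic, non-JSArray path).
// Returns the backing store contents as a plain array so the result is easy to inspect.
function fillTypedArrayWithShadowedLength(storeLen, shadowLen, value) {
  const ta = new Uint8Array(storeLen);
  Object.defineProperty(ta, 'length', { value: shadowLen, configurable: true });
  // Only indices 0 .. ToLength(ta.length) - 1 may be written; the rest of the store
  // stays untouched even though it is physically present.
  Array.prototype.fill.call(ta, value);
  return Array.from(ta);
}

// Same experiment on a plain Array: defining `length` does not shadow anything, it
// rewrites the own property and truncates the storage, so "length property" and
// "backing store length" cannot disagree for a JSArray.
function fillPlainArrayWithRedefinedLength(storeLen, newLen, value) {
  const arr = new Array(storeLen).fill(0);
  Object.defineProperty(arr, 'length', { value: newLen });
  Array.prototype.fill.call(arr, value);
  return arr.slice();
}

// Relative start/end arguments are resolved against the (shadowed) length as well,
// not against the store size: fill(value, -1) targets the last element *according
// to ta.length*.
function fillTailWithShadowedLength(storeLen, shadowLen, value) {
  const ta = new Uint8Array(storeLen);
  Object.defineProperty(ta, 'length', { value: shadowLen, configurable: true });
  Array.prototype.fill.call(ta, value, -1);
  return Array.from(ta);
}

console.log(lengthIsOwnProperty([1, 2, 3]), lengthIsOwnProperty(new Uint8Array(3))); // true false
console.log(fillTypedArrayWithShadowedLength(4, 2, 9)); // [ 9, 9, 0, 0 ]
console.log(fillPlainArrayWithRedefinedLength(4, 2, 9)); // [ 9, 9 ]
console.log(fillTailWithShadowedLength(4, 2, 7));        // [ 0, 7, 0, 0 ]
```

Run it with `node` on any engine that implements the post-fix behaviour: the typed-array cases write only within the shadowed length while the store beyond it stays zero, whereas the plain-array case simply shrinks the array. A fast path that computed `end` from the shadowed property but then asserted `end <= array->length_value()` against the real store, as the DCHECK in elements.cc did, is exactly the kind of inconsistency that restricting the fast path to JSArrays removes.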
Comment 6 by sheriffbot@chromium.org (Project Member), Jul 19

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 7 by ClusterFuzz (Project Member), Jul 20

ClusterFuzz has detected this issue as fixed in range 54557:54558.

Detailed report: https://clusterfuzz.com/testcase?key=6021191413006336

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  end <= array->length_value() in elements.cc
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54521:54522
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=54557:54558

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6021191413006336

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 8 by ClusterFuzz (Project Member), Jul 20

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6021191413006336 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
The NextAction date has arrived: 2018-07-25
Back-merging the fix is not needed since the original CL is not in 69:
https://chromiumdash.appspot.com/commit/eeb583d8b89f954efd94ab884b4207187e5b9cc7
Comment 11 by sheriffbot@chromium.org (Project Member), Jul 28

Labels: Pri-1
Labels: Security_Impact-Head
Comment 13 by sheriffbot@chromium.org (Project Member), Jul 31

Labels: M-69 Target-69
Comment 14 by sheriffbot@chromium.org (Project Member), Oct 25

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
