Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/b6f7ea580595f98b89fc47c50f9ccfbbd3b9c448 ([runtime] use new CloneObject bytecode for some ObjectLiteralSpread cases).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

Adding some labels. This seems like it would affect all V8 platforms.

This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it.

If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The fix for this and other related CF failures is out for review at https://chromium-review.googlesource.com/c/v8/v8/+/1146297

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d6efcbf02280155af632b47d51a13bbd2a10b6b0

commit d6efcbf02280155af632b47d51a13bbd2a10b6b0
Author: Caitlin Potter <caitp@igalia.com>
Date: Wed Jul 25 21:23:05 2018

[runtime] fix ClusterFuzz regressions (and remaining nits) in CloneObject

Includes fixes for several ClusterFuzz regressions:

1) fix an invalid Handle-cast in ic.cc (chromium:866282)

2) fix for improper accounting of used/unused inobject
fields, found by clusterfuzz (chromium:866357).

3) fix number of control outputs for the JSCloneObject
operator to be used by IfSuccess and IfException nodes (chromium:866727).

4) fix property constness in out-of-object properties of fast-cloned
object to be compatible with DCHECKs in StoreIC (chromium:866861).

Also includes the fixups missing from the initial commit, and
regression tests

BUG=v8:7611,  chromium:866282 ,  chromium:866357 ,  chromium:866727 ,  chromium:866861 
R=jkummerow@chromium.org, mvstanton@chromium.org
TBR=rmcilroy@chromium.org

Change-Id: I77220308482f16db2893c0dcebec36530d0f5540
Reviewed-on: https://chromium-review.googlesource.com/1146297
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#54706}
[modify] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/src/compiler/js-operator.cc
[modify] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/src/ic/ic.cc
[modify] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/src/objects.cc
[modify] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/src/objects/map-inl.h
[modify] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/src/objects/map.h
[add] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/test/mjsunit/es9/regress/regress-866282.js
[add] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/test/mjsunit/es9/regress/regress-866357.js
[add] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/test/mjsunit/es9/regress/regress-866727.js
[add] https://crrev.com/d6efcbf02280155af632b47d51a13bbd2a10b6b0/test/mjsunit/es9/regress/regress-866861.js

ClusterFuzz has detected this issue as fixed in range 54705:54706.

Detailed report: https://clusterfuzz.com/testcase?key=5349126364200960

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address: 
Crash State:
  UnusedPropertyFields() == map->UnusedPropertyFields() in map-inl.h
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=54594:54595
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_v8_arm64_dbg&range=54705:54706

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5349126364200960

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5349126364200960 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot