Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/36bb2e000b6bb0da590d3853c94454618d93bd1c ([csa] type and separate {Load,Store}{Fixed,Property}ArrayElement).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

This is not a security bug: The failed check is a harmless false positive.

That is: the empty FixedArray is not considered a FixedDoubleArray, although that is indistinguishable.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5b74a7ee634630105743deed43b20b93921b4688

commit 5b74a7ee634630105743deed43b20b93921b4688
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Aug 09 10:00:25 2018

[csa] avoid FixedDoubleArray CAST on empty FixedArray

Bug:  chromium:871886 
Change-Id: I91c6099ebaa064575db1ee3d7354e02cd42bbfd2
Reviewed-on: https://chromium-review.googlesource.com/1166906
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55010}
[modify] https://crrev.com/5b74a7ee634630105743deed43b20b93921b4688/src/code-stub-assembler.cc
[add] https://crrev.com/5b74a7ee634630105743deed43b20b93921b4688/test/mjsunit/regress/regress-crbug-871886.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/60d1277f66d73c79e5098ee54439902a91152719

commit 60d1277f66d73c79e5098ee54439902a91152719
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Aug 09 10:36:53 2018

[csa] CSA type checks: allow the empty FixedArray to be CAST() to FixedDoubleArray

This should allow to re-land https://crrev.com/c/1039190

Bug:  chromium:871886 

Change-Id: If815537410b3fa09902026dc26205421f5c36ae5
Reviewed-on: https://chromium-review.googlesource.com/1169019
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55015}
[modify] https://crrev.com/60d1277f66d73c79e5098ee54439902a91152719/src/compiler/code-assembler.cc

ClusterFuzz has detected this issue as fixed in range 55009:55010.

Detailed report: https://clusterfuzz.com/testcase?key=4991384915017728

Fuzzer: ochang_js_fuzzer
Job Type: linux_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Type cast failed in CAST(LoadElements(object)) at ../../src/code-stub-assembler.
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=54945:54946
Fixed: https://clusterfuzz.com/revisions?job=linux_d8_dbg&range=55009:55010

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4991384915017728

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 4991384915017728 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/96ae2856bf40630f64d6ec0f427446e2046a5256

commit 96ae2856bf40630f64d6ec0f427446e2046a5256
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Fri Aug 10 11:46:26 2018

Revert "[csa] CSA type checks: allow the empty FixedArray to be CAST() to FixedDoubleArray"

This reverts commit 60d1277f66d73c79e5098ee54439902a91152719.

Reason for revert:  This is not sound as long as cast<FixedDoubleArray>() doesn't do the same.

Original change's description:
> [csa] CSA type checks: allow the empty FixedArray to be CAST() to FixedDoubleArray
> 
> This should allow to re-land https://crrev.com/c/1039190
> 
> Bug:  chromium:871886 
> 
> Change-Id: If815537410b3fa09902026dc26205421f5c36ae5
> Reviewed-on: https://chromium-review.googlesource.com/1169019
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#55015}

TBR=jarin@chromium.org,tebbi@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug:  chromium:871886 
Change-Id: Ib81f3a069776f9e1aa01d16b9d4979de7c56fcde
Reviewed-on: https://chromium-review.googlesource.com/1170742
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#55043}
[modify] https://crrev.com/96ae2856bf40630f64d6ec0f427446e2046a5256/src/compiler/code-assembler.cc