Issue 878845
Issue metadata

Status: Verified
Owner:
Closed: Aug 30
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug-Security

CHECK failure: Type cast failed in CAST(p_o) at ../../src/code-stub-assembler.h:351 in code-ass

Project Member Reported by ClusterFuzz, Aug 29

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6405163611586560

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Type cast failed in CAST(p_o) at ../../src/code-stub-assembler.h:351 in code-ass
  v8::internal::CheckObjectType
  libv8.so
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55450:55451

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6405163611586560

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Labels: M-69
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)
Assigning to V8 CF sheriff.
Comment 2 by ClusterFuzz (Project Member), Aug 29

Components: Blink>JavaScript>Compiler
Labels: Test-Predator-Auto-Components
Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Cc: mstarzinger@chromium.org jgruber@chromium.org
Owner: szuend@google.com
Comment 4 by sheriffbot@chromium.org (Project Member), Aug 30

Labels: Security_Impact-Beta
Comment 5 by bugdroid1@chromium.org (Project Member), Aug 30

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b9540d447f8d10e28f97096e0760bca6db3205de

commit b9540d447f8d10e28f97096e0760bca6db3205de
Author: Simon Zünd <szuend@google.com>
Date: Thu Aug 30 13:34:25 2018

[array] Fix side-effect for 'from' argument in Array.p.lastIndexOf

This CL fixes a bug if the second argument ('from') for lastIndexOf
changes the array when it's converted to an integer.

R=jgruber@chromium.org

Bug: chromium:878845
Change-Id: I8759dd19381c63f0dde1d4c5abc1b6c7291c6048
Reviewed-on: https://chromium-review.googlesource.com/1196507
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@google.com>
Cr-Commit-Position: refs/heads/master@{#55525}
[modify] https://crrev.com/b9540d447f8d10e28f97096e0760bca6db3205de/src/builtins/array-lastindexof.tq
[add] https://crrev.com/b9540d447f8d10e28f97096e0760bca6db3205de/test/mjsunit/regress/regress-crbug-878845.js

Status: Fixed (was: Assigned)
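As an added reference check (not part of the bug report or of the V8 CL above), a spec-ordered JavaScript implementation of Array.prototype.lastIndexOf that reads the length before converting 'from' and guards every element access with HasProperty, compared against the native builtin on a constructed 'from' value whose conversion truncates the array. The names specLastIndexOf, makeCase and the helper functions are assumptions for this example.

```javascript
"use strict";

// ToIntegerOrInfinity as in the spec: for objects this invokes valueOf /
// toString, i.e. arbitrary user code runs inside the builtin at this point.
function toIntegerOrInfinity(v) {
  const n = Number(v);
  if (Number.isNaN(n)) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Spec-ordered Array.prototype.lastIndexOf (hypothetical reference, not V8 code):
// the length is captured BEFORE fromIndex is converted, and every element access
// goes through HasProperty, so a mutation during the conversion cannot lead to
// an access past the array's current bounds.
function specLastIndexOf(o, searchElement, ...rest) {
  const obj = Object(o);
  const len = Math.max(toIntegerOrInfinity(obj.length), 0); // LengthOfArrayLike
  if (len === 0) return -1;
  // User code may run here and shrink or grow obj; len stays as read above.
  const n = rest.length > 0 ? toIntegerOrInfinity(rest[0]) : len - 1;
  if (n === -Infinity) return -1;
  let k = n >= 0 ? Math.min(n, len - 1) : len + n;
  for (; k >= 0; k--) {
    // HasProperty check first: indices removed by the side effect are skipped.
    if (k in obj && obj[k] === searchElement) return k;
  }
  return -1;
}

// Constructed test case: a 'from' value whose conversion truncates the array,
// the situation the CL above fixes. Each call builds a fresh array because the
// conversion mutates it.
function makeCase() {
  const arr = [7, 8, 9, 8];
  const from = { valueOf() { arr.length = 1; return 3; } };
  return { arr, from };
}

// Both should agree on -1: index 3 no longer exists once the loop runs, and
// the only surviving element, 7, is not the search element.
function specResult() { const c = makeCase(); return specLastIndexOf(c.arr, 8, c.from); }
function nativeResult() { const c = makeCase(); return c.arr.lastIndexOf(8, c.from); }

function plainResults() {
  // Ordinary behaviour for comparison: default, positive and negative fromIndex.
  const a = [7, 8, 9, 8];
  return [a.lastIndexOf(8), specLastIndexOf(a, 8, 2), specLastIndexOf(a, 8, -3)];
}
```

On a fixed engine specResult() and nativeResult() both return -1; a disagreement between the two is the kind of ordering bug a regression test like regress-crbug-878845.js exists to catch.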
Comment 7 by sheriffbot@chromium.org (Project Member), Aug 30

Labels: Pri-1
Comment 8 by sheriffbot@chromium.org (Project Member), Aug 30

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Comment 9 by ClusterFuzz (Project Member), Aug 31

ClusterFuzz has detected this issue as fixed in range 55524:55525.

Detailed report: https://clusterfuzz.com/testcase?key=6405163611586560

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  Type cast failed in CAST(p_o) at ../../src/code-stub-assembler.h:351 in code-ass
  v8::internal::CheckObjectType
  libv8.so
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55450:55451
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=55524:55525

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6405163611586560

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 10 by ClusterFuzz (Project Member), Aug 31

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6405163611586560 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 11 by sheriffbot@chromium.org (Project Member), Sep 14

Labels: Merge-Request-70
Comment 12 by sheriffbot@chromium.org (Project Member), Sep 14

Labels: -Merge-Request-70 Merge-Review-70 Hotlist-Merge-Review
This bug requires manual review: M70 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: benmason@(Android), kariahda@(iOS), geohsu@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Does this need to be merged to M70?
Labels: -Hotlist-Merge-Review -Merge-Review-70
No, the CL that introduced the bug (https://crrev.com/c/1190345) was landed after the branch point.
Comment 15 by sheriffbot@chromium.org (Project Member), Dec 6

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot