Automatically applying components based on crash stacktrace and information from OWNERS files.

If this is incorrect, please apply the Test-Predator-Wrong-Components label.

Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/9ed348e65ffaab83ca8bc81bb2e27540f9c51a02 ([turbofan] Serialize descriptor arrays.).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.

In ReduceJSArray, we call AsElementsKind on the initial_map twice:

initial_map = initial_map.AsElementsKind(...)
initial_map = initial_map.AsElementsKind(...) 

The trouble is that the serializer assumes we only call AsElementsKind on initial maps, but after the first call, we might not have an initial map.

One way to fix this would be to compute the proper elements kind first, and then only call AsElementsKind once. Another way would be to serialize AsElementsKinds for all AsElementsKind targets, too.  

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/56b6b6a8fa8e06b729c6e2e9a12524d9c95d85a5

commit 56b6b6a8fa8e06b729c6e2e9a12524d9c95d85a5
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Mon Oct 01 08:44:23 2018

[turbofan] Make sure we use only serialized elements kind transitions.

Currently, we call the MapRef::AsElementsKind method on an initial
map multiple times (from JSCreateLowering::ReduceJSCreateArray).
However, this does not does not play well with the heap copier/broker,
which only expectes AsElementsKind to be called on initial maps.

This CL makes sure we only call AsElementsKind once (on the initial map).

Bug:  chromium:890620 
Change-Id: If44421d3900abb7629ea8f789a005b8d8ebaf881
Reviewed-on: https://chromium-review.googlesource.com/1253105
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#56307}
[modify] https://crrev.com/56b6b6a8fa8e06b729c6e2e9a12524d9c95d85a5/src/compiler/js-create-lowering.cc
[modify] https://crrev.com/56b6b6a8fa8e06b729c6e2e9a12524d9c95d85a5/src/compiler/js-create-lowering.h
[add] https://crrev.com/56b6b6a8fa8e06b729c6e2e9a12524d9c95d85a5/test/mjsunit/compiler/regress-890620.js

ClusterFuzz has detected this issue as fixed in range 56306:56307.

Detailed report: https://clusterfuzz.com/testcase?key=5165122463727616

Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x557d701da39e
Crash State:
  v8::internal::compiler::MapRef::AsElementsKind
  v8::internal::compiler::JSCreateLowering::ReduceJSCreateArray
  v8::internal::compiler::GraphReducer::Reduce
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=55755:55756
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=56306:56307

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5165122463727616

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5165122463727616 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.