Ill in __RT_impl_Runtime_AllocateInNewSpace

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5619757313949696
Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: Ill
Crash Address: 0x557b3bd31ede
Crash State:
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=56437:56438
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5619757313949696

Issue filed automatically. See https://github.com/google/clusterfuzz-tools for more information.
Oct 17

Oct 18

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/779d102ca87bddd412d9a9d761d6e6b57e01a609

commit 779d102ca87bddd412d9a9d761d6e6b57e01a609
Author: Hai Dang <dhai@google.com>
Date: Thu Oct 18 08:44:21 2018

    Use slow path in IterableToList for big input strings.

    AllocateJSArray always allocates in new space, so we bail out of the
    fast path for strings if the new array does not fit in new space.

    Bug found by ClusterFuzz. Regression test added.

    This also switches to the BranchIf pattern to avoid materializing a bool.

    Bug: chromium:895860, v8:7980
    Change-Id: Ic7c41268c394ac2796b7694252390ab50fd74838
    Reviewed-on: https://chromium-review.googlesource.com/c/1286337
    Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
    Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
    Reviewed-by: Georg Neis <neis@chromium.org>
    Commit-Queue: Hai Dang <dhai@google.com>
    Cr-Commit-Position: refs/heads/master@{#56759}

[modify] https://crrev.com/779d102ca87bddd412d9a9d761d6e6b57e01a609/src/builtins/builtins-iterator-gen.cc
[modify] https://crrev.com/779d102ca87bddd412d9a9d761d6e6b57e01a609/src/builtins/builtins-string-gen.cc
[modify] https://crrev.com/779d102ca87bddd412d9a9d761d6e6b57e01a609/src/builtins/builtins-string-gen.h
[add] https://crrev.com/779d102ca87bddd412d9a9d761d6e6b57e01a609/test/mjsunit/es6/regress/regress-cr895860.js
Oct 19

ClusterFuzz has detected this issue as fixed in range 56758:56759.

Detailed report: https://clusterfuzz.com/testcase?key=5619757313949696
Fuzzer: ochang_js_fuzzer
Job Type: linux_ubsan_vptr_d8
Platform Id: linux
Crash Type: Ill
Crash Address: 0x557b3bd31ede
Crash State:
  __RT_impl_Runtime_AllocateInNewSpace
  v8::internal::Runtime_AllocateInNewSpace
Sanitizer: undefined (UBSAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=56437:56438
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=56758:56759
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5619757313949696

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 19

ClusterFuzz testcase 5619757313949696 is verified as fixed, so closing issue as verified.

If this is incorrect, please add the ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Oct 16

Owner: dhai@google.com
Status: Assigned (was: Untriaged)