Ill in v8::internal::JSObject::JSObjectVerify
Issue description
Detailed report: https://clusterfuzz.com/testcase?key=5097490751422464
Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Ill
Crash Address: 0x563e27abafd8
Crash State:
  v8::internal::JSObject::JSObjectVerify
  v8::internal::JSArray::JSArrayVerify
  v8::internal::HeapObject::HeapObjectVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=621038:621039
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5097490751422464
Issue filed automatically.
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
,
Jan 9
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
,
Jan 10
I can reproduce locally. This bisects to 780818726ad1f3a53efa77d4b98fe592e9705c35; however, even before that CL the site causes a CSA assert and crashes. But since the Array.prototype.filter CL affected the kind of crash, it might still shed some light on what is going on here.
,
Jan 10
As discussed offline, we have the suspicion that this has to do with the species allocator returning an array with an unexpected elements kind. Here is a dump of the object that the heap verifier stumbled over:
0x233dca2dee79: [JSArray]
- map: 0x3dfe50d01d51 <Map(HOLEY_SMI_ELEMENTS)> [FastProperties]
- prototype: 0x06cee36973d9 <JSArray[0]>
- elements: 0x233dca2def61 <FixedArray[17]> [HOLEY_SMI_ELEMENTS]
- length: 4
- properties: 0x1e5b69e80c19 <FixedArray[0]> {
#length: 0x304e0f9001a1 <AccessorInfo> (const accessor descriptor)
}
- elements: 0x233dca2def61 <FixedArray[17]> {
0: 0x097b68186e89 <String[14]: animatedFooter>
1: 0x097b68186ee9 <String[12]: miniscroller>
2: 0x097b68186f59 <String[20]: nativeDesktopSidebar>
3: 0x097b68186f09 <String[19]: nativeMobileContent>
4-16: 0x1e5b69e805a9 <the_hole>
}
As mentioned in comment #3, it also reproduces with the revision right before porting Array.prototype.filter to Torque, but with a CSA assert. So this might just be a pre-existing bug that has been ported over to Torque. Here is the CSA assert with the revision before:
#
# Fatal error in ../../v8/src/compiler/code-assembler.cc, line 1922
# Type cast failed in CAST(b) at ../../v8/src/code-stub-assembler.h:365
Expected Number but found 0x30f623440db1: [ArrayBoilerplateDescription] in OldSpace
- map: 0x0f3ab6782869 <Map[24]>
- elements kind: 2
- constant elements: 0x1a67d1c06a11 <FixedArray[1]>
#
#
Michael agreed to take a look at this. Thanks!
,
Jan 10
,
Jan 10
,
Jan 10
Fix in flight: https://chromium-review.googlesource.com/c/v8/v8/+/1405035
,
Jan 10
Re #7: Just checked, the fix in flight fixes the original repro. Awesome! Thanks!
,
Jan 10
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/72d8307f782550e59f4c0f20ec3ce8cc316f978f

commit 72d8307f782550e59f4c0f20ec3ce8cc316f978f
Author: Mike Stanton <mvstanton@chromium.org>
Date: Thu Jan 10 18:09:36 2019

[Builtins] Array.prototype.filter species creation error

If a species constructor is installed, filter() needs to loop over the elements of the array in the "slow" way, because it doesn't know the ElementsKind of the output array. The code failed to bail out to the slow case for the loop right away on discovering this.

Bug: chromium:920184, chromium:920491
Change-Id: I74496db20a90807b631c1bebe7604d85b199df67
Reviewed-on: https://chromium-review.googlesource.com/c/1405035
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58713}

[modify] https://crrev.com/72d8307f782550e59f4c0f20ec3ce8cc316f978f/src/builtins/array-filter.tq
[add] https://crrev.com/72d8307f782550e59f4c0f20ec3ce8cc316f978f/test/mjsunit/regress/regress-crbug-920184.js
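A constructed JavaScript example of the species path that comment #4 suspects and the fix above describes. This is added here for illustration; it is not the ClusterFuzz reproducer, V8's own code, or the regression test from the commit. `ArrayWithSpecies`, `SpeciesCtor`, `filterViaSpecies` and `filterDefault` are names chosen for the example, and the input strings are taken from the heap dump in comment #4 purely as sample data. The point it demonstrates: `Array.prototype.filter` obtains its result array from `O.constructor[Symbol.species]`, so user code can hand it an array it did not allocate (here a preallocated `new Array(17)`, which in V8 starts out as HOLEY_SMI_ELEMENTS), and the builtin then has to store strings into that array without knowing its ElementsKind in advance. On a fixed engine the survivors land at indices 0..3 and the remaining slots stay holes.

```javascript
// Added example (not V8 code, not the ClusterFuzz reproducer): how a
// user-supplied Symbol.species constructor decides which array
// Array.prototype.filter writes its survivors into.
//
// ArraySpeciesCreate(O, 0) reads O.constructor[Symbol.species] and calls it
// with length 0. This constructor ignores the requested length and returns a
// plain `new Array(17)` instead (in V8 that array starts as HOLEY_SMI_ELEMENTS),
// so filter() must transition the elements kind of an array it did not create.
class ArrayWithSpecies extends Array {
  static get [Symbol.species]() {
    return function SpeciesCtor(_requestedLength) {
      return new Array(17); // preallocated, every slot is a hole
    };
  }
}

// Constructed input: the string values seen in the heap dump in comment #4.
const INPUT_STRINGS = [
  'animatedFooter',
  'miniscroller',
  'nativeDesktopSidebar',
  'nativeMobileContent',
];

// Count indices below length that have no own property (holes).
function countHoles(arr) {
  let holes = 0;
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) holes++;
  }
  return holes;
}

// filter() on a receiver whose species returns the preallocated array.
function filterViaSpecies() {
  const input = ArrayWithSpecies.from(INPUT_STRINGS);
  // Keep everything; the predicate is not the interesting part here.
  const out = input.filter(() => true);
  return {
    isPlainArray: Object.getPrototypeOf(out) === Array.prototype,
    length: out.length,                          // filter never sets length on the species result
    survivors: out.slice(0, INPUT_STRINGS.length), // written at indices 0..3
    holes: countHoles(out),                      // indices 4..16 remain holes
  };
}

// The same filter() with the default species (plain Array): the engine
// allocates the result itself and knows its elements kind up front.
function filterDefault() {
  const out = INPUT_STRINGS.filter(() => true);
  return {
    isPlainArray: Object.getPrototypeOf(out) === Array.prototype,
    length: out.length,
    holes: countHoles(out),
  };
}

console.log(filterViaSpecies());
console.log(filterDefault());
```

Running this on a fixed engine prints a 17-element result with the four strings at the front and 13 holes for the species case, and a plain 4-element array for the default case; the species case is exactly the situation in which the builtin cannot assume the output ElementsKind matches the input and has to take the slow loop.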
,
Jan 11
ClusterFuzz has detected this issue as fixed in range 621889:621890.
Detailed report: https://clusterfuzz.com/testcase?key=5097490751422464
Fuzzer: inferno_webbot
Job Type: linux_asan_chrome_mp
Platform Id: linux
Crash Type: Ill
Crash Address: 0x563e27abafd8
Crash State:
  v8::internal::JSObject::JSObjectVerify
  v8::internal::JSArray::JSArrayVerify
  v8::internal::HeapObject::HeapObjectVerify
Sanitizer: address (ASAN)
Regressed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=621038:621039
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=621889:621890
Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5097490751422464
See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
,
Jan 11
ClusterFuzz testcase 5097490751422464 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.