Ill in v8::internal::RemoveArrayHolesGeneric

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6577844687863808

Fuzzer: decoder_langfuzz
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x555c200bc35e
Crash State:
  v8::internal::RemoveArrayHolesGeneric
  RemoveArrayHoles
  __RT_impl_Runtime_PrepareElementsForSort

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=58877:58878

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577844687863808

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.
Jan 18 (4 days ago)

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/e38faab1c7df2d2c4a79378eea9d0e863d17c613

commit e38faab1c7df2d2c4a79378eea9d0e863d17c613
Author: Simon Zünd <szuend@chromium.org>
Date: Fri Jan 18 10:01:37 2019

[array] Remove CHECK_LE from RemoveArrayHolesGeneric

This CL removes a CHECK_LE that does not hold in all cases. After moving all elements to the front, current_pos will point to the next free spot. In the case where an object is 'packed', i.e. each index has a non-undefined value, and the length is smaller than the max index, current_pos will be greater than the length (limit in the code).

Sidenote: The block after taking the minimum (where the counted undefineds get set) will not be affected. In the case where num_undefined > 0, current_pos should be guaranteed to be smaller than limit, as long as there are no accessors with side-effects.

R=jgruber@chromium.org

Bug: chromium:923265
Change-Id: Id533cdc4db6c6c6f266cf7c6a8ab6ecbbeee7016
Reviewed-on: https://chromium-review.googlesource.com/c/1420679
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58912}

[modify] https://crrev.com/e38faab1c7df2d2c4a79378eea9d0e863d17c613/src/runtime/runtime-array.cc
[add] https://crrev.com/e38faab1c7df2d2c4a79378eea9d0e863d17c613/test/mjsunit/regress/regress-crbug-923265.js
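A simplified model of the compaction step the commit message above describes, added here as an example; it is not V8's code, and RemoveArrayHolesModel, HoleRemoval, PackedCase, SparseCase and the sparse-map representation of a receiver are this example's own names. It shows the two cases the message distinguishes: a packed object whose highest index exceeds its length leaves current_pos greater than limit (the state the removed CHECK_LE rejected), while taking the minimum keeps the block that writes the counted undefineds inside [0, limit).

```cpp
// Added example, not V8's code: a model of RemoveArrayHolesGeneric's
// compaction as the commit message describes it. A receiver is a sparse map
// from element index to value; std::nullopt stands for JavaScript's undefined,
// and an index absent from the map is a hole. `limit` plays the role of the
// length handed to the runtime function.
#include <algorithm>
#include <cstdint>
#include <map>
#include <optional>

using Value = std::optional<int>;                // nullopt == undefined
using SparseObject = std::map<uint32_t, Value>;  // iterates in ascending index

struct HoleRemoval {
  uint32_t current_pos;    // next free slot after moving defined values forward
  uint32_t num_undefined;  // undefined values counted during the move
  SparseObject result;     // receiver after compaction
};

// Move every non-undefined value to the front, count undefineds, then write
// the undefineds after the moved values and drop what is left below `limit`.
HoleRemoval RemoveArrayHolesModel(const SparseObject& obj, uint32_t limit) {
  HoleRemoval r{0, 0, obj};  // compaction happens in place on a copy
  // Pass 1: walk every index the receiver actually has. If the object is
  // packed and its max index is >= limit, current_pos ends up above limit,
  // which is exactly why CHECK_LE(current_pos, limit) could not hold.
  for (const auto& entry : obj) {
    if (!entry.second.has_value()) {
      ++r.num_undefined;
      continue;
    }
    r.result[r.current_pos++] = entry.second;
  }
  // Pass 2: the undefineds start at min(current_pos, limit); the clamp is
  // what keeps this block inside [0, limit) even after an overshoot.
  uint32_t pos = std::min(r.current_pos, limit);
  for (uint32_t i = 0; i < r.num_undefined && pos < limit; ++i, ++pos) {
    r.result[pos] = std::nullopt;
  }
  // Whatever remains in [pos, limit) is a stale copy of a moved value, an
  // original undefined that was re-placed, or a hole; remove it so the prefix
  // reads: defined values, then undefineds, then nothing.
  for (uint32_t i = pos; i < limit; ++i) r.result.erase(i);
  return r;
}

// Constructed input 1: packed object {0: 3, 1: 1, 2: 2} with length 2.
// Max index (2) exceeds the length, so current_pos becomes 3 > limit.
HoleRemoval PackedCase() {
  SparseObject obj{{0, 3}, {1, 1}, {2, 2}};
  return RemoveArrayHolesModel(obj, 2);
}

// Constructed input 2: {0: 5, 1: undefined, 3: 7} with length 4 (index 2 is a
// hole). Defined values compact to indices 0 and 1, the undefined lands at 2,
// and the stale copy at index 3 is deleted.
HoleRemoval SparseCase() {
  SparseObject obj{{0, 5}, {1, std::nullopt}, {3, 7}};
  return RemoveArrayHolesModel(obj, 4);
}
```

PackedCase() is the shape the fix is about: the first pass alone drives current_pos past limit, and nothing in the second pass depends on that relationship once the minimum is taken, which is the sidenote's point.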
Jan 18 (4 days ago)

ClusterFuzz has detected this issue as fixed in range 58911:58912.

Detailed report: https://clusterfuzz.com/testcase?key=6577844687863808

Fuzzer: decoder_langfuzz
Job Type: linux_ubsan_vptr_d8
Platform Id: linux

Crash Type: Ill
Crash Address: 0x555c200bc35e
Crash State:
  v8::internal::RemoveArrayHolesGeneric
  RemoveArrayHoles
  __RT_impl_Runtime_PrepareElementsForSort

Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=58877:58878
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_d8&range=58911:58912

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6577844687863808

See https://github.com/google/clusterfuzz-tools for instructions to reproduce this bug locally.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jan 18 (4 days ago)

ClusterFuzz testcase 6577844687863808 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Comment 1 by ClusterFuzz, Jan 18 (4 days ago)

Owner: szuend@chromium.org
Status: Assigned (was: Untriaged)