args.receiver()->IsJSReceiver() in src/builtins.cc
Issue description
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5697596017868800
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args.receiver()->IsJSReceiver() in src/builtins.cc
Regressed: V8: r33257:33258
Minimized Testcase (8.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95yAi0sI7-lIkpDcy_b_pHhweyQcAlFgaOy8cxvXBMJmpCvG7O-YMVgoXlKAQ1abGZOClEztjhgk1FPMnnnSB7rA0EjczXxVfYxjsumCSaasGEqnb_8udgwlEO1VyFhskIEdfjuAG9OuU391uLfxcbfehPkXw
Filer: hablich
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 1 2016
Minimal repro case:
Object.defineProperty(Boolean.prototype, "v", {get:constructor});
function foo(b) { return b.v; }
foo(true);
foo(true);
foo(true);
The culprit is that the IC system doesn't use the Call builtin for getters, so we need to fix that too.
Apr 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6df9a22c3f8d6640e867ca659c95e22289b00b40

commit 6df9a22c3f8d6640e867ca659c95e22289b00b40
Author: bmeurer <bmeurer@chromium.org>
Date: Fri Apr 01 06:37:39 2016

[ic] Use the CallFunction builtin to invoke accessors.

The HandlerCompiler did not properly handle the weird edge case when a sloppy mode function was installed as an accessor on one of the value wrapper prototypes and then accessed via a load from a primitive value. In this case we just passed the primitive value untouched instead of properly wrapping it first. The CallFunction builtin properly deals with all the funny edge cases, so we use it instead of duplicating almost all of the logic here (the performance difference is negligible).

R=verwaest@chromium.org
BUG=chromium:599073, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1845243005
Cr-Commit-Position: refs/heads/master@{#35187}

[modify] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/src/ic/arm/handler-compiler-arm.cc
[modify] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/src/ic/arm64/handler-compiler-arm64.cc
[modify] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/src/ic/ia32/handler-compiler-ia32.cc
[modify] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/src/ic/mips/handler-compiler-mips.cc
[modify] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/src/ic/mips64/handler-compiler-mips64.cc
[modify] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/src/ic/x64/handler-compiler-x64.cc
[add] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/test/mjsunit/regress/regress-crbug-599073-1.js
[add] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/test/mjsunit/regress/regress-crbug-599073-2.js
[add] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/test/mjsunit/regress/regress-crbug-599073-3.js
[add] https://crrev.com/6df9a22c3f8d6640e867ca659c95e22289b00b40/test/mjsunit/regress/regress-crbug-599073-4.js
Apr 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/2799cd15307e476a43354a89efa1fb752f14dd6a

commit 2799cd15307e476a43354a89efa1fb752f14dd6a
Author: mbrandy <mbrandy@us.ibm.com>
Date: Fri Apr 01 18:20:49 2016

PPC: [ic] Use the CallFunction builtin to invoke accessors.

Port 6df9a22c3f8d6640e867ca659c95e22289b00b40

Original commit message:
The HandlerCompiler did not properly handle the weird edge case when a sloppy mode function was installed as an accessor on one of the value wrapper prototypes and then accessed via a load from a primitive value. In this case we just passed the primitive value untouched instead of properly wrapping it first. The CallFunction builtin properly deals with all the funny edge cases, so we use it instead of duplicating almost all of the logic here (the performance difference is negligible).

R=bmeurer@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com
BUG=chromium:599073, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1846953006
Cr-Commit-Position: refs/heads/master@{#35214}

[modify] https://crrev.com/2799cd15307e476a43354a89efa1fb752f14dd6a/src/ic/ppc/handler-compiler-ppc.cc
Apr 1 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/6c38fde94e3f0996854be741f369a16aa65e871a

commit 6c38fde94e3f0996854be741f369a16aa65e871a
Author: jyan <jyan@ca.ibm.com>
Date: Fri Apr 01 19:31:11 2016

S390: [ic] Use the CallFunction builtin to invoke accessors.

port 6df9a22c3f8d6640e867ca659c95e22289b00b40

Original Commit Message:
The HandlerCompiler did not properly handle the weird edge case when a sloppy mode function was installed as an accessor on one of the value wrapper prototypes and then accessed via a load from a primitive value. In this case we just passed the primitive value untouched instead of properly wrapping it first. The CallFunction builtin properly deals with all the funny edge cases, so we use it instead of duplicating almost all of the logic here (the performance difference is negligible).

R=verwaest@chromium.org, bmeurer@chromium.org, joransiu@ca.ibm.com, mbrandy@us.ibm.com, michael_dawson@ca.ibm.com
BUG=chromium:599073, v8:4413
LOG=n

Review URL: https://codereview.chromium.org/1849233003
Cr-Commit-Position: refs/heads/master@{#35217}

[modify] https://crrev.com/6c38fde94e3f0996854be741f369a16aa65e871a/src/ic/s390/handler-compiler-s390.cc
Apr 1 2016
ClusterFuzz has detected this issue as fixed in range 35186:35187.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5697596017868800
Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: args.receiver()->IsJSReceiver() in src/builtins.cc
Regressed: V8: r33257:33258
Fixed: V8: r35186:35187
Minimized Testcase (8.38 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95yAi0sI7-lIkpDcy_b_pHhweyQcAlFgaOy8cxvXBMJmpCvG7O-YMVgoXlKAQ1abGZOClEztjhgk1FPMnnnSB7rA0EjczXxVfYxjsumCSaasGEqnb_8udgwlEO1VyFhskIEdfjuAG9OuU391uLfxcbfehPkXw
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 4 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by hablich@chromium.org, Mar 30 2016
Status: Assigned (was: Available)