Issue 600995: !info->shared_info()->feedback_vector()->metadata()->SpecDiffersFrom( info->lite
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5372898017017856

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !info->shared_info()->feedback_vector()->metadata()->SpecDiffersFrom( info->lite

Regressed: V8: r35264:35265

Minimized Testcase (0.04 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95uscRedAON9xIw1noq0LXIazRvSyeYZLdjulB7FTjpoN1eDr4GHeDxo7ztmbTNxFJLiyHMUE0rdQGQL-rRUN4b-XJVqwudQ3TGq5WInHZBipMVWl6OXpJl__09dhV5OcK164GS1iduaMChqfqLNUrD9xOPfg

"use strict";
let classProperties = new Set();

Filer: hablich

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Apr 7 2016
Apr 7 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c

commit 460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Apr 07 15:34:07 2016

[compiler] Make feedback vector cope with flag changes.

This fixes corner cases where the layout of feedback vectors baked into
the snapshot is different from the expected layout, depending on some
runtime flags. We make sure the feedback vector is regenerated for
functions that are not compiled. Flag changes of this kind are only
allowed when code is not serialized.

An alternative solution would be to not serialize the feedback vector
for such cases in the first place. That solution however would have a
higher overhead, as it would require the serializer to be able to
recognize feedback vectors while generating a snapshot.

R=mvstanton@chromium.org
TEST=mjsunit/regress/regress-crbug-600995
BUG= chromium:600995
LOG=n

Review URL: https://codereview.chromium.org/1869693003

Cr-Commit-Position: refs/heads/master@{#35339}

[modify] https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c/src/compiler.cc
[add] https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c/test/mjsunit/regress/regress-crbug-600995.js
Apr 7 2016
ClusterFuzz has detected this issue as fixed in range 35338:35339.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5372898017017856

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State:
  !info->shared_info()->feedback_vector()->metadata()->SpecDiffersFrom( info->lite

Regressed: V8: r35264:35265
Fixed: V8: r35338:35339

Minimized Testcase (0.04 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95uscRedAON9xIw1noq0LXIazRvSyeYZLdjulB7FTjpoN1eDr4GHeDxo7ztmbTNxFJLiyHMUE0rdQGQL-rRUN4b-XJVqwudQ3TGq5WInHZBipMVWl6OXpJl__09dhV5OcK164GS1iduaMChqfqLNUrD9xOPfg

"use strict";
let classProperties = new Set();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Apr 7 2016
Apr 8 2016
Issue 601614 has been merged into this issue.
Apr 13 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/78049e9c4837f053575d6c71e53ae12fec99f1aa

commit 78049e9c4837f053575d6c71e53ae12fec99f1aa
Author: hablich <hablich@chromium.org>
Date: Mon Apr 11 15:35:22 2016

Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )

Reason for revert:
Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001

Original issue's description:
> [compiler] Make feedback vector cope with flag changes.
>
> This fixes corner cases where the layout of feedback vectors baked into
> the snapshot is different from the expected layout, depending on some
> runtime flags. We make sure the feedback vector is regenerated for
> functions that are not compiled. Flag changes of this kind are only
> allowed when code is not serialized.
>
> An alternative solution would be to not serialize the feedback vector
> for such cases in the first place. That solution however would have a
> higher overhead, as it would require the serializer to be able to
> recognize feedback vectors while generating a snapshot.
>
> R=mvstanton@chromium.org
> TEST=mjsunit/regress/regress-crbug-600995
> BUG= chromium:600995
> LOG=n
>
> Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> Cr-Commit-Position: refs/heads/master@{#35339}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org
BUG= chromium:600995
LOG=N
NOTRY=true

Review URL: https://codereview.chromium.org/1876103002

Cr-Commit-Position: refs/heads/master@{#35392}

[modify] https://crrev.com/78049e9c4837f053575d6c71e53ae12fec99f1aa/src/compiler.cc
[delete] https://crrev.com/8ce0a943e3aa77a80b63a75fc0308402404abeaa/test/mjsunit/regress/regress-crbug-600995.js
Apr 13 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/b88d048adf051059efb0ac22da191dba359e3fa4

commit b88d048adf051059efb0ac22da191dba359e3fa4
Author: hablich <hablich@chromium.org>
Date: Mon Apr 11 18:56:25 2016

Reland of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1876103002/ )

Reason for revert:
Did not fail on another roll including this CL ..

Original issue's description:
> Revert of [compiler] Make feedback vector cope with flag changes. (patchset #1 id:1 of https://codereview.chromium.org/1869693003/ )
>
> Reason for revert:
> Blocks current roll: https://codereview.chromium.org/1876713002/ according to bisect: https://codereview.chromium.org/1872353002/#ps80001
>
> Original issue's description:
> > [compiler] Make feedback vector cope with flag changes.
> >
> > This fixes corner cases where the layout of feedback vectors baked into
> > the snapshot is different from the expected layout, depending on some
> > runtime flags. We make sure the feedback vector is regenerated for
> > functions that are not compiled. Flag changes of this kind are only
> > allowed when code is not serialized.
> >
> > An alternative solution would be to not serialize the feedback vector
> > for such cases in the first place. That solution however would have a
> > higher overhead, as it would require the serializer to be able to
> > recognize feedback vectors while generating a snapshot.
> >
> > R=mvstanton@chromium.org
> > TEST=mjsunit/regress/regress-crbug-600995
> > BUG= chromium:600995
> > LOG=n
> >
> > Committed: https://crrev.com/460bff5fb6af2bd79e610f89afdf6da9dba3cf0c
> > Cr-Commit-Position: refs/heads/master@{#35339}
>
> TBR=mvstanton@chromium.org,mstarzinger@chromium.org
>
> BUG= chromium:600995
> LOG=N
> NOTRY=true
>
> Committed: https://crrev.com/78049e9c4837f053575d6c71e53ae12fec99f1aa
> Cr-Commit-Position: refs/heads/master@{#35392}

TBR=mvstanton@chromium.org,mstarzinger@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:600995

Review URL: https://codereview.chromium.org/1876973002

Cr-Commit-Position: refs/heads/master@{#35398}

[modify] https://crrev.com/b88d048adf051059efb0ac22da191dba359e3fa4/src/compiler.cc
[add] https://crrev.com/b88d048adf051059efb0ac22da191dba359e3fa4/test/mjsunit/regress/regress-crbug-600995.js
Apr 20 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/4993ca2d11383541c739321ecac63e746b4713f3

commit 4993ca2d11383541c739321ecac63e746b4713f3
Author: Adam Klein <adamk@chromium.org>
Date: Wed Apr 20 18:30:08 2016

Version 5.1.281.10 (cherry-pick)

Merged 460bff5fb6af2bd79e610f89afdf6da9dba3cf0c

[compiler] Make feedback vector cope with flag changes.

BUG= chromium:600995 ,chromium:601331
LOG=N
R=jkummerow@chromium.org

Review URL: https://codereview.chromium.org/1903293003 .

Cr-Commit-Position: refs/branch-heads/5.1@{#13}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/4993ca2d11383541c739321ecac63e746b4713f3/include/v8-version.h
[modify] https://crrev.com/4993ca2d11383541c739321ecac63e746b4713f3/src/compiler.cc
[add] https://crrev.com/4993ca2d11383541c739321ecac63e746b4713f3/test/mjsunit/regress/regress-crbug-600995.js
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by hablich@chromium.org, Apr 6 2016

Status: Assigned (was: Available)