The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f1cc6e646f939ba177e50fd5b5137c486ee4fdac

commit f1cc6e646f939ba177e50fd5b5137c486ee4fdac
Author: verwaest <verwaest@chromium.org>
Date: Wed Apr 27 09:16:38 2016

Check the state of the current binary op IC before patching smi code

Between the miss and patching, we run user code. That may already patch the same code. IC refactoring broke this (again), so including a regression test this time around.

BUG= chromium:601392 
LOG=n

Review URL: https://codereview.chromium.org/1925583002

Cr-Commit-Position: refs/heads/master@{#35811}

[modify] https://crrev.com/f1cc6e646f939ba177e50fd5b5137c486ee4fdac/src/ic/ic.cc
[add] https://crrev.com/f1cc6e646f939ba177e50fd5b5137c486ee4fdac/test/mjsunit/regress/regress-recurse-patch-binary-op.js

ClusterFuzz has detected this issue as fixed in range 35810:35811.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6233205601992704

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (check == ENABLE_INLINED_SMI_CHECK) ? (*jmp_address == Assembler::kJncShortOpcod
  
Regressed: V8: r35296:35297
Fixed: V8: r35810:35811

Minimized Testcase (6.19 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95QdcdkuyvtghRKHn4pgvHb_H145VgdDZOd6cN6bJ2_ALkXHzE3PfLxhl097htKJI0jHOE59QzZCsvFxiCsBHlsunP9dFmHNQXJu1wOc8uuzCWx8d3L8jraYq_oMpt4eqrUnQOC1aSwI4zTDBaMmC4hrv8AfA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot