Unreachable code in src/compiler/verifier.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5217433819807744

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address:
Crash State:
  src/compiler/verifier.cc

Regressed: V8: r35803:35804

Minimized Testcase (6.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ih4d27qmqtkWA9rW76cRL30LjuNbYHRucSoGvl2qdSpamadVzWtre1YEEiTkgQG5mL6RE5xjM4eeQRbACPN_-HptsJNauLq8zp1QI5WcecdqZPDjOYCaCkFBApOSyjPaIcSh2WYZGP_MUrrOhBjWJPkp7tQ

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by mstarzinger@chromium.org, Apr 28 2016
This is a bug in some interaction of for-in/OSR/try-catch. Minimized repro:
function g() {
  for (var x in [0]) {
    try {
      while (true);
    } catch(e) {
      continue;
    }
  }
}
g();
Apr 28 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/a5c6676b136457266e8e10bf3f7df30a5184aa3b

commit a5c6676b136457266e8e10bf3f7df30a5184aa3b
Author: jarin <jarin@chromium.org>
Date: Thu Apr 28 18:58:55 2016

Unship try-catch and try-finally optimizations in Turbofan.

Try catch interacts badly with OSR and for-in.

BUG= chromium:607493
LOG=n

Review-Url: https://codereview.chromium.org/1931973002
Cr-Commit-Position: refs/heads/master@{#35877}

[modify] https://crrev.com/a5c6676b136457266e8e10bf3f7df30a5184aa3b/src/ast/ast-numbering.cc
Apr 29 2016
ClusterFuzz has detected this issue as fixed in range 35876:35877.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5217433819807744

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address:
Crash State:
  src/compiler/verifier.cc

Regressed: V8: r35803:35804
Fixed: V8: r35876:35877

Minimized Testcase (6.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96ih4d27qmqtkWA9rW76cRL30LjuNbYHRucSoGvl2qdSpamadVzWtre1YEEiTkgQG5mL6RE5xjM4eeQRbACPN_-HptsJNauLq8zp1QI5WcecdqZPDjOYCaCkFBApOSyjPaIcSh2WYZGP_MUrrOhBjWJPkp7tQ

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 3 2016
Jaro found the underlying problem with this issue. Jaro, you are my hero! Thanks!
May 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/2da181b08b66e127bba204fe4293c81e4f73ee3a

commit 2da181b08b66e127bba204fe4293c81e4f73ee3a
Author: jarin <jarin@chromium.org>
Date: Tue May 03 13:40:12 2016

[turbofan] Fix OSR environment in for-in.

BUG= chromium:607493
LOG=n

Review-Url: https://codereview.chromium.org/1949433002
Cr-Commit-Position: refs/heads/master@{#35982}

[modify] https://crrev.com/2da181b08b66e127bba204fe4293c81e4f73ee3a/src/compiler/ast-graph-builder.cc
[add] https://crrev.com/2da181b08b66e127bba204fe4293c81e4f73ee3a/test/mjsunit/compiler/regress-607493.js
May 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/caf460b2882e44b95abffb08945891ca1ba6cb53

commit caf460b2882e44b95abffb08945891ca1ba6cb53
Author: jarin <jarin@chromium.org>
Date: Tue May 03 14:05:07 2016

[turbofan] Better test for for-in/continue OSR problem.

The problem is actually not related to try-catch, so here is a test without try-catch.

BUG= chromium:607493
LOG=n

Review-Url: https://codereview.chromium.org/1943883002
Cr-Commit-Position: refs/heads/master@{#35985}

[modify] https://crrev.com/caf460b2882e44b95abffb08945891ca1ba6cb53/test/mjsunit/compiler/regress-607493.js
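The commit above says the trigger is a for-in loop with `continue` under OSR and that try-catch is not needed. The following is an added, constructed example of that shape; it is not the project's regress-607493.js and does not reproduce its contents. The object literal, the iteration count and the function name are assumptions. Nothing here can observe the verifier failure from JavaScript: on an engine with the fix the function simply returns its result, while on an affected debug build the crash would occur in the compiler during on-stack replacement.

```javascript
// Added, constructed example (not V8's regression test): a for-in loop whose
// body ends in `continue` and contains a hot inner loop. The inner loop is
// long enough that the engine may on-stack-replace (OSR) the running function
// while the for-in enumeration is still live, which is the situation the
// "[turbofan] Fix OSR environment in for-in" commit addresses. The page does
// not describe the internal mechanism, so this only reproduces the shape.
// `obj` and `innerIterations` are assumed inputs.
function forInContinueOsr(obj, innerIterations) {
  var keys = [];
  var total = 0;
  for (var key in obj) {
    keys.push(key);
    // Hot inner loop: gives the runtime an opportunity to OSR into this
    // function while the for-in state for `obj` is on the stack.
    for (var i = 0; i < innerIterations; i++) {
      total += i & 1;
    }
    // `continue` at the end of the for-in body, as in the reduced testcase,
    // but without any try-catch around it.
    if (total >= 0) continue;
    keys.push('unreachable');
  }
  return { keys: keys, total: total };
}

// Exercise it stand-alone with an assumed object and iteration count.
forInContinueOsr({ a: 1, b: 2, c: 3 }, 100000);
```

If an engine build is actually affected, run it under d8 with the debug build named in the report (linux_asan_d8_dbg); a release build may silently miscompile rather than hit the verifier check.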
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot