
Issue 607871

Issue metadata

Status: Fixed
Closed: Apr 2016
OS: Linux
Pri: 1
Type: Bug




AllowHeapAllocation::IsAllowed() in src/heap/heap-inl.h

Project Member Reported by ClusterFuzz, Apr 29 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5365604084613120

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  AllowHeapAllocation::IsAllowed() in src/heap/heap-inl.h
  
Regressed: V8: r35891:35892

Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96EXQ0tMTZSB6VT-REM9JgIWvZHc0uFHldCV4OUjG2b66aR8BsXGEwUDQbQD4PPrXyn1RCQJN1v6185P0FviZj_Fnut1f3cO8g_Ci3uvqd1wnPstAGkJvi29IyHibjA2VmE4gs91nkI6gNgeLwOsaqlrS_5aA

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Issue 607872 has been merged into this issue.
Issue 607873 has been merged into this issue.
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
My mistake, fix is on the way.
Comment 4 by bugdroid1@chromium.org (Project Member), Apr 29 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5749d710bc73ef40f9b9e8b94ec290e0412d3f57

commit 5749d710bc73ef40f9b9e8b94ec290e0412d3f57
Author: mstarzinger <mstarzinger@chromium.org>
Date: Fri Apr 29 12:04:18 2016

[compiler] Fix TurboFan to respect kOptimizeFromBytecode.

This ensures that the TurboFan pipeline is respecting the flag on the
CompilationInfo controlling whether to use the BytecodeGraphBuilder or
the AstGraphBuilder when ensuring deoptimization support.

R=rmcilroy@chromium.org
BUG=chromium:607871
LOG=n

Review-Url: https://codereview.chromium.org/1934563002
Cr-Commit-Position: refs/heads/master@{#35904}

[modify] https://crrev.com/5749d710bc73ef40f9b9e8b94ec290e0412d3f57/src/compiler/pipeline.cc
[modify] https://crrev.com/5749d710bc73ef40f9b9e8b94ec290e0412d3f57/test/mjsunit/mjsunit.status

Comment 5 by ClusterFuzz (Project Member), Apr 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5410896091807744

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000097dd3bd4
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
  
Recommended Security Severity: Medium

Regressed: V8: r35891:35892

Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97pxg-xi0oGvtA60IVD2cnFKQGTTcbgGpds4PpDnRqRK6Af6dNqnxIHbwTk6Ys7ippxtSR1wPXK-yfEt5YrSeVnY7SzxiMdljSbfgRb1zVU8PWszjA7VnG1-qHAKVJFUPP46pLKe5rp0Zem4HZfGzUfTbKd5g
 { function t() { try { t(); } catch(e) {; } }; try {; } catch(e) {} }
  %OptimizeFunctionOnNextCall(__f_17);
try {
} catch(e) {; }
function __f_12() {
}
function __f_17(a,b,c,d) { return [a, ...(nop()[c])]; }
[], __f_17();


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 6 by ClusterFuzz (Project Member), Apr 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6059900781723648

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in src/objects
  
Regressed: V8: r35891:35892

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95GiUzgGbMaZmNiz5EqE7TZRfi5-m3_6C37hjwVIZ1jY9vzr3zVxGQ4Lz8Bh82wZBtwkfGhuMGgiroRRlBMOt2AtEyYnRuWt0iEkxPMYyAgtxgRVssvKGM0vYI7u_QNSI0V7OBW1d32YDZlAGTZa1Qq2fD33w
try {
var __v_45 = __v_44();
} catch(e) {; }
function __f_44(flags) {
  var __v_46 = new RegExp(__v_45, flags);
}
__f_44("__v_44");


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 7 by ClusterFuzz (Project Member), Apr 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698771052560384

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in src/objec
  
Regressed: V8: r35891:35892

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95sDSBS7zWKTdc1xxA_50xKuGMcZwLpeRUb5fiZuF8e-j3Zz2PLFCzbS0YzMN-ZSyGhEMofST0O2onPzHc-0nL-DjMc02o8-2-QgcUpbzZYDEqCumQuOMM8AQU7Zbd9tOyC5lBKg_AV_vvXpkFlhwG83wfDkQ
var __v_7 = {};
try {
class MyPromise extends Promise {
  constructor(...args) {
    __v_7 = args;
  }
}
__v_8 = MyPromise.resolve();
} catch(e) {; }


Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 8 by ClusterFuzz (Project Member), Apr 29 2016

ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5365604084613120

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  AllowHeapAllocation::IsAllowed() in src/heap/heap-inl.h
  
Regressed: V8: r35891:35892
Fixed: V8: r35903:35904

Minimized Testcase (6.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96EXQ0tMTZSB6VT-REM9JgIWvZHc0uFHldCV4OUjG2b66aR8BsXGEwUDQbQD4PPrXyn1RCQJN1v6185P0FviZj_Fnut1f3cO8g_Ci3uvqd1wnPstAGkJvi29IyHibjA2VmE4gs91nkI6gNgeLwOsaqlrS_5aA

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
This is fixed. Sorry for the noise on ClusterFuzz.
Comment 10 by ClusterFuzz (Project Member), Apr 30 2016

ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6059900781723648

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSObject()) in src/objects
  
Regressed: V8: r35891:35892
Fixed: V8: r35903:35904

Minimized Testcase (0.13 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95GiUzgGbMaZmNiz5EqE7TZRfi5-m3_6C37hjwVIZ1jY9vzr3zVxGQ4Lz8Bh82wZBtwkfGhuMGgiroRRlBMOt2AtEyYnRuWt0iEkxPMYyAgtxgRVssvKGM0vYI7u_QNSI0V7OBW1d32YDZlAGTZa1Qq2fD33w
try {
var __v_45 = __v_44();
} catch(e) {; }
function __f_44(flags) {
  var __v_46 = new RegExp(__v_45, flags);
}
__f_44("__v_44");


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 11 by ClusterFuzz (Project Member), Apr 30 2016

ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5410896091807744

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000097dd3bd4
Crash State:
  v8::internal::StackFrameIterator::StackFrameIterator
  v8::internal::Isolate::PrintStack
  v8::internal::Isolate::StackTraceString
  
Recommended Security Severity: Medium

Regressed: V8: r35891:35892
Fixed: V8: r35903:35904

Minimized Testcase (0.22 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97pxg-xi0oGvtA60IVD2cnFKQGTTcbgGpds4PpDnRqRK6Af6dNqnxIHbwTk6Ys7ippxtSR1wPXK-yfEt5YrSeVnY7SzxiMdljSbfgRb1zVU8PWszjA7VnG1-qHAKVJFUPP46pLKe5rp0Zem4HZfGzUfTbKd5g
 { function t() { try { t(); } catch(e) {; } }; try {; } catch(e) {} }
  %OptimizeFunctionOnNextCall(__f_17);
try {
} catch(e) {; }
function __f_12() {
}
function __f_17(a,b,c,d) { return [a, ...(nop()[c])]; }
[], __f_17();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 12 by ClusterFuzz (Project Member), Apr 30 2016

ClusterFuzz has detected this issue as fixed in range 35903:35904.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4698771052560384

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  !v8::internal::FLAG_enable_slow_asserts || (object->IsJSFunction()) in src/objec
  
Regressed: V8: r35891:35892
Fixed: V8: r35903:35904

Minimized Testcase (0.15 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95sDSBS7zWKTdc1xxA_50xKuGMcZwLpeRUb5fiZuF8e-j3Zz2PLFCzbS0YzMN-ZSyGhEMofST0O2onPzHc-0nL-DjMc02o8-2-QgcUpbzZYDEqCumQuOMM8AQU7Zbd9tOyC5lBKg_AV_vvXpkFlhwG83wfDkQ
var __v_7 = {};
try {
class MyPromise extends Promise {
  constructor(...args) {
    __v_7 = args;
  }
}
__v_8 = MyPromise.resolve();
} catch(e) {; }


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 13 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
