Issue 613919
Issue metadata

Status: Fixed
Owner:
Closed: May 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Unreachable code in src/objects-inl.h

Reported by ClusterFuzz (Project Member), May 23 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5624015700099072

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address: 
Crash State:
  src/objects-inl.h
  
Regressed: V8: r34208:34209

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96coTuAWIhCsOw7WHuvyIefcj9l4XCAIOWG084tOeh5ZbG1M_fLhoKHeGJSy223prd3J4eT7MXvBZUI6uu3EWCNf1zpl_ZFFzyioca_rqn7Bnp8CnsNwgB-Wud4F5uYDLxH7FzZo1gb5J3UD18zNdUqka-MLw
var __v_3 = {};
var __v_4 = {};
function __f_1() {
  __v_4 = __f_3(true, __v_3);
}
__f_1();
%OptimizeFunctionOnNextCall(__f_1);  // natives syntax: run with d8 --allow-natives-syntax
__f_1();
function __f_3(a, b, c) {
  if (!a) return arguments;  // the sloppy arguments object escapes on this path
  return [b[2]];
}


Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Comment 1 by ishell@chromium.org, May 23 2016

Owner: jarin@chromium.org
Status: Assigned (was: Available)
It looks like TF wrote arguments object as a normal object to the translation and runtime rejects deoptimizer's attempt to materialize such an object.

Escape analysis could also be involved here.

Cc: jarin@chromium.org
Owner: mstarzinger@chromium.org
This is very likely escape analysis. I'll take it.
Comment 3 by bugdroid1@chromium.org (Project Member), May 23 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3cc2adb3195afe8f6eb671664bd65828eb68adb1

commit 3cc2adb3195afe8f6eb671664bd65828eb68adb1
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon May 23 13:50:52 2016

[deoptimizer] Fix materialization of sloppy arguments.

This makes sure the deoptimizer can materialize sloppy arguments objects
with the FAST_SLOPPY_ARGUMENTS_ELEMENTS elements kind. TurboFan's escape
analysis treats those as normal JSObject types and hence materializes
them differently than Crankshaft does.

R=verwaest@chromium.org
TEST=mjsunit/regress/regress-crbug-613919
BUG= chromium:613919 

Review-Url: https://codereview.chromium.org/2001133002
Cr-Commit-Position: refs/heads/master@{#36440}

[modify] https://crrev.com/3cc2adb3195afe8f6eb671664bd65828eb68adb1/src/deoptimizer.cc
[add] https://crrev.com/3cc2adb3195afe8f6eb671664bd65828eb68adb1/test/mjsunit/regress/regress-crbug-613919.js
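The commit above concerns the elements kind of a sloppy (mapped) arguments object, and the ClusterFuzz reproducer relies on `%OptimizeFunctionOnNextCall` to reach the deoptimizer. The following is an added example, not the project's regress-crbug-613919.js and not code from any comment here: it keeps the reproducer's shape (a function whose `arguments` object escapes on one path only) but drops the natives syntax so it runs under plain node or d8. The warm-up loop and the iteration count are assumptions that merely invite the JIT to optimize the hot path before the escape path is taken; the checks then pin down what a correctly materialized sloppy arguments object must look like (length, element access, and parameter aliasing), contrasted with a strict, unmapped one.

```javascript
// Added example (not the project's regression test). Mirrors the shape of the
// ClusterFuzz reproducer without V8 natives syntax. The warm-up loop is an
// assumption: it gives the optimizer a chance to compile `inner` while the
// `arguments` escape path is untaken; the final call takes that path and, if
// the function was optimized, forces a deopt that must materialize the
// arguments object. Function bodies built with `new Function` are sloppy
// unless they opt in, independent of whether this file is loaded as a module.
const BODY = `
  if (!a) {
    arguments[1] = "patched";          // write through the arguments slot
    return { args: arguments, b: b };  // arguments escapes here
  }
  return [b[2]];                       // hot path: arguments is never needed
`;

function makeInner(strict) {
  // A directive prologue at the start of the body makes the function strict,
  // which turns its arguments object into an unmapped one.
  return new Function("a", "b", "c", (strict ? '"use strict";' : "") + BODY);
}

// Drives `inner` like the reproducer: hot path many times, then the escape
// path once. Returns both results so callers can inspect the arguments object.
function runScenario(strict, warmupIterations = 20000) {
  const inner = makeInner(strict);
  const holder = {};                   // stands in for __v_3; holder[2] is undefined
  let hot;
  for (let i = 0; i < warmupIterations; i++) {
    hot = inner(true, holder);
  }
  const escaped = inner(false, holder, "extra");
  return { hot, escaped };
}

// Summarizes the properties a materialized arguments object has to get right:
// its length, its elements, its [[Class]], and whether writes through
// arguments[i] alias the named parameter (true only for sloppy, mapped ones).
function describe(strict) {
  const { hot, escaped } = runScenario(strict);
  return {
    hotResultIsArray: Array.isArray(hot) && hot.length === 1 && hot[0] === undefined,
    length: escaped.args.length,
    isArguments: Object.prototype.toString.call(escaped.args) === "[object Arguments]",
    element1: escaped.args[1],
    parameterAliased: escaped.b === "patched",
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("sloppy:", describe(false));
  console.log("strict:", describe(true));
}
```

Run it with `node` (or `d8`) and compare the two summaries: the sloppy variant reports `parameterAliased: true` because the mapped elements kind routes `arguments[1]` to the parameter `b`, while the strict variant keeps `b` untouched. A regression test for a deoptimizer change of this kind would assert exactly these properties on the escaped object.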

Comment 4 by bugdroid1@chromium.org (Project Member), May 27 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/addfd00a20f4b9ddabf7e71d51aa524431ec0090

commit addfd00a20f4b9ddabf7e71d51aa524431ec0090
Author: mstarzinger <mstarzinger@chromium.org>
Date: Fri May 27 12:37:17 2016

[runtime] Allow generic allocation of sloppy arguments.

This allows sloppy arguments objects to be allocated by the generic
Heap::AllocateJSObjectFromMap allocation function. An empty elements
backing store for such objects is provided. This is needed in order to
materialize such objects without access to a specific native context.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-613919
BUG= chromium:613919 

Review-Url: https://codereview.chromium.org/2014343004
Cr-Commit-Position: refs/heads/master@{#36547}

[modify] https://crrev.com/addfd00a20f4b9ddabf7e71d51aa524431ec0090/src/deoptimizer.cc
[modify] https://crrev.com/addfd00a20f4b9ddabf7e71d51aa524431ec0090/src/heap/heap.cc
[modify] https://crrev.com/addfd00a20f4b9ddabf7e71d51aa524431ec0090/src/heap/heap.h
[modify] https://crrev.com/addfd00a20f4b9ddabf7e71d51aa524431ec0090/src/objects-inl.h
[modify] https://crrev.com/addfd00a20f4b9ddabf7e71d51aa524431ec0090/src/objects.h

Comment 5 by ClusterFuzz (Project Member), May 27 2016

ClusterFuzz has detected this issue as fixed in range 36546:36547.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5624015700099072

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address: 
Crash State:
  src/objects-inl.h
  
Regressed: V8: r34208:34209
Fixed: V8: r36546:36547

Minimized Testcase (0.23 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96coTuAWIhCsOw7WHuvyIefcj9l4XCAIOWG084tOeh5ZbG1M_fLhoKHeGJSy223prd3J4eT7MXvBZUI6uu3EWCNf1zpl_ZFFzyioca_rqn7Bnp8CnsNwgB-Wud4F5uYDLxH7FzZo1gb5J3UD18zNdUqka-MLw
var __v_3 = {};
var __v_4 = {};
function __f_1() {
  __v_4 = __f_3(true, __v_3);
}
__f_1();
%OptimizeFunctionOnNextCall(__f_1);  // natives syntax: run with d8 --allow-natives-syntax
__f_1();
function __f_3(a, b, c) {
  if (!a) return arguments;  // the sloppy arguments object escapes on this path
  return [b[2]];
}


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Assigned)
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot