Node #7:StoreField in B0 is not dominated by input@0 #5:FinishRegion in src/comp
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5608841546301440
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #7:StoreField in B0 is not dominated by input@0 #5:FinishRegion in src/comp
Regressed: V8: r36323:36324
Minimized Testcase (0.18 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94R-s2U5GjOLapydWsWIN1vvjsX0BbQgPut5y_EWO1F7gsFgXKEyJuTg_Sbm7896VDsAZ3FToxn-9TKv1XRdGwsJ5wE6zQTJRQzQTjPaVO-6fl407ubyA5Qhk7jLGQar3f52TWH4zKAeIIiS1loM2cfsMNGVQ

function __f_6() {
  function __f_2() {
    function __f_1() {
      function __f_4() { eval(); }
      __f_4();
    }
    __f_1();
  }
  __f_2();
}
__f_6();
__f_6();

Filer: ishell
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
May 25 2016
Caused by cycles in the virtual object graph. Caused by escape analysis. Here is a different repro exposing the same issue. This is a fundamental problem and I need to dwell over it for a while.

// Run with d8 --allow-natives-syntax (needed for the %DeoptimizeNow and
// %OptimizeFunctionOnNextCall runtime calls below).
function f() {
  var o1 = { a:99, val:23 };
  var o2 = { b:o1, val:42 };
  o1.a = o2;  // o1 -> o2 -> o1: a cycle in the virtual object graph
  %DeoptimizeNow();
  return o1.a.val + o2.b.val;
}
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
May 25 2016
Issue 613931 has been merged into this issue.
May 27 2016
Issue 615268 has been merged into this issue.
Jun 1 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4799063195385856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #NUMBER:Load in B0 is not dominated by input@1 #NUMBER:Int32Constant in src
Regressed: V8: r33217:33218
Minimized Testcase (3.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ZfyGsfqEGXkd_t6bIxZYL13RksZB8Ig6hzdXx1wlDErRlroLds7GmSogrI4fcr9NzXmRDK64sNNIzbKgVXW7rJVFny2-HMiEuvOFygvwNbBAqbrImXLzCt8j0EFMLDcUQkKUO8EUEo9uFIkwYDTXpYx1Q8Q
Filer: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 2 2016
ClusterFuzz has detected this issue as fixed in range 36637:36638.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4799063195385856
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #NUMBER:Load in B0 is not dominated by input@1 #NUMBER:Int32Constant in src
Regressed: V8: r33217:33218
Fixed: V8: r36637:36638
Minimized Testcase (3.51 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94ZfyGsfqEGXkd_t6bIxZYL13RksZB8Ig6hzdXx1wlDErRlroLds7GmSogrI4fcr9NzXmRDK64sNNIzbKgVXW7rJVFny2-HMiEuvOFygvwNbBAqbrImXLzCt8j0EFMLDcUQkKUO8EUEo9uFIkwYDTXpYx1Q8Q
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 2 2016
Marking 'Fixed' as per c#6. Thank you!
Jun 14 2016
Reopening. Not fixed. But lowering priority.
Jun 27 2016
Jul 20 2016
Issue 629729 has been merged into this issue.
Aug 17 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5366781093085184
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #816:Call in B6 is not dominated by input@5 #3:HeapConstant in verifier.cc
Regressed: V8: r38650:38651
Minimized Testcase (3.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Qrj9JBPoo6phvZFoGMWaK2YsEz6yiS1L_HSNKxrvRqPuP05NykrsP3rHLgxbiR6iL68m7jR7OwKj602mmTA5nKZ7Dn_M1A8HaEixXEj12xZoirFvs5vgSqgW4dnYAoSQ9FPFt1Unp859x6KQl0ulaPf8VBQ?testcase_id=5366781093085184
Issue manually filed by: mstarzinger
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 1 2016
ClusterFuzz has detected this issue as fixed in range 39044:39045.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5366781093085184
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #816:Call in B6 is not dominated by input@5 #3:HeapConstant in verifier.cc
Regressed: V8: r38650:38651
Fixed: V8: r39044:39045
Minimized Testcase (3.03 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96Qrj9JBPoo6phvZFoGMWaK2YsEz6yiS1L_HSNKxrvRqPuP05NykrsP3rHLgxbiR6iL68m7jR7OwKj602mmTA5nKZ7Dn_M1A8HaEixXEj12xZoirFvs5vgSqgW4dnYAoSQ9FPFt1Unp859x6KQl0ulaPf8VBQ?testcase_id=5366781093085184
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 19 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5543111860420608
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #12:TypedStateValues in B0 is not dominated by input@7 #11:TypedStateValues
Regressed: V8: r36638:36639
Minimized Testcase (0.50 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96ieMzKAVhYTV7XmBGYYHcfh-ztwKT0pwb3k8Hb7j5qRua7rwH1izU21eSTe5c-U5uo11S-KXmKlpqcrlZckKYQ1XxWh5n3vFpiLTEjPmutMx9M_jdVIuAWG2kbpEaWC_uMebZK7Ff7pFMJJ69QPLnVvsD23g?testcase_id=5543111860420608

try {
  __v_14 = "Rebellious subjects, enemies to peace,\n\
 Once more, on pain of death, all men depart.\n"
  let events = 0;
} catch(e) {; }
try {
  async function __f_20() { }
  async function __f_21() { }
  async function __f_22() { await __f_21(); }
} catch(e) {; }
for (let producer of nonthrows) { }
for (let producer of uncatchable) {
  for (let consumer of catches.concat()) { }
}
for (let producer of throws) {
  for (let consumer of lateCatches) { }
}
for (let { __f_20} of cases) { }
var __v_36 = 3;

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5352173552795648
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #NUMBER:Call in B6 is not dominated by input@2 #3:HeapConstant in verifier.
Regressed: V8: r38650:38651
Minimized Testcase (3.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mdF9qsnSAY8VFc4Sz4sJJyqYB69TaiTNHFKAXL4-XoKhM0udyHE1xwhiKXbfe17purEeWCI3aZ1M8m0YDRshj3k0svMyUM5QnIiLQo2DP3QYRjc6wWjuccO24dM62wvplZ0CZ0Q_FVjMJX7t0Yb_hp_ZvJQ?testcase_id=5352173552795648
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 21 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5332963598532608
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #20:TypedStateValues in B0 is not dominated by input@0 #18:FinishRegion in
Unminimized Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95cBMSpPD9cLUek2AZAPdiesmvntqMCyn36QU1E5_hz8NUUsT_-q_-qUKgInb4eKCb3XlyGHLOKfW8tpMW19IXjcYRcDDsQ02qg5ZZ9XbkvSgnG8eqlazvZ9BdN4BLC8EpOoqJjZfm1iy-LUgh1_wqUd_Au0g?testcase_id=5332963598532608
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 22 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/59a38a9ac813768e734a0bc54473c0d287151ad9

commit 59a38a9ac813768e734a0bc54473c0d287151ad9
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Sep 22 07:50:02 2016

[turbofan] Add early detection of object state cycles.

This makes sure cycles in the object states graph are detected early by escape analysis instead of late in the scheduler. This is mainly done for improved debuggability.

R=bmeurer@chromium.org
BUG= chromium:613923

Review-Url: https://codereview.chromium.org/2354263002
Cr-Commit-Position: refs/heads/master@{#39614}

[modify] https://crrev.com/59a38a9ac813768e734a0bc54473c0d287151ad9/src/compiler/escape-analysis-reducer.cc
[modify] https://crrev.com/59a38a9ac813768e734a0bc54473c0d287151ad9/src/compiler/escape-analysis.cc
[modify] https://crrev.com/59a38a9ac813768e734a0bc54473c0d287151ad9/src/compiler/escape-analysis.h
[modify] https://crrev.com/59a38a9ac813768e734a0bc54473c0d287151ad9/test/unittests/compiler/escape-analysis-unittest.cc
Sep 22 2016
ClusterFuzz has detected this issue as fixed in range 39613:39614.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5543111860420608
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #12:TypedStateValues in B0 is not dominated by input@7 #11:TypedStateValues
Regressed: V8: r36638:36639
Fixed: V8: r39613:39614
Minimized Testcase (0.50 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96ieMzKAVhYTV7XmBGYYHcfh-ztwKT0pwb3k8Hb7j5qRua7rwH1izU21eSTe5c-U5uo11S-KXmKlpqcrlZckKYQ1XxWh5n3vFpiLTEjPmutMx9M_jdVIuAWG2kbpEaWC_uMebZK7Ff7pFMJJ69QPLnVvsD23g?testcase_id=5543111860420608

try {
  __v_14 = "Rebellious subjects, enemies to peace,\n\
 Once more, on pain of death, all men depart.\n"
  let events = 0;
} catch(e) {; }
try {
  async function __f_20() { }
  async function __f_21() { }
  async function __f_22() { await __f_21(); }
} catch(e) {; }
for (let producer of nonthrows) { }
for (let producer of uncatchable) {
  for (let consumer of catches.concat()) { }
}
for (let producer of throws) {
  for (let consumer of lateCatches) { }
}
for (let { __f_20} of cases) { }
var __v_36 = 3;

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 39613:39614.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5332963598532608
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #20:TypedStateValues in B0 is not dominated by input@0 #18:FinishRegion in
Regressed: V8: r36435:36436
Fixed: V8: r39613:39614
Minimized Testcase (0.20 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96S7-eUneAHOo6Q-kSCQ2dymdXZSDtu3wWt-xJ15ZPWH-1XA99j3t2hiPInMasZaUx18ldnMnw6eUjjzUIzQcthjDtHghKZzSzKmzEqGY6X2EkwG3DkG5kaQyUsDj7ySyb8ZUQTq_3ydmfabK0uKfmNR__VFw?testcase_id=5332963598532608

function __f_8() {
  function __f_4() {
    var __v_3 = 23;
    function __f_3() {
      function __f_6() { eval(load); }
      __f_6();
    }
    __f_3();
  }
  __f_4();
}
__f_8();
__f_8();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 39613:39614.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5352173552795648
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: Node #NUMBER:Call in B6 is not dominated by input@2 #3:HeapConstant in verifier.
Regressed: V8: r38650:38651
Fixed: V8: r39613:39614
Minimized Testcase (3.42 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94mdF9qsnSAY8VFc4Sz4sJJyqYB69TaiTNHFKAXL4-XoKhM0udyHE1xwhiKXbfe17purEeWCI3aZ1M8m0YDRshj3k0svMyUM5QnIiLQo2DP3QYRjc6wWjuccO24dM62wvplZ0CZ0Q_FVjMJX7t0Yb_hp_ZvJQ?testcase_id=5352173552795648
See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016
Sep 27 2016
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.

Comment 1 by ishell@chromium.org, May 23 2016
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)