Regression range points to 9fa206e1f4a36280672a4fb144cd7f78484b3c11.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/3e0be8d7fca5b28bcb18ae413be6392325d0b54c

commit 3e0be8d7fca5b28bcb18ae413be6392325d0b54c
Author: ishell <ishell@chromium.org>
Date: Tue Jun 07 09:46:55 2016

[runtime] Don't use ElementsTransitionAndStoreStub for transitions that involve instance rewriting.

BUG= chromium:617524 ,  v8:5009 
LOG=Y

Review-Url: https://codereview.chromium.org/2044003003
Cr-Commit-Position: refs/heads/master@{#36780}

[modify] https://crrev.com/3e0be8d7fca5b28bcb18ae413be6392325d0b54c/src/objects.cc
[modify] https://crrev.com/3e0be8d7fca5b28bcb18ae413be6392325d0b54c/src/objects.h
[add] https://crrev.com/3e0be8d7fca5b28bcb18ae413be6392325d0b54c/test/mjsunit/regress/regress-crbug-617524.js

 Issue 617653  has been merged into this issue.

ClusterFuzz has detected this issue as fixed in range 36779:36780.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6004108712738816

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  value->IsMutableHeapNumber() in objects-debug.cc
  
Regressed: V8: r36651:36652
Fixed: V8: r36779:36780

Minimized Testcase (0.19 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96RLhTVsfQARw0PbgHcvcmmbSnrFfH8oIsnmMTF36ZfUVR06QB8xu_csRbTyMZuRLxmRcacolrsELTOvtS-748lgId6C2RQpFhsfC_aoUa3QK_e5f-dJiOdf1uW33wSg7b67ByWg_Gp6Ywq1w42RFXaZWSzRQ
var __v_1 = {};
  function __f_4(a,b,c) {
      a[-6] = b;
      a[1] = c;
  }
  __f_4(new Array(),.5,0);
  __f_4(new Array(5),0,.5);
  gc();
  __f_4(new Array(5),0,0);
  __f_4(new Array(5),0);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/59fb9420ec7d3f717768a9c8862e968d09bce9c2

commit 59fb9420ec7d3f717768a9c8862e968d09bce9c2
Author: ishell@chromium.org <ishell@chromium.org>
Date: Mon Jun 13 11:04:36 2016

Version 5.2.361.22 (cherry-pick)

Merged 9fa206e1f4a36280672a4fb144cd7f78484b3c11
Merged 3e0be8d7fca5b28bcb18ae413be6392325d0b54c

[runtime] Ensure that all elements kind transitions are chained to the root map.

[runtime] Don't use ElementsTransitionAndStoreStub for transitions that involve instance rewriting.

BUG= chromium:617524 , v8:5009 , v8:5009 
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/2062783002 .

Cr-Commit-Position: refs/branch-heads/5.2@{#28}
Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1}
Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332}

[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/include/v8-version.h
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/src/compiler/access-info.cc
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/src/ic/ic-compiler.cc
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/src/ic/ic.cc
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/src/objects-inl.h
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/src/objects.cc
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/src/objects.h
[modify] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/test/cctest/test-field-type-tracking.cc
[add] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/test/mjsunit/regress/regress-crbug-617524.js
[add] https://crrev.com/59fb9420ec7d3f717768a9c8862e968d09bce9c2/test/mjsunit/regress/regress-v8-5009.js

 Issue 618310  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4bee1881649035014e9f45922eef7a9e76d72475

commit 4bee1881649035014e9f45922eef7a9e76d72475
Author: ishell@chromium.org <ishell@chromium.org>
Date: Wed Jun 22 09:25:46 2016

Version 5.1.281.68 (cherry-pick)

Merged 9fa206e1f4a36280672a4fb144cd7f78484b3c11
Merged 3e0be8d7fca5b28bcb18ae413be6392325d0b54c

[runtime] Ensure that all elements kind transitions are chained to the root map.

[runtime] Don't use ElementsTransitionAndStoreStub for transitions that involve instance rewriting.

BUG= chromium:617524 , v8:5009 , v8:5009 
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/2086483005 .

Cr-Commit-Position: refs/branch-heads/5.1@{#80}
Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1}
Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282}

[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/src/compiler/access-info.cc
[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/src/ic/ic-compiler.cc
[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/src/ic/ic.cc
[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/src/objects-inl.h
[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/src/objects.cc
[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/src/objects.h
[modify] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/test/cctest/test-field-type-tracking.cc
[add] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/test/mjsunit/regress/regress-crbug-617524.js
[add] https://crrev.com/4bee1881649035014e9f45922eef7a9e76d72475/test/mjsunit/regress/regress-v8-5009.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/45a71919836046560ba8eb349eaf9172857ffe6f

commit 45a71919836046560ba8eb349eaf9172857ffe6f
Author: ishell@chromium.org <ishell@chromium.org>
Date: Wed Jun 22 11:20:01 2016

Version 5.0.71.54 (cherry-pick)

Merged 9fa206e1f4a36280672a4fb144cd7f78484b3c11
Merged 3e0be8d7fca5b28bcb18ae413be6392325d0b54c

[runtime] Ensure that all elements kind transitions are chained to the root map.

[runtime] Don't use ElementsTransitionAndStoreStub for transitions that involve instance rewriting.

BUG= chromium:617524 , v8:5009 , v8:5009 
LOG=N
R=verwaest@chromium.org

Review URL: https://codereview.chromium.org/2083323002 .

Cr-Commit-Position: refs/branch-heads/5.0@{#65}
Cr-Branched-From: ad16e6c2cbd2c6b0f2e8ff944ac245561c682ac2-refs/heads/5.0.71@{#1}
Cr-Branched-From: bd9df50d75125ee2ad37b3d92c8f50f0a8b5f030-refs/heads/master@{#34215}

[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/include/v8-version.h
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/src/compiler/access-info.cc
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/src/ic/ic-compiler.cc
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/src/ic/ic.cc
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/src/objects-inl.h
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/src/objects.cc
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/src/objects.h
[modify] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/test/cctest/test-field-type-tracking.cc
[add] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/test/mjsunit/regress/regress-crbug-617524.js
[add] https://crrev.com/45a71919836046560ba8eb349eaf9172857ffe6f/test/mjsunit/regress/regress-v8-5009.js

No further backports needed for Node.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot