Issue 621811  has been merged into this issue.

TurboFan generates computed property initialization of an object literal in a way that does not expect that the Runtime::kDefineDataPropertyInLiteral can lazy deopt.

Smaller repro:

out/x64.debug/d8 --predictable --turbo --always-opt test.js

===== test.js =====
var o = {};
function f() {
  o.a = 1;
}
function g() {
  var o1 = { ['a']: function(){} };
  f();
}
f();
f();
g();

I can repro. Thanks for the reduced test case. Working on a fix.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/4af80298b66f6dc0abd7fbab93f377755388d065

commit 4af80298b66f6dc0abd7fbab93f377755388d065
Author: mstarzinger <mstarzinger@chromium.org>
Date: Mon Jun 27 13:54:54 2016

[turbofan] Fix missing lazy deopt in object literals.

This adds a missing lazy bailout point when defining data properties
with computed property names in object literals. The runtime call to
Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary
bailout ID already exists and is now properly used.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-621816
BUG= chromium:621816 

Review-Url: https://codereview.chromium.org/2099133003
Cr-Commit-Position: refs/heads/master@{#37294}

[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/compiler/ast-graph-builder.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/compiler/linkage.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/arm/full-codegen-arm.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/arm64/full-codegen-arm64.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/ia32/full-codegen-ia32.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/mips/full-codegen-mips.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/mips64/full-codegen-mips64.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/ppc/full-codegen-ppc.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/s390/full-codegen-s390.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/x64/full-codegen-x64.cc
[modify] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/src/full-codegen/x87/full-codegen-x87.cc
[add] https://crrev.com/4af80298b66f6dc0abd7fbab93f377755388d065/test/mjsunit/regress/regress-crbug-621816.js

ClusterFuzz has detected this issue as fixed in range 37293:37294.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6600304003121152

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  safe_to_deopt_topmost_optimized_code in deoptimizer.cc
  
Fixed: V8: r37293:37294

Minimized Testcase (0.20 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv9639hhgDk7cclFOB8sU04qgejpOcy01SuCfMPBxDNNJTCNNGThFs76rtINusWo-2NafqLDWGqtUCgDWVb0vhORR1pnNlDWoo3dSLcncdXLndVVt2opaewR3OqArFCm85PKQKCeTTbHTLhKWLktbwO7IOXXtMw?testcase_id=6600304003121152
var __v_16 = {};
eval()
function __f_7() {
  __v_8 = __v_16;
  __v_8.a = 1;
}
__v_6 = __f_7();
__v_7 = __f_7();
(function __f_13() {
  var __v_10 = {
    *['a']() {
    }
  };
  __v_7 = __f_7();
})();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot