Crash in v8::internal::Map::instance_type
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5637121415315456

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Map::instance_type
  v8::internal::Builtin_Impl_HandleApiCall
  v8::internal::Builtin_HandleApiCall
Regressed: V8: r36418:36419

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv949owl8xd96icC2jT8DaA00eQD2k2mp6gd3gA1nSQeGKXqxScd47jMALICdH7lIZxGkyIbx-mjvXzJMF_esQx8hN69wXn6lFbR-11m3e_PH9AgqE09UXU7-f_fFMZiSphSXxTvssJpSmJ1gSeDDGFVhJ0Q87Q?testcase_id=5637121415315456

var __v_5 = {};
for (var __v_0 = 0; __v_0 < 1000000; __v_0++);
try { gc(); } catch(e) { print("Caught: " + e); }
try { __v_5 = debug.Debug; } catch(e) {"Caught: " + e; }
try {
  __v_5.setListener();
  function* g() { }
  function* f() { yield* g(); }
} catch(e) {; }

Filer: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jun 23 2016
Reduced repro has nothing to do with the debugger or generators.
// Flags: --turbo-escape
var o = {};
for (var i = 0; i < 1000000; i++);
try {
  o.f();
  function g() {}
  function f() { g(); }
} catch(e) {
}
In release mode we get a segfault. In debug mode we get:
#
# Fatal error in ../../../src/compiler/verifier.cc, line 1242
# Node #251:ChangeTaggedSignedToInt32 in B1 is not dominated by input@0 #184:LoadField
#
==== C stack trace ===============================
[...]
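The debug-mode verifier message above says that a node was placed in a basic block that is not dominated by the block producing its input, so it could run before its value exists. As an added JavaScript example (not V8 code), the following computes block dominators for a constructed three-block graph and reports that class of violation in the verifier's wording; the node ids 184 and 251 and block name B1 come from the message, while the graph shape and both schedules are constructed.

```javascript
// Iterative dominator computation. `preds` maps block -> [predecessor blocks];
// "B0" is the entry block. Returns block -> Set of blocks dominating it.
function computeDominators(preds, entry = "B0") {
  const blocks = Object.keys(preds);
  const dom = {};
  for (const b of blocks) dom[b] = new Set(blocks); // optimistic start
  dom[entry] = new Set([entry]);
  let changed = true;
  while (changed) {
    changed = false;
    for (const b of blocks) {
      if (b === entry) continue;
      // dom(b) = {b} union (intersection of dom(p) over predecessors p)
      let acc = null;
      for (const p of preds[b]) {
        acc = acc === null ? new Set(dom[p])
                           : new Set([...acc].filter(x => dom[p].has(x)));
      }
      const next = new Set(acc === null ? [] : acc);
      next.add(b);
      const same = next.size === dom[b].size && [...next].every(x => dom[b].has(x));
      if (!same) { dom[b] = next; changed = true; }
    }
  }
  return dom;
}

// `schedule` maps node id -> { block, inputs: [node ids] }. Every value input
// must be produced in a block that dominates the block of its use; each
// violation is reported in the same form as the V8 verifier message.
function checkScheduleDominance(schedule, preds) {
  const dom = computeDominators(preds);
  const errors = [];
  for (const [id, node] of Object.entries(schedule)) {
    node.inputs.forEach((inputId, i) => {
      const inputBlock = schedule[inputId].block;
      if (!dom[node.block].has(inputBlock)) {
        errors.push(`Node #${id} in ${node.block} is not dominated by input@${i} #${inputId}`);
      }
    });
  }
  return errors;
}

// Constructed CFG: B0 -> B1, B0 -> B2, B2 -> B1. B0 dominates B1; B2 does not.
const PREDS = { B0: [], B1: ["B0", "B2"], B2: ["B0"] };
// Bad: the LoadField (#184) is only produced on the B2 path but used in B1.
const BAD_SCHEDULE = { 184: { block: "B2", inputs: [] }, 251: { block: "B1", inputs: [184] } };
// Good: the same value is produced in the entry block, which dominates B1.
const GOOD_SCHEDULE = { 184: { block: "B0", inputs: [] }, 251: { block: "B1", inputs: [184] } };
```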
Jun 24 2016
Escape analysis.
Jun 27 2016
Jul 2 2016
ClusterFuzz has detected this issue as fixed in range 37394:37395.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5637121415315456

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::Map::instance_type
  v8::internal::Builtin_Impl_HandleApiCall
  v8::internal::Builtin_HandleApiCall
Regressed: V8: r36435:36436
Fixed: V8: r37394:37395

Minimized Testcase (0.26 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv949owl8xd96icC2jT8DaA00eQD2k2mp6gd3gA1nSQeGKXqxScd47jMALICdH7lIZxGkyIbx-mjvXzJMF_esQx8hN69wXn6lFbR-11m3e_PH9AgqE09UXU7-f_fFMZiSphSXxTvssJpSmJ1gSeDDGFVhJ0Q87Q?testcase_id=5637121415315456

var __v_5 = {};
for (var __v_0 = 0; __v_0 < 1000000; __v_0++);
try { gc(); } catch(e) { print("Caught: " + e); }
try { __v_5 = debug.Debug; } catch(e) {"Caught: " + e; }
try {
  __v_5.setListener();
  function* g() { }
  function* f() { yield* g(); }
} catch(e) {; }

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by rossberg@chromium.org, Jun 23 2016: Status: Assigned (was: Available)