
Issue 623901


Issue metadata

Status: Duplicate
Merged: issue 622663
Closed: Jun 2016
OS: Linux
Pri: 1
Type: Bug




Crash in v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::register_val

Reported by ClusterFuzz (Project Member), Jun 28 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5527890074796032

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000000
Crash State:
  v8::internal::interpreter::BytecodeRegisterOptimizer::RegisterInfo::register_val
  v8::internal::interpreter::BytecodeRegisterOptimizer::OutputRegisterTransfer
  v8::internal::interpreter::BytecodeRegisterOptimizer::Materialize
  
Regressed: V8: r33089:33090

Minimized Testcase (0.07 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97k_RmRTziLxsDxTUWM9e4sqPDEIKAeRHwRvQsLU7EJqKF4_0fET4NfgXHJwh--a7Qr7kvXqm6saqQbnQ-X9dZ7UdOpbqg4SZ-C7DyIDsq-Ezh3KQnKHqYQp6qT2DWKJglpJhXjEfy3CNbY65fw_iUt1gZiCA?testcase_id=5527890074796032
try {
(y = 1[ [...[]]]) => 1;
(y = 1[ [...[]]]) => {};
} catch(e) {; }


Filer: tkonchada

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: rmcilroy@chromium.org
Labels: findit-wrong Te-Logged M-53
Owner: oth@chromium.org
Status: Assigned (was: Available)
Through code search on bytecode-register-optimizer.cc, suspecting:

https://codereview.chromium.org/1997653002

Please reassign if this is not related to your change.

Comment 2 by oth@chromium.org, Jun 28 2016

This seems like a difference between lazy and no-lazy. It repros with:

d8 --no-lazy --allow-natives-syntax --ignition test.js

But it is fine without --no-lazy.
You might need to call the functions created by the arrow functions to trigger it without --no-lazy (since the functions won't be compiled until they are called).
Yup, crashes without --no-lazy if you call the functions. This is probably a dup of issue 622663.
Mergedinto: 622663
Status: Duplicate (was: Assigned)
Yup, this is a dup of issue 622663; the test case is the same. Nikolaos has a fix which should hopefully land soon.
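The lazy-compilation point made in the comments above (the arrow function bodies are not compiled, so the Ignition register optimizer never sees them, until they are first called) as an added example; this is not code from the issue or from V8. It is the minimized ClusterFuzz test case with both arrow functions bound to names and actually invoked, so the same bodies get compiled on the default lazy path that `--no-lazy` compiles eagerly. Run it with the `d8 --ignition` flags quoted in comment 2 on an affected build to get the crash without `--no-lazy`, as comment 4 reports; on a fixed build or any current engine it simply returns the values. The names `returnsOne`, `returnsNothing`, `exerciseRepro` and `defaultValue` are mine.

```javascript
// Added example (not from the original issue): the minimized ClusterFuzz
// test case, reworked so the two arrow functions are actually called.
// Under V8's default lazy compilation a function body is not compiled
// (and the Ignition bytecode register optimizer not run on it) until the
// first call, which is why the bare repro only crashed with --no-lazy.

// Same default-parameter expression as the ClusterFuzz test case:
//   1[ [...[]] ]  ->  1[ [] ]  ->  1[""]  ->  undefined
// so `y` ends up undefined when no argument is passed.
const returnsOne = (y = 1[ [...[]] ]) => 1;
const returnsNothing = (y = 1[ [...[]] ]) => {};

// Force compilation of both bodies by invoking them, once on the default
// parameter path and once with an explicit argument, so the lazy path
// covers the same code a --no-lazy run compiles eagerly.
function exerciseRepro() {
  const results = [];
  try {
    results.push(returnsOne());        // default parameter evaluated
    results.push(returnsOne(42));      // default skipped
    results.push(returnsNothing());
    results.push(returnsNothing(42));
  } catch (e) {
    // The original repro swallowed exceptions; record them instead so a
    // JS-level error cannot be mistaken for a clean run.
    results.push(`threw: ${e}`);
  }
  return results;
}

// The default expression on its own, to show what `y` receives.
function defaultValue(y = 1[ [...[]] ]) {
  return y;
}

// Stand-alone usage under node (d8 has no `require`, so this is skipped there).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(exerciseRepro());
}
```

Expected on a fixed build: `[1, 1, undefined, undefined]`. On a build between r33090 and r37334 the process aborts inside `BytecodeRegisterOptimizer::Materialize` during the first call instead.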
Comment 6 by ClusterFuzz (Project Member), Jun 29 2016

ClusterFuzz has detected this issue as fixed in range 37334:37335.

Regressed: V8: r33089:33090
Fixed: V8: r37334:37335

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Comment 7 by sheriffbot@chromium.org (Project Member), Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
