RUNTIME_ASSERT in args[1]->IsJSObject() in runtime-classes.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358437932040192
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[1]->IsJSObject() in runtime-classes.cc
Regressed: V8: r34400:34401

Minimized Testcase (0.39 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94SEZ9icTnXlsoZaUe601UIVagB8mqgWOTp76EKdueDEZnRCjlgSkHqaes_jTUjHo8ddPR7UNNL-HqnZAdbcqNqLONsOxbgDhmBuOTXe86Y6FPTKqtYOSHET4DJKFGax6sPTtDqPaMC7RlNoCOUxjtamXKZ0A?testcase_id=6358437932040192

    var __v_1 = {};
    try {
      (function __f_0() {
        __f_3.prototype = { testGetterWithToString() { } };
        __f_3.prototype = { testSetter() { } };
        __f_3.prototype = { testSetter() { } };
      }());
    } catch(e) {; }
    function __f_26() { }
    (function __f_28() {
      function __f_3() {}
      __f_3.prototype = { mSloppy() { super[__v_1] = 15; } };
      new __f_3().mSloppy();
    })()

Filer: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/43aee0331d2ff6ce2f6089e879665b648f2fdd15

commit 43aee0331d2ff6ce2f6089e879665b648f2fdd15
Author: ishell <ishell@chromium.org>
Date: Mon Jul 04 11:41:17 2016

[fullcode][mips][mips64][ppc][s390] Avoid trashing of a home object when doing a keyed store to a super.

BUG= chromium:625590

Review-Url: https://codereview.chromium.org/2120963002
Cr-Commit-Position: refs/heads/master@{#37497}

[modify] https://crrev.com/43aee0331d2ff6ce2f6089e879665b648f2fdd15/src/full-codegen/mips/full-codegen-mips.cc
[modify] https://crrev.com/43aee0331d2ff6ce2f6089e879665b648f2fdd15/src/full-codegen/mips64/full-codegen-mips64.cc
[modify] https://crrev.com/43aee0331d2ff6ce2f6089e879665b648f2fdd15/src/full-codegen/ppc/full-codegen-ppc.cc
[modify] https://crrev.com/43aee0331d2ff6ce2f6089e879665b648f2fdd15/src/full-codegen/s390/full-codegen-s390.cc
[add] https://crrev.com/43aee0331d2ff6ce2f6089e879665b648f2fdd15/test/mjsunit/regress/regress-crbug-625590.js
Jul 5 2016
ClusterFuzz has detected this issue as fixed in range 37496:37497.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6358437932040192
Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_mipsel_dbg
Platform Id: linux
Crash Type: RUNTIME_ASSERT
Crash Address:
Crash State: args[1]->IsJSObject() in runtime-classes.cc
Regressed: V8: r34400:34401
Fixed: V8: r37496:37497

Minimized Testcase (0.39 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94SEZ9icTnXlsoZaUe601UIVagB8mqgWOTp76EKdueDEZnRCjlgSkHqaes_jTUjHo8ddPR7UNNL-HqnZAdbcqNqLONsOxbgDhmBuOTXe86Y6FPTKqtYOSHET4DJKFGax6sPTtDqPaMC7RlNoCOUxjtamXKZ0A?testcase_id=6358437932040192

    var __v_1 = {};
    try {
      (function __f_0() {
        __f_3.prototype = { testGetterWithToString() { } };
        __f_3.prototype = { testSetter() { } };
        __f_3.prototype = { testSetter() { } };
      }());
    } catch(e) {; }
    function __f_26() { }
    (function __f_28() {
      function __f_3() {}
      __f_3.prototype = { mSloppy() { super[__v_1] = 15; } };
      new __f_3().mSloppy();
    })()

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 6 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/5b823bfc6e40bc33b0037d8f478aae06167fb21f

commit 5b823bfc6e40bc33b0037d8f478aae06167fb21f
Author: bjaideep <bjaideep@ca.ibm.com>
Date: Wed Jul 06 17:57:06 2016

PPC: [fullcode][mips][mips64][ppc][s390] Avoid trashing of a home object when doing a keyed store to a super.

Port 43aee0331d2ff6ce2f6089e879665b648f2fdd15

Fixed minor typo in ppc file.

R=ishell@chromium.org, joransiu@ca.ibm.com, jyan@ca.ibm.com, michael_dawson@ca.ibm.com, mbrandy@us.ibm.com
BUG= chromium:625590
LOG=N

Review-Url: https://codereview.chromium.org/2125933002
Cr-Commit-Position: refs/heads/master@{#37562}

[modify] https://crrev.com/5b823bfc6e40bc33b0037d8f478aae06167fb21f/src/full-codegen/ppc/full-codegen-ppc.cc
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by ishell@chromium.org, Jul 4 2016
Status: Assigned (was: Available)