Issue 627934

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , All
Pri: 1
Type: Bug




args[1]->IsString() in runtime-strings.cc

Project Member Reported by ClusterFuzz, Jul 13 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4776177801887744

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  args[1]->IsString() in runtime-strings.cc
  

Minimized Testcase (7.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97i5piEOWqyLEYooA7tZFOrgzbkDYwZxtmvFiDAonxa9poYDjJgaM4Xnd4mTF1JtkWtkW4yNsTIQLz3FGJoqFZpJz69rzo9j9LE8hkBPUrnoiblnuHHIKxqaNw2tuy39xBfKh2SWtvghHq5AyY1NPYfuYUXsg?testcase_id=4776177801887744

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Most likely related to issue v8:5200 as well.
Simplified repro ...

var x = Array(100000);          // converts to a string of 99999 commas on every use
function f(a) {
  var sum = 0;
  var outer = 100;
  while (outer > 0) {
    var inner = 100000;
    while (inner > 0) {
      sum += x;                 // string grows by ~100000 chars per iteration until the length limit is hit
      inner--;
    }
    outer--;
  }
  return a[x];                  // not reached in the failing run
}
f(1);
Cc: bmeu...@chromium.org danno@chromium.org
This is the Hydrogen StringAddStub failing (via a deopt) and then delegating to the Runtime_StringAdd method, which assumes both inputs have already been converted. But the stub failure passes original arguments. The following is an even simpler repro ...

function f() {
  var x = Array(100000);        // ToString of x is 99999 commas
  var sum = 0;
  var inner = 100000;
  while (inner > 0) {
    sum += x;                   // repeated concatenation overflows the maximum string length
    inner--;
  }
}
f();

And this is the stub failure in question ...

[deoptimizing (DEOPT lazy): begin STUB (opt #-1) @4, FP to SP delta: 32, caller sp: 0x7ffcd2e6cf98]
  reading compiler stub frame => height=3; inputs:
      0: 0x20beb537ed99 ; rbx 0x20beb537ed99 <Very long string[268397317]>
      1: 0x3fe1e41d3a59 ; [fp - 24] 0x3fe1e41d3a59 <JS Array[100000]>
      2: 0x3fe1e41a6e39 ; [fp - 32] 0x3fe1e41a6e39 <FixedArray[180]>
  translating StringAddStub => StubFailureTrampolineStub, height=16
    0x7ffcd2e6cf90: [top + 56] <- 0x39452f8747bf ;  caller's pc
    0x7ffcd2e6cf88: [top + 48] <- 0x7ffcd2e6cfb8 ;  caller's fp
    0x7ffcd2e6cf80: [top + 40] <- 0xb00000000 ;  function (stub failure sentinel)
    0x7ffcd2e6cf78: [top + 32] <- 0x7ffcd2e6cf90 ;  args.arguments
    0x7ffcd2e6cf70: [top + 24] <- 0x00000000 ;  args.length
    0x7ffcd2e6cf68: [top + 16] <- 0x7ffcd2e6cf70 ;  args*
    0x7ffcd2e6cf60: [top + 8] <- 0x20beb537ed99 ;  0x20beb537ed99 <Very long string[268397317]>  (input #0)
    0x7ffcd2e6cf58: [top + 0] <- 0x3fe1e41d3a59 ;  0x3fe1e41d3a59 <JS Array[100000]>  (input #1)
[deoptimizing (lazy): end STUB @4 => node=6, pc=0x39452f830520, caller sp=0x7ffcd2e6cf98, state=NO_REGISTERS, took 0.212 ms]

Labels: OS-All
Owner: bmeu...@chromium.org
Even simpler repro:

var x = "1".repeat(32 * 1024 * 1024);   // 32 MiB string
// Each iteration appends a non-string operand whose toString yields x; after a few
// iterations the result would exceed the string length limit and the stub bails out.
for (var z = x;;) z += {toString: function() { return x; }};
Status: Started (was: Available)
Issue v8:5200 has been merged into this issue.
Project Member

Comment 7 by bugdroid1@chromium.org, Jul 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/6530a16eb5b7ccfd4cbcda105035f2c4c27295db

commit 6530a16eb5b7ccfd4cbcda105035f2c4c27295db
Author: bmeurer <bmeurer@chromium.org>
Date: Thu Jul 14 11:44:53 2016

[stubs] Properly handle length overflow in StringAddStub.

Using the Hydrogen code stub bailout mechanism is not correct for the
string length overflow check in the StringAddStub. Instead make sure we
just throw the proper exception.

R=mstarzinger@chromium.org
BUG=chromium:627934

Review-Url: https://codereview.chromium.org/2146353002
Cr-Commit-Position: refs/heads/master@{#37758}

[modify] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/src/crankshaft/hydrogen.cc
[modify] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/src/runtime/runtime-internal.cc
[modify] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/src/runtime/runtime.h
[add] https://crrev.com/6530a16eb5b7ccfd4cbcda105035f2c4c27295db/test/mjsunit/regress/regress-crbug-627934.js
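
As an added illustration (not V8's code, and not posted by anyone on this thread), the following JavaScript models the contract mismatch described earlier in the thread, where the StringAddStub bails out on a length overflow and the bailout forwards the original, unconverted operands to Runtime_StringAdd, which requires strings, and the ordering the fix commit adopts, where the overflow case throws the proper exception instead. The function names, MAX_STRING_LENGTH, and the sample inputs are constructed for the example; the real limit, stub and runtime function are far more involved.

```javascript
// Added model, not V8 code: a tiny reimplementation of the fast-path / slow-path
// split between StringAddStub and Runtime_StringAdd, to show why a bailout that
// forwards the original operands violates the runtime's precondition.
// All names and constants below are constructed for illustration.

// Stand-in for String::kMaxLength; kept tiny so the overflow path is easy to hit.
const MAX_STRING_LENGTH = 1024;

// Model of Runtime_StringAdd: the slow path requires both operands to already be
// strings (the real one asserts this with CHECK(args[1]->IsString()) in
// runtime-strings.cc, which aborts a debug build).
function runtimeStringAdd(a, b) {
  if (typeof a !== "string" || typeof b !== "string") {
    throw new Error("CHECK failure: args[1]->IsString()");
  }
  return a + b;
}

// Model of the stub's own conversion of an operand (ToPrimitive + ToString).
function stubToString(v) {
  return typeof v === "string" ? v : String(v);
}

// Ordering before the fix: convert, detect overflow, then bail out to the
// runtime with the *original* operands, the mismatch noted in the thread.
function stringAddBeforeFix(left, right) {
  const l = stubToString(left);
  const r = stubToString(right);
  if (l.length + r.length > MAX_STRING_LENGTH) {
    return runtimeStringAdd(left, right); // precondition broken when right is not a string
  }
  return l + r;
}

// Ordering after the fix, as the commit message describes: on overflow, throw
// the proper JavaScript exception instead of using the bailout mechanism.
function stringAddAfterFix(left, right) {
  const l = stubToString(left);
  const r = stubToString(right);
  if (l.length + r.length > MAX_STRING_LENGTH) {
    throw new RangeError("Invalid string length");
  }
  return l + r;
}

// Drive either implementation with the shape of the thread's shortest repro:
// keep appending an object whose toString yields a long string until something
// throws. Returns what a caller observes: "RangeError" (a catchable JS error),
// "CHECK" (the engine-internal assertion the bug reached), or the final length.
function runRepro(stringAdd) {
  const x = "1".repeat(MAX_STRING_LENGTH / 8); // constructed: 128 chars per append
  const chunk = { toString: function () { return x; } };
  let z = x;
  try {
    for (let i = 0; i < 1000; i++) {
      z = stringAdd(z, chunk);
    }
    return z.length;
  } catch (e) {
    if (e instanceof RangeError) return "RangeError";
    if (e.message.startsWith("CHECK failure")) return "CHECK";
    throw e;
  }
}

// Well-formed, in-limit inputs behave identically in both orderings.
function smallCase(stringAdd) {
  return stringAdd("abc", { toString: function () { return "def"; } });
}

// Run stand-alone: node this_file.js
console.log("before fix:", runRepro(stringAddBeforeFix)); // CHECK
console.log("after fix: ", runRepro(stringAddAfterFix));  // RangeError
```

The point the model makes is that the overflow itself is harmless JavaScript behaviour (a RangeError the script can catch); the bug is that the bailout path changed the type of the argument the runtime received, turning a user-visible exception into an engine-level assertion failure, which is why ClusterFuzz classified it as a CHECK failure rather than an uncaught exception.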

Project Member

Comment 8 by ClusterFuzz, Jul 14 2016

ClusterFuzz has detected this issue as fixed in range 37757:37758.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4776177801887744

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_ignition_v8_arm_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  args[1]->IsString() in runtime-strings.cc
  
Regressed: V8: r37703:37704
Fixed: V8: r37757:37758

Minimized Testcase (7.81 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97i5piEOWqyLEYooA7tZFOrgzbkDYwZxtmvFiDAonxa9poYDjJgaM4Xnd4mTF1JtkWtkW4yNsTIQLz3FGJoqFZpJz69rzo9j9LE8hkBPUrnoiblnuHHIKxqaNw2tuy39xBfKh2SWtvghHq5AyY1NPYfuYUXsg?testcase_id=4776177801887744

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Status: Fixed (was: Started)
Project Member

Comment 10 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
