Crash in v8::internal::compiler::AddInputsToFrameStateDescriptor
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4880218720567296

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000068
Crash State:
  v8::internal::compiler::AddInputsToFrameStateDescriptor
  v8::internal::compiler::InstructionSelector::InitializeCallBuffer
  v8::internal::compiler::InstructionSelector::VisitCall
Regressed: V8: r37752:37779

Minimized Testcase (10.90 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95cjXMFWsM83MYmR_sOqgXgLktN6300hpz9pn72r5bOqIDU13z3Y4DXxpvbI1H4L6OXTOX49O0fvWOk5LlSUzLtJNKUh5L33pex2ilzGlaeue4zS4YgeUWlDY2c0aoNRU3ylfqYW_riUObutVu6Zi3tQV2F_g?testcase_id=4880218720567296

Filer: mmohammad

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 18 2016
Sigurd was our intern, he is not with Google ATM. Also this looks unrelated to escape analysis.
Jul 18 2016
Jul 18 2016
Bisects to:

commit 7a61bbcfd8b1bee2617b32e23a6bbf63cfbc00b3
Author: jarin <jarin@chromium.org>
Date:   Thu Jul 14 07:59:44 2016 -0700

    [turbofan] Introduce explicit loop exits markers.

    This CL introduces explicit LoopExit control nodes at loop exits. We also
    attach explicit value renames (LoopExitMarker) and effect rename
    (LoopExitEffect) to each loop exit.

    This is in preparation to loop peeling, which will replace LoopExit,
    LoopExitMarker and LoopExitEffect with Merge, Phi and EffectPhi
    respectively.

    At the moment, we insert loop exit at every return, break, continue and
    locally caught throw. We do not yet handle uncaught throws (including
    error throws, such as ReferenceError).

    Review-Url: https://codereview.chromium.org/2140673007
    Cr-Commit-Position: refs/heads/master@{#37769}
Jul 18 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/86110796f6de0013e5ab42509c4e6f72abf38e76

commit 86110796f6de0013e5ab42509c4e6f72abf38e76
Author: jarin <jarin@chromium.org>
Date:   Mon Jul 18 11:55:34 2016

    [turbofan] Eliminate checkpoints before return in common op reducer.

    This makes sure that we preserve call's tailness even if we have
    introduced a loop exit between the call and the return.

    BUG= chromium:628773

    Review-Url: https://codereview.chromium.org/2155123002
    Cr-Commit-Position: refs/heads/master@{#37832}

[modify] https://crrev.com/86110796f6de0013e5ab42509c4e6f72abf38e76/src/compiler/checkpoint-elimination.cc
[modify] https://crrev.com/86110796f6de0013e5ab42509c4e6f72abf38e76/src/compiler/checkpoint-elimination.h
[modify] https://crrev.com/86110796f6de0013e5ab42509c4e6f72abf38e76/src/compiler/common-operator-reducer.cc
[add] https://crrev.com/86110796f6de0013e5ab42509c4e6f72abf38e76/test/mjsunit/compiler/regress-628773.js
Jul 19 2016
ClusterFuzz has detected this issue as fixed in range 37813:37833.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4880218720567296

Fuzzer: decoder_langfuzz
Job Type: linux_asan_chrome_v8_d8
Platform Id: linux
Crash Type: UNKNOWN READ
Crash Address: 0x000000000068
Crash State:
  v8::internal::compiler::AddInputsToFrameStateDescriptor
  v8::internal::compiler::InstructionSelector::InitializeCallBuffer
  v8::internal::compiler::InstructionSelector::VisitCall
Regressed: V8: r37752:37779
Fixed: V8: r37813:37833

Minimized Testcase (10.90 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95cjXMFWsM83MYmR_sOqgXgLktN6300hpz9pn72r5bOqIDU13z3Y4DXxpvbI1H4L6OXTOX49O0fvWOk5LlSUzLtJNKUh5L33pex2ilzGlaeue4zS4YgeUWlDY2c0aoNRU3ylfqYW_riUObutVu6Zi3tQV2F_g?testcase_id=4880218720567296

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jul 19 2016
Jul 26 2016
Issue 631370 has been merged into this issue.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by mmohammad@chromium.org, Jul 15 2016

Status: Assigned (was: Available)