Phi of kMachNone (None) cannot be changed to kRepTagged in representation-change
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5287459936272384

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Phi of kMachNone (None) cannot be changed to kRepTagged in representation-change

Regressed: V8: r37695:37708

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97JgzZKUrAvcQP7ALdZSyP8SqCkqRp9arnLf5CWva_bEySmP8Fd_uy1dqXQgnhWtAEn920ueNA58Op3B8HqeHmudcUrjmiJodaIdHLES_PRAZ5QKza0ia5Axe1eiCd7Vm0f-ZXIk_bi2dyyp6fFsqs4AqHWJA?testcase_id=5287459936272384

var __v_9 = {};
var __v_13 = 1073741824;
function __f_8() { }
function __f_10() { }
function __f_2() { }
__v_4 = [, __f_8, __f_10, __f_2];
for (var __v_1 = 0; __v_1 < __v_4.length; __v_1++) {
  gc();
}
try {
} catch(e) {; }
__v_13 = 10000;
(function __f_14() {
  __v_13 = __v_9;
  for (var __v_15 = __v_13; __v_15 > 0; __v_15 -= 2) {
    delete __v_14[__v_15];
  }
})()

Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 25 2016
Jul 26 2016
ClusterFuzz has detected this issue as fixed in range 37993:37995.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5287459936272384

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Phi of kMachNone (None) cannot be changed to kRepTagged in representation-change

Regressed: V8: r37695:37708
Fixed: V8: r37993:37995

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97JgzZKUrAvcQP7ALdZSyP8SqCkqRp9arnLf5CWva_bEySmP8Fd_uy1dqXQgnhWtAEn920ueNA58Op3B8HqeHmudcUrjmiJodaIdHLES_PRAZ5QKza0ia5Axe1eiCd7Vm0f-ZXIk_bi2dyyp6fFsqs4AqHWJA?testcase_id=5287459936272384

var __v_9 = {};
var __v_13 = 1073741824;
function __f_8() { }
function __f_10() { }
function __f_2() { }
__v_4 = [, __f_8, __f_10, __f_2];
for (var __v_1 = 0; __v_1 < __v_4.length; __v_1++) {
  gc();
}
try {
} catch(e) {; }
__v_13 = 10000;
(function __f_14() {
  __v_13 = __v_9;
  for (var __v_15 = __v_13; __v_15 > 0; __v_15 -= 2) {
    delete __v_14[__v_15];
  }
})()

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by bugdroid1@chromium.org, Jul 25 2016