Unreachable code in verifier.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5867198673584128

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: Unreachable code
Crash Address:
Crash State:
  verifier.cc

Regressed: V8: r37920:37947

Minimized Testcase (0.34 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95TpV_Dqg0BxunKKhAMf-gJYg-hKMbgRrDtOkUf-EtX_5164rkIBqdZCoLKWih0xR1568CxzQrPc2lpIzvD5m-HN_NFf6f7TaI_WM8G5V95ilwE1gJABpzBDFpysy-7G8ToSjqfvUmcWt3eTBSArU3Xo5A2WQ?testcase_id=5867198673584128

  (function __f_0() { })();
  function __f_2(stdlib, foreign, buffer) {
    "use asm";
    var __v_3 = new stdlib.Int32Array(buffer);
    function __f_4() {
      var __v_4 = __v_3[i1 >> 2] | 0;
      var __v_2 = (__v_3[0] | 1) / -1073741824 | 2;
      __f_3(__v_2);
    }
    return {__f_4: __f_4};
  }
  var __f_4 = __f_2(this, {},64 * 1024).__f_4;
  __f_4();

Filer: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Jul 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/5bed1516c8218b2607cbbe9e1f96c8f83376da41

commit 5bed1516c8218b2607cbbe9e1f96c8f83376da41
Author: bmeurer <bmeurer@chromium.org>
Date: Mon Jul 25 10:37:25 2016

[turbofan] Avoid introducing machine operators during typed lowering.

Introducing machine operators early causes trouble for the typing, truncation analysis and representation selection, so we should rather stick to simplified operators instead. Now there's only the for-in case left, which is not clear how we can handle this in a better way.

Drive-by-fix: Also don't introduce Int32Constant and Word32Shl in JSTypedLowering, but use NumberConstant and proper NumberShiftLeft operators instead.

R=jarin@chromium.org
BUG=chromium:630951

Review-Url: https://codereview.chromium.org/2182453002
Cr-Commit-Position: refs/heads/master@{#38008}

[modify] https://crrev.com/5bed1516c8218b2607cbbe9e1f96c8f83376da41/src/compiler/js-intrinsic-lowering.cc
[modify] https://crrev.com/5bed1516c8218b2607cbbe9e1f96c8f83376da41/src/compiler/js-intrinsic-lowering.h
[modify] https://crrev.com/5bed1516c8218b2607cbbe9e1f96c8f83376da41/src/compiler/js-typed-lowering.cc
[modify] https://crrev.com/5bed1516c8218b2607cbbe9e1f96c8f83376da41/src/compiler/js-typed-lowering.h
[add] https://crrev.com/5bed1516c8218b2607cbbe9e1f96c8f83376da41/test/mjsunit/regress/regress-crbug-630951.js
[modify] https://crrev.com/5bed1516c8218b2607cbbe9e1f96c8f83376da41/test/unittests/compiler/js-intrinsic-lowering-unittest.cc
[modify] https://crrev.com/5bed1516c8218b2607cbbe9e1f96c8f83376da41/test/unittests/compiler/js-typed-lowering-unittest.cc
Jul 26 2016
ClusterFuzz has detected this issue as fixed in range 37995:38020.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5867198673584128

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: Unreachable code
Crash Address:
Crash State:
  verifier.cc

Regressed: V8: r37920:37947
Fixed: V8: r37995:38020

Minimized Testcase (0.34 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95TpV_Dqg0BxunKKhAMf-gJYg-hKMbgRrDtOkUf-EtX_5164rkIBqdZCoLKWih0xR1568CxzQrPc2lpIzvD5m-HN_NFf6f7TaI_WM8G5V95ilwE1gJABpzBDFpysy-7G8ToSjqfvUmcWt3eTBSArU3Xo5A2WQ?testcase_id=5867198673584128

  (function __f_0() { })();
  function __f_2(stdlib, foreign, buffer) {
    "use asm";
    var __v_3 = new stdlib.Int32Array(buffer);
    function __f_4() {
      var __v_4 = __v_3[i1 >> 2] | 0;
      var __v_2 = (__v_3[0] | 1) / -1073741824 | 2;
      __f_3(__v_2);
    }
    return {__f_4: __f_4};
  }
  var __f_4 = __f_2(this, {},64 * 1024).__f_4;
  __f_4();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by jarin@chromium.org, Jul 25 2016
Status: Assigned (was: Untriaged)