Unreachable code in escape-analysis.cc
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5129004072042496

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address:
Crash State:
  escape-analysis.cc

Regressed: V8: r38007:38008

Minimized Testcase (0.12 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94D3dgT4EQtnHHUdOanodwOjbAz4LyclI8oeDW-g_CRZqU36g7UqAvuxEyl7COQQGQGsJsHbBMKjmMkx9obw0A-aO25JqbXD3ugbBY6foc6f5yzmnTmYl87tpbDSwR1NeVpm29dZB7bigSugu2KFChMooiirA?testcase_id=5129004072042496

function __f_4() {
  with ({ value:"bared" }) {
    return value;
  }
}
__f_4();
%OptimizeFunctionOnNextCall(__f_4);
__f_4();

Filer: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 8 2016
Issue 635493 has been merged into this issue.
Aug 24 2016
Issue 640238 has been merged into this issue.
Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5275995416559616

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #12:TypedStateValues in B0 is not dominated by input@3 #2:HeapConstant in v

Minimized Testcase (0.16 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96liWRpOs0Zy7HHykS7dNei36_-ctLVljLMzz02f8lGo4TE6Lu01Ne26wIAtDSYdzgzcjS078xWT0ial6hTwArsl7ZJhO2_A-cHkY4eEuVTYW4cGUUSpN75BbS7TGtS6bv9MG5oVKDyJ7Mykoe-qCNrU0dwhw?testcase_id=5275995416559616

"use strict";
try { __v_4 = null; } catch(e) {; }
try {
  function* g() { }
  function* f() { yield* g(); }
} catch(e) {; }
for (let _ of f()) { }
function __f_5() { };

Issue manually filed by: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5591161744130048

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #11:TypedStateValues in B0 is not dominated by input@3 #2:HeapConstant in v

Minimized Testcase (0.17 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95RmRuRrauAtsPKkeVYxWglpgqEhJ05CebIhoL_yC8kWMCCD2F0yox_wjyCZHS_EwuO9ZTWZ54pmjA6hX7UD5FX-kg2sODLnRWQwTkpZQfjVkCXUkJCQ0zWhTS_LcWseNKs1F6tjCxwQiA2HEBXPLRzZBAayw?testcase_id=5591161744130048

function __f_2() { }
try {
  async function __f_4() { }
  async function __f_5() { await __f_4(); }
} catch(e) {; }
for (var __v_9 in __v_8) {; }
for (var __v_9 in __v_7) {; }

Issue manually filed by: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 24 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4596519611400192

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #8:TypedStateValues in B0 is not dominated by input@15 #3:HeapConstant in v

Regressed: V8: r38650:38651

Minimized Testcase (0.35 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97_MLMmTW7xovPH5JKSGVj13JGrI5VGbhUizAnA9ErpHv8puBaY0YZ2kaFLfD8TAu3xTFuJkEltr0RaiMIsR8mvq6ICDgerZDsisX2oOujioaocamlAeOw0Uc4Mpk-HIzhRZ1eP4rLrREvwwM3bsM7v0eVWqQ?testcase_id=4596519611400192

try {
  __v_14 = "Rebellious subjects, enemies to peace,\n\
 Once more, on pain of death, all men depart.\n"
  function __f_2() { }
} catch(e) {; }
try { assertEquals(6, __f_13(4,5,6)); } catch(e) {; }
try { __v_20 = 0; } catch(e) {; }
function __f_16() { }
try {
  async function __f_17() { }
  async function __f_18() { await __f_17(); }
} catch(e) {; }
__f_18

Issue manually filed by: jarin

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Aug 29 2016
ClusterFuzz testcase is verified as fixed, closing issue. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Sep 6 2016
Nope, still a thing. I have a fix in flight.
Sep 6 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6277052166832128

Fuzzer: mbarbella_js_mutation
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address:
Crash State:
  V8_Fatal
  v8::internal::compiler::EscapeStatusAnalysis::CheckUsesForEscape
  v8::internal::compiler::EscapeStatusAnalysis::Process

Regressed: https://cluster-fuzz.appspot.com/revisions?job=windows_asan_d8&range=413348:413350

Minimized Testcase (0.12 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95opJ2JYUHp7_4glnv9W2LWe60_TuafCAjseyXBHZv7oT_HH-K4d7ExUAV-p4QfMAsCKuUoJ5wRpTlmBYZvmK1Hm1b2SFxFQE_v655UPsVXC_Ll1rwdJF2fiwouBfI5_TXXf3ssp0Hqi2QzJ4bwU4KKrto1nQ?testcase_id=6277052166832128

function __f_2() {
  with ({ value:"bared" }) {
    return value;
  }
}
__f_2();
%OptimizeFunctionOnNextCall(__f_2);
__f_2();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 6 2016
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/553d5049235d0ecef07ddc29661501cc670cccd8

commit 553d5049235d0ecef07ddc29661501cc670cccd8
Author: mstarzinger <mstarzinger@chromium.org>
Date: Tue Sep 06 11:58:42 2016

[turbofan] Handle ObjectIsReceiver in escape analysis.

This adds handling of {IrOpcode::kObjectIsReceiver} nodes to the escape status analysis. Such uses are treated as escaping for now until we add dedicated handling to the escape analysis reducer.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-631027
BUG=chromium:631027

Review-Url: https://codereview.chromium.org/2317623003
Cr-Commit-Position: refs/heads/master@{#39205}

[modify] https://crrev.com/553d5049235d0ecef07ddc29661501cc670cccd8/src/compiler/escape-analysis.cc
[add] https://crrev.com/553d5049235d0ecef07ddc29661501cc670cccd8/test/mjsunit/regress/regress-crbug-631027.js
Sep 6 2016
ClusterFuzz has detected this issue as fixed in range 39204:39205.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5129004072042496

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Unreachable code
Crash Address:
Crash State:
  escape-analysis.cc

Regressed: V8: r38007:38008
Fixed: V8: r39204:39205

Minimized Testcase (0.12 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv94D3dgT4EQtnHHUdOanodwOjbAz4LyclI8oeDW-g_CRZqU36g7UqAvuxEyl7COQQGQGsJsHbBMKjmMkx9obw0A-aO25JqbXD3ugbBY6foc6f5yzmnTmYl87tpbDSwR1NeVpm29dZB7bigSugu2KFChMooiirA?testcase_id=5129004072042496

function __f_4() {
  with ({ value:"bared" }) {
    return value;
  }
}
__f_4();
%OptimizeFunctionOnNextCall(__f_4);
__f_4();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 7 2016
The problem in the original post is fixed. Other problems that have been added later on might be unrelated, tracking them separately.
Sep 8 2016
ClusterFuzz has detected this issue as fixed in range 39247:39248.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4596519611400192

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #8:TypedStateValues in B0 is not dominated by input@15 #3:HeapConstant in v

Regressed: V8: r38650:38651
Fixed: V8: r39247:39248

Minimized Testcase (0.35 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv97_MLMmTW7xovPH5JKSGVj13JGrI5VGbhUizAnA9ErpHv8puBaY0YZ2kaFLfD8TAu3xTFuJkEltr0RaiMIsR8mvq6ICDgerZDsisX2oOujioaocamlAeOw0Uc4Mpk-HIzhRZ1eP4rLrREvwwM3bsM7v0eVWqQ?testcase_id=4596519611400192

try {
  __v_14 = "Rebellious subjects, enemies to peace,\n\
 Once more, on pain of death, all men depart.\n"
  function __f_2() { }
} catch(e) {; }
try { assertEquals(6, __f_13(4,5,6)); } catch(e) {; }
try { __v_20 = 0; } catch(e) {; }
function __f_16() { }
try {
  async function __f_17() { }
  async function __f_18() { await __f_17(); }
} catch(e) {; }
__f_18

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 39610:39622.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5275995416559616

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #12:TypedStateValues in B0 is not dominated by input@3 #2:HeapConstant in v

Fixed: V8: r39610:39622

Minimized Testcase (0.16 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv96liWRpOs0Zy7HHykS7dNei36_-ctLVljLMzz02f8lGo4TE6Lu01Ne26wIAtDSYdzgzcjS078xWT0ial6hTwArsl7ZJhO2_A-cHkY4eEuVTYW4cGUUSpN75BbS7TGtS6bv9MG5oVKDyJ7Mykoe-qCNrU0dwhw?testcase_id=5275995416559616

"use strict";
try { __v_4 = null; } catch(e) {; }
try {
  function* g() { }
  function* f() { yield* g(); }
} catch(e) {; }
for (let _ of f()) { }
function __f_5() { };

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Sep 23 2016
ClusterFuzz has detected this issue as fixed in range 39610:39622.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5591161744130048

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Node #11:TypedStateValues in B0 is not dominated by input@3 #2:HeapConstant in v

Fixed: V8: r39610:39622

Minimized Testcase (0.17 Kb): Download: https://cluster-fuzz.appspot.com/download/AMIfv95RmRuRrauAtsPKkeVYxWglpgqEhJ05CebIhoL_yC8kWMCCD2F0yox_wjyCZHS_EwuO9ZTWZ54pmjA6hX7UD5FX-kg2sODLnRWQwTkpZQfjVkCXUkJCQ0zWhTS_LcWseNKs1F6tjCxwQiA2HEBXPLRzZBAayw?testcase_id=5591161744130048

function __f_2() { }
try {
  async function __f_4() { }
  async function __f_5() { await __f_4(); }
} catch(e) {; }
for (var __v_9 in __v_8) {; }
for (var __v_9 in __v_7) {; }

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 18 2017
We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.
Comment 1 by mstarzinger@chromium.org, Jul 25 2016
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)