I was able to reproduce this locally. Looks like a regression.

I suspect tail-calls in interaction with other features. Reproduces with the following ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --es-staging --ignition-staging --turbo --always-opt

"use strict";
(() => (function() {
  return (async () => { return JSON.stringify() })();
})())();

This is actually the first time we are optimizing a generator. It seems that the tail-call optimization doesn't work well with async/generator functions. I'm not even sure if the call here syntactically is in tail-call position or not. Georg, do you have some insight into this? Further simplified repro ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --es-staging --ignition-staging --turbo

"use strict";

var g = (async () => { return JSON.stringify() });

g();
g();
%OptimizeFunctionOnNextCall(g);
g();

Should this even end up getting optimized right now? We still have DisableOptimization(kGenerator) in AstNumberingVisitor::Renumber(), shouldn't that disable it for now. 

(Side-discussion, we should probably enable TurboFan optimization for generators when --turbo-from-bytecode is set once we have fixed this issue)

Re #5: Both --always-opt as well as %OptimizeFunctionOnNextCall override the heuristics in AstNumberingVisitor. That is working as intended.

Here's a repro using ordinary generators:

out/Debug/d8 --allow-natives-syntax --es-staging --ignition-staging --turbo -e '"use strict"; function* g() {return print(42)}; %OptimizeFunctionOnNextCall(g); g()'

As to your question, no, I have no insight here and I'm not familiar with tail calls.  FWIW, here's a repro using explicit tail calls:


d8 --allow-natives-syntax --harmony-explicit-tailcalls --ignition-staging --turbo -e '"use strict"; function* g() {return continue print(42)}; %OptimizeFunctionOnNextCall(g); g()'

Had a look at the spec: calls inside generator functions are never in tail position.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5af4cd984067f4e316aea04ef381a00724b5a8bf

commit 5af4cd984067f4e316aea04ef381a00724b5a8bf
Author: littledan <littledan@chromium.org>
Date: Mon Aug 29 18:31:12 2016

Disallow tail calls from async functions and generators

Tail calls don't make sense from async functions and generators, as
each activation of these functions needs to make a new, distnict,
non-reused generator object. These tail calls are not required per
spec. This patch disables both syntactic and implicit tail calls
in async functions and generators.

R=neis
BUG= v8:5301 , chromium:639270 

Review-Url: https://codereview.chromium.org/2278413003
Cr-Commit-Position: refs/heads/master@{#38986}

[modify] https://crrev.com/5af4cd984067f4e316aea04ef381a00724b5a8bf/src/parsing/parser-base.h
[modify] https://crrev.com/5af4cd984067f4e316aea04ef381a00724b5a8bf/src/parsing/parser.cc
[add] https://crrev.com/5af4cd984067f4e316aea04ef381a00724b5a8bf/test/message/syntactic-tail-call-generator.js
[add] https://crrev.com/5af4cd984067f4e316aea04ef381a00724b5a8bf/test/message/syntactic-tail-call-generator.out
[modify] https://crrev.com/5af4cd984067f4e316aea04ef381a00724b5a8bf/test/mjsunit/es8/syntactic-tail-call-parsing.js
[add] https://crrev.com/5af4cd984067f4e316aea04ef381a00724b5a8bf/test/mjsunit/regress/regress-639270.js

ClusterFuzz has detected this issue as fixed in range 38985:38986.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6464175503310848

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  IrOpcode::kFrameState == state->op()->opcode() in instruction-selector.cc
  
Regressed: V8: r38039:38040
Fixed: V8: r38985:38986

Minimized Testcase (0.28 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv94w_OeEB_C4NAlG_WERUe3vaH80d36-XJgQJTefugHhPWlys_tqzN9EUCVRTNtbKRK8gfStlh1wKKgiDjUtmcUeJzfIQwi53twKXPxX2Nz9Bs3HvUNdZAu-jxXIxjLMzUMGYspDkNBgw8Fu8EH2MH8aaRqdQQ?testcase_id=6464175503310848
"use strict";
try {
__v_9 = {
                  Script: 6};
__v_0 = ( {
})();
__v_1 = (function() {
})();
} catch(e) {; }
function __f_5(expected, run) {
  var __v_8 = run();
};
__f_5("[1,2,3]", () => (function() {
      return (async () => { return JSON.stringify() })();
      })());


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/51c8996ee36aaee5f5fee04b0747ea27194937b7

commit 51c8996ee36aaee5f5fee04b0747ea27194937b7
Author: Dan Ehrenberg <littledan@chromium.org>
Date: Tue Sep 06 21:46:52 2016

Merged: Disallow tail calls from async functions and generators

Revision: 5af4cd984067f4e316aea04ef381a00724b5a8bf

BUG= chromium:639270 , v8:5301 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org, adamk

Review URL: https://codereview.chromium.org/2313723007 .

Cr-Commit-Position: refs/branch-heads/5.4@{#25}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/51c8996ee36aaee5f5fee04b0747ea27194937b7/src/parsing/parser-base.h
[modify] https://crrev.com/51c8996ee36aaee5f5fee04b0747ea27194937b7/src/parsing/parser.cc
[modify] https://crrev.com/51c8996ee36aaee5f5fee04b0747ea27194937b7/test/mjsunit/es8/syntactic-tail-call-parsing.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f8940303742321f0f9ebf56cc4bca7aed2e48083

commit f8940303742321f0f9ebf56cc4bca7aed2e48083
Author: littledan <littledan@chromium.org>
Date: Tue Sep 06 22:07:07 2016

Revert of Merged: Disallow tail calls from async functions and generators (patchset #3 id:40001 of https://codereview.chromium.org/2313723007/ )

Reason for revert:
Mistaken revert to the wrong base

Original issue's description:
> Merged: Disallow tail calls from async functions and generators
>
> Revision: 5af4cd984067f4e316aea04ef381a00724b5a8bf
>
> BUG= chromium:639270 , v8:5301 
> LOG=N
> NOTRY=true
> NOPRESUBMIT=true
> NOTREECHECKS=true
> R=adamk@chromium.org, adamk
>
> Committed: https://chromium.googlesource.com/v8/v8/+/51c8996ee36aaee5f5fee04b0747ea27194937b7

TBR=adamk@chromium.org
# Skipping CQ checks because original CL landed less than 1 days ago.
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG= chromium:639270 , v8:5301 

Review-Url: https://codereview.chromium.org/2317873002
Cr-Commit-Position: refs/branch-heads/5.4@{#27}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/f8940303742321f0f9ebf56cc4bca7aed2e48083/src/parsing/parser-base.h
[modify] https://crrev.com/f8940303742321f0f9ebf56cc4bca7aed2e48083/src/parsing/parser.cc
[modify] https://crrev.com/f8940303742321f0f9ebf56cc4bca7aed2e48083/test/mjsunit/es8/syntactic-tail-call-parsing.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9aab328d23e2f78c3dc5ccd2b84e8e9a9898c445

commit 9aab328d23e2f78c3dc5ccd2b84e8e9a9898c445
Author: Dan Ehrenberg <littledan@chromium.org>
Date: Tue Sep 06 22:14:18 2016

Merged: Disallow tail calls from async functions and generators

Revision: 5af4cd984067f4e316aea04ef381a00724b5a8bf

BUG= chromium:639270 , v8:5301 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org, adamk

Review URL: https://codereview.chromium.org/2315043002 .

Cr-Commit-Position: refs/branch-heads/5.3@{#65}
Cr-Branched-From: 820a23aade5e74a92d794e05a0c2b3597f0da4b5-refs/heads/5.3.332@{#2}
Cr-Branched-From: 37538cb2c1b4d75c41af386cb4fedbe5566f5608-refs/heads/master@{#37308}

[modify] https://crrev.com/9aab328d23e2f78c3dc5ccd2b84e8e9a9898c445/src/parsing/parser-base.h
[modify] https://crrev.com/9aab328d23e2f78c3dc5ccd2b84e8e9a9898c445/src/parsing/parser.cc
[modify] https://crrev.com/9aab328d23e2f78c3dc5ccd2b84e8e9a9898c445/test/mjsunit/es8/syntactic-tail-call-parsing.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/fcb0004e2375cc7a449b9936737b6d6c18bc8f30

commit fcb0004e2375cc7a449b9936737b6d6c18bc8f30
Author: Dan Ehrenberg <littledan@chromium.org>
Date: Tue Sep 06 22:28:21 2016

Merged: Disallow tail calls from async functions and generators

Revision: 5af4cd984067f4e316aea04ef381a00724b5a8bf

BUG= chromium:639270 , v8:5301 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=adamk@chromium.org, adamk

Review URL: https://codereview.chromium.org/2316623004 .

Cr-Commit-Position: refs/branch-heads/5.4@{#29}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/fcb0004e2375cc7a449b9936737b6d6c18bc8f30/src/parsing/parser-base.h
[modify] https://crrev.com/fcb0004e2375cc7a449b9936737b6d6c18bc8f30/src/parsing/parser.cc
[modify] https://crrev.com/fcb0004e2375cc7a449b9936737b6d6c18bc8f30/test/mjsunit/es8/syntactic-tail-call-parsing.js
[add] https://crrev.com/fcb0004e2375cc7a449b9936737b6d6c18bc8f30/test/mjsunit/regress/regress-639270.js

Tracking Node.js backport status through v8:5301.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot