This is caused by the "arguments marker" being passed in as a context into Runtime::kNotifyDeoptimized for cases where the context of a topmost frame has been dematerialized by escape analysis. All of the deoptimizer is ready to handle such cases and doesn't rely on a concrete context being present when materializing object.

My plan is to unconditionally set the context register to Smi(0) in all the Builtins::kNotifyDeoptimized builtins. This way we make sure that the deoptimizer is always capable to work without a context and also satisfy the invariant checked while entering the runtime function.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/96164b74f1fa5a73a9632eaae9179813cd6a0a92

commit 96164b74f1fa5a73a9632eaae9179813cd6a0a92
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Sep 08 09:51:32 2016

[deoptimizer] Clear context before NotifyDeoptimized.

This clears the context register by setting it to Smi(0) before calling
the Runtime::kNotifyDeoptimized helper. The deoptimizer must be able to
materialize all heap objects without any context available. The context
itself might be dematerialized.

With this change we make sure that invariant is maintained even without
escape analysis kicking in. We also satisfy the check that the context
register is either Smi(0) or a valid context. It might have been the
special {arguments_marker} in this particular case.

R=bmeurer@chromium.org
BUG= chromium:644245 

Review-Url: https://codereview.chromium.org/2320673002
Cr-Commit-Position: refs/heads/master@{#39267}

[modify] https://crrev.com/96164b74f1fa5a73a9632eaae9179813cd6a0a92/src/deoptimizer.cc
[modify] https://crrev.com/96164b74f1fa5a73a9632eaae9179813cd6a0a92/src/runtime/runtime-compiler.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9984d6f689eb722363efa86f34522f2dc5e3bbc5

commit 9984d6f689eb722363efa86f34522f2dc5e3bbc5
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Sep 08 10:33:05 2016

[deoptimizer] Support materialization of ContextExtension.

This adds support to the deoptimizer to materialize ContextExtension
objects that have been de-materialized by escape analysis. This is
follow-up to the inline allocation of such objects during the create
lowering phase (i.e. JSCreateWithContext and JSCreateCatchContext).

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-644245
BUG= chromium:644245 

Review-Url: https://codereview.chromium.org/2317353003
Cr-Commit-Position: refs/heads/master@{#39270}

[modify] https://crrev.com/9984d6f689eb722363efa86f34522f2dc5e3bbc5/src/deoptimizer.cc
[add] https://crrev.com/9984d6f689eb722363efa86f34522f2dc5e3bbc5/test/mjsunit/regress/regress-crbug-644245.js

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/517a54286d4dd8c23dce0e19306c199a1930266c

commit 517a54286d4dd8c23dce0e19306c199a1930266c
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Sep 08 11:37:44 2016

[deoptimizer] Materialize JSArray objects without context.

This fixes the materialization of JSArray objects to not rely on a
context being available. The context has been cleared because it might
be de-materiallized itself.

R=bmeurer@chromium.org
BUG= chromium:644245 

Review-Url: https://codereview.chromium.org/2323713002
Cr-Commit-Position: refs/heads/master@{#39274}

[modify] https://crrev.com/517a54286d4dd8c23dce0e19306c199a1930266c/src/deoptimizer.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9d6872cdf1f32580de2375f19acbc9bde2b83ac9

commit 9d6872cdf1f32580de2375f19acbc9bde2b83ac9
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Sep 08 12:15:32 2016

[deoptimizer] Materialize JSFunction objects without context.

This fixes the materialization of JSFunction objects to not rely on a
context being available. The context has been cleared because it might
be de-materiallized itself.

R=bmeurer@chromium.org
TEST=mjsunit/compiler/escape-analysis-materialize
BUG= chromium:644245 

Review-Url: https://codereview.chromium.org/2320983002
Cr-Commit-Position: refs/heads/master@{#39277}

[modify] https://crrev.com/9d6872cdf1f32580de2375f19acbc9bde2b83ac9/src/deoptimizer.cc
[add] https://crrev.com/9d6872cdf1f32580de2375f19acbc9bde2b83ac9/test/mjsunit/compiler/escape-analysis-materialize.js

This is done.

ClusterFuzz has detected this issue as fixed in range 39264:39289.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6568306809241600

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  isolate->context() == nullptr || isolate->context()->IsContext() in runtime-comp
  
Regressed: V8: r37851:37885
Fixed: V8: r39264:39289

Minimized Testcase (0.14 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96vz7NcnYIvUWuFpnuloLG788bFgfuAE9UyEVBbaWgFBC6NZXgoPs3mMpievcBslpiPFT8ji7vryVbV2SG2ibt3KlYZme1fGzs4mvKiPAwdFXqOkAcCazhMq6B2uE4uSTexJJ-F89yfUytqBniR7VLx3CqKDQ?testcase_id=6568306809241600
var __v_9 = -2147483648;
(function __f_8() {
  var __v_8 = {
  }
})();
function __f_10() {
  try { f(); } catch(e) { __v_9 = true; }
}
__f_10();


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

 Issue 635856  has been merged into this issue.

 Issue 627452  has been merged into this issue.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot