map->is_stable() in compilation-dependencies.cc

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6629940500103168
Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: map->is_stable() in compilation-dependencies.cc
Regressed: V8: r38599:38625

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97PDddPm6nbQH4f--t8ymbHpIpz-eDgM0BPZ2ok2_7G2d1d3pt-8-sZHdbszO95R-G1b5c-h44e2t-GukgXMcUkrlQhXQvDKfb_DdxQ0CXSreaKClFxCTnQOMYY28kyIDgFRx1_as65eIX0xijKhHw_oYbB8A?testcase_id=6629940500103168

function quit() {}
quit();
for (var __v_1 = 0; __v_1 < 10*1000; __v_1++) {
  Object.prototype['generatedProperty'+__v_1] = true;
}
__v_2 = [];
for (var __v_4 = 0; __v_4 < 30000; __v_4++) {
  __v_2.push(__v_4);
}

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 7 2016
Nope, scratch that, doesn't even require Ignition. Reproduces with normal OSR from FullCodegen code as well.
Sep 7 2016
Simplified repro ...
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
  %OptimizeObjectForAddingMultipleProperties(Object.prototype, 10000);
  var array = [];
  for (var j = 0; j < 10; j++) {
    if (j == 5) %OptimizeOsr();
    array.push(j);
  }
}
f();
Sep 7 2016
Not even OSR required ...
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
%OptimizeObjectForAddingMultipleProperties(Object.prototype, 10000);
function f() { [].push(23) }
f();
f();
%OptimizeFunctionOnNextCall(f);
f();
Sep 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/4ed27fc836acfc3218a5e4ce6d878a513e9df788

commit 4ed27fc836acfc3218a5e4ce6d878a513e9df788
Author: bmeurer <bmeurer@chromium.org>
Date: Thu Sep 08 08:48:17 2016

[turbofan] Ensure that all prototypes are stable for push/pop.

When lowering Array.prototype.push/.pop to the fast inlined version, we first need to ensure that all prototypes (including the Object.prototype) are stable.

R=mvstanton@chromium.org
BUG=chromium:644689
Review-Url: https://codereview.chromium.org/2319533005
Cr-Commit-Position: refs/heads/master@{#39266}

[modify] https://crrev.com/4ed27fc836acfc3218a5e4ce6d878a513e9df788/src/compiler/js-builtin-reducer.cc
[add] https://crrev.com/4ed27fc836acfc3218a5e4ce6d878a513e9df788/test/mjsunit/regress/regress-crbug-644689-1.js
[add] https://crrev.com/4ed27fc836acfc3218a5e4ce6d878a513e9df788/test/mjsunit/regress/regress-crbug-644689-2.js
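The fix above requires the whole prototype chain, Object.prototype included, to be stable before TurboFan inlines Array.prototype.push/.pop. The following is an added example, not code from the bug thread or from the V8 repository: a regression-style check in the spirit of the mjsunit tests the commit adds, written so that it runs under plain Node.js with no --allow-natives-syntax flag. It recreates the two ingredients of the ClusterFuzz testcase (Object.prototype driven into dictionary mode by adding many properties, then push called hot enough for the optimizing compiler to consider inlining it) and returns observations a test can assert on. The property and iteration counts are assumptions chosen to mirror the testcase; on a fixed engine the results are simply correct, while a vulnerable d8 build of that era hit the CHECK during optimization.

```javascript
// Added example (not from the bug thread or the V8 repository): a regression-style
// check for the crbug.com/644689 pattern that runs under plain Node.js without
// --allow-natives-syntax. Tier-up happens naturally through repetition, so the
// WARMUP_ITERATIONS count is an assumption, not something the page prescribes.
'use strict';

const GENERATED_PROPERTY_COUNT = 10000;   // mirrors the 10*1000 loop in the testcase
const WARMUP_ITERATIONS = 30000;          // mirrors the 30000 pushes in the testcase

// Adds many own properties to Object.prototype so the engine gives up on a
// fast-mode (stable) map for it, as the fuzzer-generated testcase did.
function addGeneratedProperties(count) {
  const names = [];
  for (let i = 0; i < count; i++) {
    const name = 'generatedProperty' + i;
    Object.prototype[name] = true;
    names.push(name);
  }
  return names;
}

// Restores Object.prototype so the check leaves no global side effects behind.
function removeGeneratedProperties(names) {
  for (const name of names) delete Object.prototype[name];
}

// The function under test has the same shape as the "Not even OSR required"
// repro: a call to Array.prototype.push that the compiler may inline.
function pushInto(array, value) {
  return array.push(value);
}

// Runs the scenario and returns values that describe the observed behaviour.
function runScenario() {
  const names = addGeneratedProperties(GENERATED_PROPERTY_COUNT);
  try {
    const target = [];
    let lastLength = 0;
    for (let i = 0; i < WARMUP_ITERATIONS; i++) {
      lastLength = pushInto(target, i);
    }
    // Exercise the pop side of the same lowering as well.
    const popped = target.pop();
    return {
      lastLength,
      finalLength: target.length,
      popped,
      firstElement: target[0],
      lastElement: target[target.length - 1],
      prototypeWasMutated: Object.prototype.hasOwnProperty('generatedProperty0'),
    };
  } finally {
    removeGeneratedProperties(names);
  }
}

console.log(JSON.stringify(runScenario()));
```

Running the file under `node` should print lastLength 30000, finalLength 29999 and popped 29999; a CHECK failure or wrong lengths would indicate an engine that does not re-validate prototype stability before inlining. The cleanup in the finally block matters because a prototype mutation like this one otherwise leaks into every later test in the same process.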
Sep 9 2016
ClusterFuzz has detected this issue as fixed in range 39264:39289.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6629940500103168
Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux
Crash Type: CHECK failure
Crash Address:
Crash State: map->is_stable() in compilation-dependencies.cc
Regressed: V8: r38599:38625
Fixed: V8: r39264:39289

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97PDddPm6nbQH4f--t8ymbHpIpz-eDgM0BPZ2ok2_7G2d1d3pt-8-sZHdbszO95R-G1b5c-h44e2t-GukgXMcUkrlQhXQvDKfb_DdxQ0CXSreaKClFxCTnQOMYY28kyIDgFRx1_as65eIX0xijKhHw_oYbB8A?testcase_id=6629940500103168

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Oct 17 2016
Any reason this wasn't backmerged to 5.4?
Oct 17 2016
[Automated comment] Less than 2 weeks to go before stable on M54, manual review required.
Oct 18 2016
M54 is already in Stable (deployed to 5% of Win users). We are taking only CRITICAL merges. Could you please confirm the following.
1. Is this change verified in Canary and safe to merge?
2. Any impact on Stability/Performance/enterprise users?
3. How feasible is the revert in case of any breakage?
Oct 18 2016
Yes, this is too close to Stable; feel free to push back if this is critical, along with the questionnaire above.
Oct 19 2016
machenbach/mbarbella any clue why this was not assigned to blink>Javascript?
Oct 19 2016
re #11
1.) yes
2.) good impact, likely breaking websites currently.
3.) Clicking the revert button.
I am not sure what information you would expect ...? Please merge to 5.4
Oct 19 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/9ee144da7edf9e30d4b8885212895a14d6384150

commit 9ee144da7edf9e30d4b8885212895a14d6384150
Author: Michael Hablich <hablich@chromium.org>
Date: Wed Oct 19 19:32:24 2016

Merged: Squashed multiple commits.

Merged: [turbofan] Ensure that all prototypes are stable for push/pop.
Revision: 4ed27fc836acfc3218a5e4ce6d878a513e9df788

Merged: [turbofan] Fix effect chain for polymorphic array access.
Revision: edfe391ef57ef6d1e4a5ce44e20b8361112196a2

BUG=chromium:644689, chromium:655004
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/2434893002 .
Cr-Commit-Position: refs/branch-heads/5.4@{#69}
Cr-Branched-From: 5ce282769772d94937eb2cb88eb419a6890c8b2d-refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}

[modify] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/src/compiler/js-native-context-specialization.cc
[add] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/test/mjsunit/regress/regress-crbug-644689-1.js
[add] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/test/mjsunit/regress/regress-crbug-644689-2.js
[add] https://crrev.com/9ee144da7edf9e30d4b8885212895a14d6384150/test/mjsunit/regress/regress-crbug-655004.js
Oct 20 2016
Updating label.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Sep 7 2016
Status: Available (was: Untriaged)