
Issue 645103 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug




args[1]->IsJSReceiver() in runtime-object.cc

Project Member Reported by ClusterFuzz, Sep 8 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5712623226322944

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  args[1]->IsJSReceiver() in runtime-object.cc
  
Regressed: V8: r38356:38395

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97YTKhoXYM2D_jbIVHxAhr5b1l65CkZjEjsZ5tAMPra2Cocu7StfSZbUdRrQh6-MgK9i1eqBrfpTlGzt7wNvFEEDY2Bt30rFsjRpg6OiHw__gAoqNCtGToiwWisQUu6Lk9eoL-dmHt7att_ZuKaZM3Y7woa4g?testcase_id=5712623226322944
var __v_21 = {};
try {
( {
})();
} catch(e) {; }
(function __f_9() {
  class Base {
  }
}());
(function __f_16() {
  class Base {
  }
  class Subclass1 extends Base {
    constructor() {
      __v_21 = 0;
      super();
    }
  }
  new Subclass1();
}());
(function __f_8() {
}());


Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: rmcilroy@chromium.org mstarzinger@chromium.org
Status: Available (was: Untriaged)
I previously folded this into issue chromium:642409, but it seems to be unrelated, because it is still happening on tip of tree. Will investigate.

Reproduces as follows ...

$ ./out/x64.debug/d8 --turbo --always-opt --ignition --turbo-from-bytecode ~/Downloads/fuzz-03277.js 

#
# Fatal error in ../src/runtime/runtime-object.cc, line 567
# Check failed: args[1]->IsJSReceiver().
#
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --ignition-staging --turbo

var x = {};
class Base {}
class Subclass extends Base {
  constructor() {
    x = 0;
    super();
  }
}
// does not reproduce when warmed up before!
%OptimizeFunctionOnNextCall(Subclass);
new Subclass();
Cc: -mstarzinger@chromium.org bmeu...@chromium.org
Owner: mstarzinger@chromium.org
Status: Assigned (was: Available)
This has to do with the deoptimizer smashing "undefined" into the "new.target" register when materializing the interpreted frame. I need to dwell on this a bit.
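The comment above and the minimized testcase both hinge on how new.target travels through a derived-class constructor: the value that `new` supplies has to survive whatever the constructor does before `super()` and then be forwarded to the parent constructor, where V8's runtime checks that it is an object. The following is an added example, not code from the bug report or from V8, that makes that flow observable from plain JavaScript (no natives syntax or special flags assumed); the class and function names are invented for the illustration.

```javascript
// Added example (not from the bug report or V8): how new.target flows through a
// derived-class constructor. The CHECK in the report is V8's runtime asserting
// that the new.target it receives for super() is an object (a constructor);
// a derived constructor must forward that value unchanged.

let seenBeforeSuper = undefined; // new.target as observed before super()
let sideEffectTarget = {};        // mirrors __v_21 / x in the testcases

class Base {
  constructor() {
    // Record what new.target was when Base's body ran.
    this.constructedAs = new.target;
  }
}

class Subclass extends Base {
  constructor() {
    // Same shape as the fuzzer testcase: work happens before super(), so the
    // new.target value has to be kept alive across it.
    sideEffectTarget = 0;
    seenBeforeSuper = new.target;
    super();
  }
}

// With a plain `new Subclass()`, new.target is Subclass both before super()
// and inside Base's constructor (super() forwards it, it does not reset it).
function newTargetOfPlainNew() {
  const obj = new Subclass();
  return obj.constructedAs === Subclass && seenBeforeSuper === Subclass;
}

// Reflect.construct lets the caller choose new.target explicitly; the derived
// constructor forwards whatever it received, so Base sees `Other`.
function newTargetOfReflectConstruct() {
  class Other {}
  return Reflect.construct(Subclass, [], Other).constructedAs.name;
}

// The visible consequence of new.target: the created object takes its
// prototype from new.target, not from the constructor that was invoked.
function prototypeFollowsNewTarget() {
  class Other {}
  const obj = Reflect.construct(Subclass, [], Other);
  return Object.getPrototypeOf(obj) === Other.prototype;
}

// Invoking a class constructor without `new` gives it no new.target at all,
// and the language rejects the call before any constructor body runs. The
// crash in the report is the engine reaching super() with such an undefined
// new.target on a path the spec says cannot exist.
function callWithoutNew() {
  try {
    Subclass();
    return 'no error';
  } catch (e) {
    return e.constructor.name;
  }
}
```

Running this under any ES2015-capable engine shows the three cases side by side: the implicit new.target of `new`, an explicit one chosen via `Reflect.construct`, and the rejected call without `new`. The regression test added by the fix exercises the first case under optimization and deoptimization, which is where the forwarded value was being lost.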
Project Member

Comment 4 by bugdroid1@chromium.org, Sep 9 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/0681deb9142f7845b2d28e062664a0e63c601b68

commit 0681deb9142f7845b2d28e062664a0e63c601b68
Author: mstarzinger <mstarzinger@chromium.org>
Date: Fri Sep 09 12:19:48 2016

[interpreter] Fix destroyed new.target register use.

This fixes a corner-case where the bytecode was using the <new.target>
register directly without going through the local variable. The value
might be clobbered because the deoptimizer doesn't properly restore the
value. The label will cause the bytecode pipeline to be flushed and hence
ensures {BytecodeRegisterOptimizer} doesn't reuse <new.target> anymore.

R=rmcilroy@chromium.org
TEST=mjsunit/regress/regress-crbug-645103
BUG= chromium:645103 

Review-Url: https://codereview.chromium.org/2325133002
Cr-Commit-Position: refs/heads/master@{#39306}

[modify] https://crrev.com/0681deb9142f7845b2d28e062664a0e63c601b68/src/interpreter/bytecode-generator.cc
[modify] https://crrev.com/0681deb9142f7845b2d28e062664a0e63c601b68/test/cctest/interpreter/bytecode_expectations/ClassAndSuperClass.golden
[modify] https://crrev.com/0681deb9142f7845b2d28e062664a0e63c601b68/test/cctest/interpreter/bytecode_expectations/NewTarget.golden
[add] https://crrev.com/0681deb9142f7845b2d28e062664a0e63c601b68/test/mjsunit/regress/regress-crbug-645103.js

Status: Fixed (was: Assigned)
This is done.
Project Member

Comment 6 by ClusterFuzz, Sep 10 2016

ClusterFuzz has detected this issue as fixed in range 39303:39316.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5712623226322944

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  args[1]->IsJSReceiver() in runtime-object.cc
  
Regressed: V8: r38356:38395
Fixed: V8: r39303:39316


If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 7 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
