Crash in v8::internal::compiler::Schedule::block
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6096709413502976

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000014
Crash State:
  v8::internal::compiler::Schedule::block
  v8::internal::compiler::CFGBuilder::BuildBlockForNode
  v8::internal::compiler::CFGBuilder::BuildBlocks

Regressed: V8: r39823:39838

Minimized Testcase (0.21 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95kU9ZmYZfqxLE2LYPOsAi1V2g0npr6TGusbtNTTisNYpNV5qxFWciULX5wjBLi2Qf33sav9cRCJB8z53xl1XQJ9mUmfQFJxjWhzHbMfc28jz6Sd2UGvLpY4pzR5rrRrNfzhOYL-s1K48STg55ChFgId4MxMQ?testcase_id=6096709413502976

    function __f_4 () {
      __f_6();
      function __f_6() {
        try {
          if (inverted) {
            __v_3, function() { return __f_0; };
            eval();
          }
        } catch(e) { }
      }
      var __v_3 = Object.create();
    }
    __f_4();

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 29 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5200295112212480

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  (projections[index]) != nullptr in node-properties.cc

Regressed: V8: r39823:39838

Minimized Testcase (0.29 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97S6029c8J4fyT4wd141eVB6kD4VtVYjI5r-9TKIFsuWrPzGaFdltfoR2HoKpmEiwGRTYE8FHpbsgeB08tuvBptEQMY6aMzqE0NmDQ_pvxOWdcv95TZDfy6zeKkP2-qgRFHVcoaT4-GnEWYthdjbNUlKjJfIw?testcase_id=5200295112212480

    function __f_2 () {
      __f_4();
      function __f_4() {
        try {
          if (inverted) {
            eval();
            __v_1.__p_1150481273 = __v_1[getRandomProperty()];
          }
        } catch(e) { }
      }
      var __v_1 = Object.create( { toString: { value: __f_3 }, length: { get: __f_3 } });
    }
    __f_2();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 29 2016

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/537c855882d14aa868b12f9495b7a0ca8b7a8d40

commit 537c855882d14aa868b12f9495b7a0ca8b7a8d40
Author: leszeks <leszeks@chromium.org>
Date: Thu Sep 29 15:17:52 2016

[ignition] BytecodeGraphBuilder: Merge correct environment in try block

Making new nodes inside of exception-handled blocks fiddles around with the current environment to merge the exception paths. In particular, the current environment pointer is mutated. This patch ensures that when we merge the fast and slow paths of the LdaContextLookup, we actually merge the correct environment and do not accidentally merge the exceptional environment.

BUG= chromium:651394
Review-Url: https://codereview.chromium.org/2379043002
Cr-Commit-Position: refs/heads/master@{#39878}

[modify] https://crrev.com/537c855882d14aa868b12f9495b7a0ca8b7a8d40/src/compiler/bytecode-graph-builder.cc
[add] https://crrev.com/537c855882d14aa868b12f9495b7a0ca8b7a8d40/test/mjsunit/regress/regress-crbug-651403-global.js
[add] https://crrev.com/537c855882d14aa868b12f9495b7a0ca8b7a8d40/test/mjsunit/regress/regress-crbug-651403.js
Sep 29 2016
Sep 30 2016
Issue 651466 has been merged into this issue.
Sep 30 2016
Issue 651783 has been merged into this issue.
Sep 30 2016
Sep 30 2016

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4573034600202240

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_be
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x000000000014
Crash State:
  v8::internal::compiler::Schedule::block
  v8::internal::compiler::CFGBuilder::BuildBlockForNode
  v8::internal::compiler::CFGBuilder::BuildBlocks

Regressed: V8: r39823:39838
Fixed: V8: r39862:39889

Minimized Testcase (0.29 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96oD6d1clhOh1WFhUwn0g9V7zUYDwKqaweB4emN4UoTYPWDJOIxBsC5x7jWGAxbLYHYEdSAL7yv1Y2etEPmPm7QYBwQwPAfaX96taKkPTDVlLDcBZp-NkrjvPebGqfBt-Y0GmIH_YGyO7kbLLboaSGP9pWLww?testcase_id=4573034600202240

    try { } catch(e) {; }
    function __f_6 () {
      function __f_5() {
        try {
          __v_5.__p_84239135 = __v_5[getRandomProperty()];
          eval();
        } catch(e) { }
      }
      function __f_7() { }
      var __v_5 = Object.create( { toString: { value: __f_7 }, length: { get: __f_7 } });
      __f_5();
    }
    __f_6();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Sep 30 2016
Oct 1 2016

ClusterFuzz has detected this issue as fixed in range 39862:39889.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5200295112212480

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  (projections[index]) != nullptr in node-properties.cc

Regressed: V8: r39823:39838
Fixed: V8: r39862:39889

Minimized Testcase (0.29 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97S6029c8J4fyT4wd141eVB6kD4VtVYjI5r-9TKIFsuWrPzGaFdltfoR2HoKpmEiwGRTYE8FHpbsgeB08tuvBptEQMY6aMzqE0NmDQ_pvxOWdcv95TZDfy6zeKkP2-qgRFHVcoaT4-GnEWYthdjbNUlKjJfIw?testcase_id=5200295112212480

    function __f_2 () {
      __f_4();
      function __f_4() {
        try {
          if (inverted) {
            eval();
            __v_1.__p_1150481273 = __v_1[getRandomProperty()];
          }
        } catch(e) { }
      }
      var __v_1 = Object.create( { toString: { value: __f_3 }, length: { get: __f_3 } });
    }
    __f_2();

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 14 2017
ClusterFuzz testcase 6096709413502976 is still reproducing on tip-of-tree build (trunk). Please re-test your fix against this testcase and if the fix was incorrect or incomplete, please re-open the bug. Otherwise, ignore this notification and add ClusterFuzz-Wrong label.
Comment 1 by mstarzinger@chromium.org, Sep 29 2016
Components: Blink>JavaScript
Owner: leszeks@chromium.org
Status: Assigned (was: Untriaged)