Benedikt, can you take a look?

Bisects to https://chromium.googlesource.com/v8/v8/+log/0e03973047d33a93e8888bd4fe97330dbcf61a18..29dd7fc5ed2490947bd951efa7d49e54c41dfbdc?pretty=fuller

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a4f37da86f428de5ee75a6a093416f35d5561150

commit a4f37da86f428de5ee75a6a093416f35d5561150
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Oct 12 07:00:33 2016

[turbofan] Respect ConsString invariant.

For ConsString, the left hand side must be either sequential or external
if the right hand side is empty.

R=jarin@chromium.org
BUG= chromium:654723 
NOTRY=true

Review-Url: https://codereview.chromium.org/2410893003
Cr-Commit-Position: refs/heads/master@{#40192}

[modify] https://crrev.com/a4f37da86f428de5ee75a6a093416f35d5561150/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/a4f37da86f428de5ee75a6a093416f35d5561150/test/mjsunit/regress/regress-crbug-654723.js

ClusterFuzz has detected this issue as fixed in range 40191:40192.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5836684157779968

Fuzzer: decoder_langfuzz
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  this->first()->IsSeqString() || this->first()->IsExternalString() in objects-deb
  
Regressed: V8: r39539:39540
Fixed: V8: r40191:40192

Minimized Testcase (5.79 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96nCwJPM_ZlMBRcGj6T1DPcGEGFzbSrrb9GIpc3ePcOeWc1mdcunV4SDVe00esmLHZKI02T3-DaW-oHt4TNR6DTAb3FuJ9PPz5wRD7JAKAEOeM6SluFoJJ_iQKZ2pJTnBYdfMFOxg3KSFBarmRmoz1KbhMKwQ?testcase_id=5836684157779968

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase is verified as fixed, closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Your change meets the bar and is auto-approved for M55 (branch: 2883)

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f8abba30232f9968997ea9cfc78d74a50a7abe8b

commit f8abba30232f9968997ea9cfc78d74a50a7abe8b
Author: Benedikt Meurer <bmeurer@google.com>
Date: Fri Oct 14 03:51:16 2016

Merged: [turbofan] Respect ConsString invariant.

Revision: a4f37da86f428de5ee75a6a093416f35d5561150

BUG= chromium:654723 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=jarin@chromium.org

Review URL: https://codereview.chromium.org/2415343002 .

Cr-Commit-Position: refs/branch-heads/5.5@{#12}
Cr-Branched-From: 3cbd5838bd8376103daa45d69dade929ee4e0092-refs/heads/5.5.372@{#1}
Cr-Branched-From: b3c8b0ce2c9af0528837d8309625118d4096553b-refs/heads/master@{#40015}

[modify] https://crrev.com/f8abba30232f9968997ea9cfc78d74a50a7abe8b/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/f8abba30232f9968997ea9cfc78d74a50a7abe8b/test/mjsunit/regress/regress-crbug-654723.js

Per comment #8, this is already merged to M55. So removing "Merge-Approved-55" label. 

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot