Issue 658691
Issue metadata

Status: Fixed
Owner:
Closed: Oct 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

Stack-overflow in v8::internal::Invoke

Project Member Reported by ClusterFuzz, Oct 24 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5788147842809856

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe78ae2638
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::Object::GetPropertyWithDefinedGetter
  
Regressed: V8: r39438:39439

Minimized Testcase (0.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IMgleruTXg60QQ8MNakHANRoa9PJp_D05M_yAc643Muh6S_TrXHEEPLT84BVYxi36sO_MxPyBefcEyDl4RLHG8hC-uQmOrHqJxtHG9inpEEK-LKQLsUidwZcKqtRGMFzdrvFOWFkvyzDmtq0o3EMVbSvyTQ?testcase_id=5788147842809856

Issue manually filed by: rossberg

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)

Michael, bisects to your CL.

Cc: bmeu...@chromium.org

Seems to be related to inlining a function that contains a tail-call. The following is the reduction I am currently working with ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --expose-gc --harmony-tailcalls --ignition-staging --turbo --always-opt

function f1(o, extra) {
  "use strict";
  return Reflect.set(o);
}
function g() {
  gc();
  var p = new Proxy({}, {});
  function f2() { return f1(p) }
  p.__defineGetter__("x", f2);
  p.x;
};
g();
g();

Cc: ishell@chromium.org rmcilroy@chromium.org

Unrelated to inlining. This is the further reduced repro ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --harmony-tailcalls --ignition-staging --turbo

function f(o, extra) {
  "use strict";
  return Reflect.set({});
}
function g() {
  function h() { return f() + 1 }
  h();
};
g();
%OptimizeFunctionOnNextCall(f);
g();

Cc: jgruber@chromium.org

This was introduced by 6d51bab3d227bdc1d0910776fcd5b3f72948da02 originally. I have another repro which doesn't require Ignition at all where the tail call within {f} causes the stack-pointer to be bumped by one slot on every call due to an off-by-one. Ignition is just really good at discovering that the stack-pointer is off and flushes this out. Will cook up a fix tomorrow.

Project Member

Comment 5 by bugdroid1@chromium.org, Oct 26 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/2ab2ec224324d0a9e59e100d53a55394dc57ea12

commit 2ab2ec224324d0a9e59e100d53a55394dc57ea12
Author: mstarzinger <mstarzinger@chromium.org>
Date: Wed Oct 26 12:48:42 2016

[turbofan] Disable bogus lowering of builtin tail-calls.

The TurboFan backends currently don't support tail-calls to CPP builtins
because the semantics of kJavaScriptCallArgCountRegister has different
semantics for stub call descriptors versus JavaScript call descriptors.
This is actually a shortcoming of the backends and follow-up work will
make the backends more robust in that regard to fail hard on unsupported
constructs like that. This just disables the lowering creating such a
tail-call.

R=bmeurer@chromium.org
BUG= chromium:658691 
TEST=mjsunit/regress/regress-crbug-658691

Review-Url: https://codereview.chromium.org/2447383002
Cr-Commit-Position: refs/heads/master@{#40590}

[modify] https://crrev.com/2ab2ec224324d0a9e59e100d53a55394dc57ea12/src/compiler/js-typed-lowering.cc
[add] https://crrev.com/2ab2ec224324d0a9e59e100d53a55394dc57ea12/test/mjsunit/regress/regress-crbug-658691.js

Project Member

Comment 6 by ClusterFuzz, Oct 26 2016

ClusterFuzz has detected this issue as fixed in range 40589:40590.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5788147842809856

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: Stack-overflow
Crash Address: 0x7ffe78ae2638
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::internal::Object::GetPropertyWithDefinedGetter
  
Regressed: V8: r39438:39439
Fixed: V8: r40589:40590

Minimized Testcase (0.68 Kb): https://cluster-fuzz.appspot.com/download/AMIfv96IMgleruTXg60QQ8MNakHANRoa9PJp_D05M_yAc643Muh6S_TrXHEEPLT84BVYxi36sO_MxPyBefcEyDl4RLHG8hC-uQmOrHqJxtHG9inpEEK-LKQLsUidwZcKqtRGMFzdrvFOWFkvyzDmtq0o3EMVbSvyTQ?testcase_id=5788147842809856

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Status: Fixed (was: Assigned)

Project Member

Comment 8 by sheriffbot@chromium.org, Nov 22 2016

Labels: -Restrict-View-EditIssue
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot