
Issue 662410

Issue metadata

Status: Fixed
Closed: Nov 2016
OS: All
Pri: 1
Type: Bug-Security
Blocking: issue v8:5267



Crash in v8::internal::Invoke

Reported by ClusterFuzz, Nov 4 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4615755334418432

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000ffffffff
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: V8: r40719:40739

Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94R_rU7FGDYg63vtDo1uWE7FMDqvJgIfk2EvaWl2GSnCQY5wNLsRWS5mWyAUGK78NIVfKS84svYmMEjWD8SlDGwL2Fu8lkzc3B-5TVSZKVGOJurx8h-k0YIyvMwWCZDv3h7uU0RtgIUheeFr3uEScxO97SBkQ?testcase_id=4615755334418432

Issue manually filed by: mstarzinger

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 
Cc: bmeu...@chromium.org jar@chromium.org mstarzinger@chromium.org
Components: Blink>JavaScript
Reduced repro ...

// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

// The property load on v only ever sees heap-object receivers during warm-up.
function g(v) {
  v.constructor.hasOwnProperty()
}

// Warm up g with plain objects so the load site's feedback is monomorphic.
g({});
g({});

function f() {
  var i = 0;
  do {
    i = i + 1;
    g(i);   // g is inlined into f; the receiver is now the Smi 1, not a heap object
  } while(i < 1);
}

%OptimizeFunctionOnNextCall(f);
f();
Cc: -jar@chromium.org jarin@chromium.org
Status: Available (was: Untriaged)
Cc: -bmeu...@chromium.org mvstan...@chromium.org
Labels: Pri-1
Owner: bmeu...@chromium.org
Status: Started (was: Available)
Awesome, a classic one again:

...
movq rax,0x100000000
cmpq [rax-0x1],rbx
...

Spot the bug... :-)
Cc: hablich@chromium.org
Can be further reduced to:

----------------------------------------------------------------
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

// Property load whose feedback only ever sees heap-object receivers.
function g(v) { return v.constructor; }

// Warm up g with plain objects so the load site becomes monomorphic on the
// Object map; this is the map check TurboFan later emits for the receiver.
g({});
g({});

function f() {
  var i = 0;
  do {
    i = i + 1;
    g(i);   // g is inlined into f; the receiver is now the Smi 1, not a heap object
  } while (i < 1);
}

%OptimizeFunctionOnNextCall(f);
f();
----------------------------------------------------------------

Problem seems to be that we do not rename on CheckHeapObject for the following CheckMaps, and CheckMaps says it's fine to have MachineRepresentation::kTagged for the receiver, thus SimplifiedLowering yields a NumberConstant[1].
Labels: Security_Impact-Head
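The disassembly and the comment above say where the bad load comes from but not why it lands at 0x0000ffffffff. The following is an added example, not code from V8 or from anyone on this thread: a small Node.js model of V8's late-2016 x64 value tagging (assumed here: 32-bit Smis stored in the upper half of a 64-bit word with a zero low bit, heap pointers tagged with kHeapObjectTag = 1, and the map word at offset 0 of the object, so the map load is [ptr - 1]) that shows what the optimized code computed when the Smi 1 reached the map check without going through the renamed CheckHeapObject output, and what the check should have done instead. The heap address used in the test is constructed.

```javascript
// Added example: a model of V8 x64 value tagging as of late 2016
// (no pointer compression). Assumptions, not taken from the bug report:
//   - a Smi is a 32-bit integer stored in the upper 32 bits, low bit 0
//   - a HeapObject is a pointer with the low bit (kHeapObjectTag) set to 1
//   - the map word is the first field, so the map load is [ptr - 1]
const SMI_SHIFT = 32n;
const HEAP_OBJECT_TAG = 1n;
const WORD_MASK = (1n << 64n) - 1n;

// Stands in for a deoptimization back to the interpreter.
class DeoptError extends Error {}

// Tag a small integer the way the x64 backend does: value << 32.
// smiTag(1) is exactly the 0x100000000 seen in `movq rax,0x100000000`.
function smiTag(n) {
  return (BigInt(n) << SMI_SHIFT) & WORD_MASK;
}

// Tag a heap address (any address passed in here is constructed).
function heapObjectTag(addr) {
  return (BigInt(addr) | HEAP_OBJECT_TAG) & WORD_MASK;
}

// The test a CheckHeapObject node lowers to: inspect the tag bit.
function isHeapObject(tagged) {
  return (tagged & HEAP_OBJECT_TAG) === HEAP_OBJECT_TAG;
}

// What CheckHeapObject enforces for every use that consumes its output:
// bail out when the value is a Smi, otherwise pass the value through.
function checkHeapObject(tagged) {
  if (!isHeapObject(tagged)) throw new DeoptError('receiver is a Smi');
  return tagged;
}

// The address touched by the map load that CheckMaps emits
// (`cmpq [rax-0x1],rbx` in the disassembly above).
function mapLoadAddress(tagged) {
  return (tagged - HEAP_OBJECT_TAG) & WORD_MASK;
}

// Model of the buggy graph: CheckMaps consumes the original, un-renamed
// receiver, so a Smi flows straight into the map load.
function buggyReceiverMapAddress(tagged) {
  return mapLoadAddress(tagged);
}

// Model of the fixed graph: every later use of the receiver goes through
// the renamed CheckHeapObject output, so a Smi deopts before any load.
function fixedReceiverMapAddress(tagged) {
  return mapLoadAddress(checkHeapObject(tagged));
}

// The receiver in the reduced repro is the Smi 1 produced by `i = i + 1`.
const smiOne = smiTag(1);
console.log('Smi 1 tagged:      0x' + smiOne.toString(16));
console.log('buggy map load at: 0x' + buggyReceiverMapAddress(smiOne).toString(16));
try {
  fixedReceiverMapAddress(smiOne);
} catch (e) {
  console.log('fixed graph:       ' + e.constructor.name + ' (' + e.message + ')');
}
```

Running it prints 0x100000000 for the tagged Smi and 0xffffffff for the address the buggy map check reads, which is the Crash Address in the ClusterFuzz report; with the check applied to the renamed value the same input deopts instead of loading.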

Comment 8 by sheriffbot@chromium.org, Nov 5 2016

Labels: M-56

Comment 9 by sheriffbot@chromium.org, Nov 5 2016

Labels: ReleaseBlock-Beta
This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Blocking: v8:5267
Labels: -OS-Linux -Security_Severity-High Security_Severity-Medium OS-All

Comment 11 by bugdroid1@chromium.org, Nov 7 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a758c19761ce6722836363ab9a5ed4437897197c

commit a758c19761ce6722836363ab9a5ed4437897197c
Author: bmeurer <bmeurer@chromium.org>
Date: Mon Nov 07 08:41:07 2016

[turbofan] Properly rename receiver on CheckHeapObject.

We need to rename the receiver on CheckHeapObject, because we
don't canonicalize numbers in SignedSmall range, and thus
the representation selection can hand out TaggedSigned values
for receiver uses, even though we checked for TaggedPointerness
first.

Note that this is rather hacky and just intended to fix the bug
ASAP. We need to think about how to deal with representations in
earlier compilation stages.

BUG= chromium:662410 
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2485563002
Cr-Commit-Position: refs/heads/master@{#40792}

[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-builtin-reducer.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-call-reducer.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-inlining.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-native-context-specialization.cc
[modify] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/src/compiler/js-native-context-specialization.h
[add] https://crrev.com/a758c19761ce6722836363ab9a5ed4437897197c/test/mjsunit/regress/regress-crbug-662410.js

Status: Fixed (was: Started)

Comment 13 by sheriffbot@chromium.org, Nov 7 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 14 by ClusterFuzz, Nov 8 2016

ClusterFuzz has detected this issue as fixed in range 40786:40793.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4615755334418432

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x0000ffffffff
Crash State:
  v8::internal::Invoke
  v8::internal::Execution::Call
  v8::Script::Run
  
Regressed: V8: r40719:40739
Fixed: V8: r40786:40793

Minimized Testcase (0.64 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94R_rU7FGDYg63vtDo1uWE7FMDqvJgIfk2EvaWl2GSnCQY5wNLsRWS5mWyAUGK78NIVfKS84svYmMEjWD8SlDGwL2Fu8lkzc3B-5TVSZKVGOJurx8h-k0YIyvMwWCZDv3h7uU0RtgIUheeFr3uEScxO97SBkQ?testcase_id=4615755334418432

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Labels: -ReleaseBlock-Beta

Comment 16 by sheriffbot@chromium.org, Feb 13 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
