Through code search on file deoptimizer.cc, suspected CL is

https://chromium.googlesource.com/v8/v8/+/c29a4560bb548fa0ebeec8262f9d6fca9d50fe7a%5E%21/src/deoptimizer.cc

ishell@, could you please take a look and reassign if it is not related your changes.

Inlining into try blocks has issues (https://codereview.chromium.org/2460333002).
Reproduces on ToT.

Deopt fu required. Jaro, please take a look.

Simple repro (with --allow-natives-syntax --turbo). 

This seems to be again a problem with the difference between the stack created by the deoptimizer and the stack we would create by running the bytecode.

In this case, it looks like the unwinder gets a different sp-fp difference and constructs a bigger interpreter frame (which in turn confuses the deoptimizer when we optimize-osr and deoptimize).

function f() {
  %_DeoptimizeNow();
  throw 1;
}

function h() {
  try { f(); } catch(e) { }

  for (var j = 0; j < 3; ++j) if (j === 1) %OptimizeOsr();
  %_DeoptimizeNow();
}

%OptimizeFunctionOnNextCall(h);
h();

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/a90671f1b9674e39dd6ad52de187a97b23525a77

commit a90671f1b9674e39dd6ad52de187a97b23525a77
Author: mstarzinger <mstarzinger@chromium.org>
Date: Tue Nov 22 11:28:19 2016

[interpreter] Fix stack unwinding of deoptimized frames.

This fixes stack unwinding to always recompute the stack pointer for
interpreted frames. For frames materialized by the deoptimizer we elide
the handler frame in between, hence arguments being pushed on the stack
will no longer be pushed into the handler frame but into the interpreted
frame directly.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-662830
BUG= chromium:662830 

Review-Url: https://codereview.chromium.org/2517203003
Cr-Commit-Position: refs/heads/master@{#41170}

[modify] https://crrev.com/a90671f1b9674e39dd6ad52de187a97b23525a77/src/isolate.cc
[add] https://crrev.com/a90671f1b9674e39dd6ad52de187a97b23525a77/test/mjsunit/regress/regress-crbug-662830.js

Fixed. We probably want to merge that to 5.6 once it had sufficient backing time.

Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

ClusterFuzz has detected this issue as fixed in range 41169:41170.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4600883070631936

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_ignition_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  fixed_size_above_fp + (stack_slots * kPointerSize) - CommonFrameConstants::kFixe
  
Regressed: V8: r40664:40665
Fixed: V8: r41169:41170

Minimized Testcase (0.36 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv95sf0SWn5_Zb4i6kRZE8vlGNES3ohpyPW_YD-WDU___Z1Sw28zyjZ6ukScoTQrPxsj82cQPqhnp-tHumaQm1PKmCu1pXMlF9gK-DwIjSF0CeHRYuaXvvlbUxUSRLyYUc1hTLtA22W362BfzZJgi-d-gKl3FUQ?testcase_id=4600883070631936
"use strict";
var __v_5 = {};
var __v_14 = {};
for (var __v_0 = 0; __v_0 < 1e6; __v_0++) {
}
function __f_1() {
  __f_2.arguments;
}
function __f_2() {
  __f_1();
}
function __f_3() {
  __f_2();
}
try {
; __f_3(); __f_3();
} catch(e) {; }
    var __v_6 = 100*1000;
    for (var __v_4 = 1; __v_4 != __v_6; ++__v_4)
      __v_5[__v_4] = __v_4;
__v_14 = function() {
};


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Your change meets the bar and is auto-approved for M56 (branch: 2924)

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

M56 Beta promotion is scheduled on Dec 6 & RC cut on Monday, Dec 5 @ 4.00 PM PST.Please ensure to verify the fix and merge your change ASAP so that we could take it for next Release.

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e016eccafcfe073f338162fa9a3bb67719371047

commit e016eccafcfe073f338162fa9a3bb67719371047
Author: Michael Starzinger <mstarzinger@google.com>
Date: Mon Dec 05 10:03:02 2016

Merged: [interpreter] Fix stack unwinding of deoptimized frames.

Revision: a90671f1b9674e39dd6ad52de187a97b23525a77

BUG= chromium:662830 
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=jarin@chromium.org

Review URL: https://codereview.chromium.org/2551853002 .

Cr-Commit-Position: refs/branch-heads/5.6@{#28}
Cr-Branched-From: bdd3886218dfe76e8560eb8a18401942452ae859-refs/heads/5.6.326@{#1}
Cr-Branched-From: 879f6599eee6e1dfcbe9a24bf688b261c03e9558-refs/heads/master@{#41014}

[modify] https://crrev.com/e016eccafcfe073f338162fa9a3bb67719371047/src/isolate.cc
[add] https://crrev.com/e016eccafcfe073f338162fa9a3bb67719371047/test/mjsunit/regress/regress-crbug-662830.js