Issue 673242


Issue metadata

Status: Fixed
Closed: Dec 2016
OS: Linux
Pri: 1
Type: Bug




shared->is_compiled() in compiler.cc

Reported by ClusterFuzz, Dec 12 2016

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4621172286423040

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  shared->is_compiled() in compiler.cc
  
Regressed: V8: r41208:41209

Minimized Testcase (0.40 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv970BCGng49xLKMnXY19GKN1BAxhXUQlKvMJaHJJuqN48_HRNVzdpa43f9EIqufW4psbIETJQh_XztvbGoZyNvIg8Hm27mRiWr_TVPUOq-bUGJyw5GiTFECjQGLTNL9D3Q8x_RnW74QorEkMBKi5Jsi59JpSIQ?testcase_id=4621172286423040
function nop() {}
try { gc; } catch(e) { gc = nop; }

(function() {
  var __v_1 = 0;
  for (var __v_0 = 5; __v_0 < 1073741824; ++__v_0) {
    var __v_2 = function() {
    }
    __v_1 += __v_2();
    if (nop() == 4) {
      return;
    }
    if (__v_0 == 1) {
      assertEquals( nop());
      nop();
    }
  }
})()

try {
try {
  __f_0();
} catch (e) {}
} catch(e) { print("Caught: " + e); }
function __f_4() {
}



Issue manually filed by: ishell

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
 

Comment 1 by ishell@chromium.org, Dec 12 2016

Cc: bmeu...@chromium.org mstarzinger@chromium.org
Owner: rmcilroy@chromium.org
Status: Assigned (was: Untriaged)
CF points to 5f5300a61bfe51bb1ef9b5ca8709db38ce81b37d

Comment 2 by bugdroid1@chromium.org, Dec 16 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/cb9d0fe7f4789dc5c471fcb092457efc503bd2e4

commit cb9d0fe7f4789dc5c471fcb092457efc503bd2e4
Author: rmcilroy <rmcilroy@chromium.org>
Date: Fri Dec 16 10:44:50 2016

[Compiler] Only optimize a function marked for tier-up if it is compiled.

When mark-shared-function-for-tier-up is enabled, a function could be marked for
optimization, then the baseline (FCG) code is flushed by the GC. The next time
the function is executed, we shouldn't optimize the code if there isn't
baseline code.

BUG= chromium:673242 

Review-Url: https://codereview.chromium.org/2575333003
Cr-Commit-Position: refs/heads/master@{#41751}

[modify] https://crrev.com/cb9d0fe7f4789dc5c471fcb092457efc503bd2e4/src/compiler.cc
[add] https://crrev.com/cb9d0fe7f4789dc5c471fcb092457efc503bd2e4/test/mjsunit/regress/regress-673242.js


Comment 3 by bugdroid1@chromium.org, Dec 16 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/cb9d0fe7f4789dc5c471fcb092457efc503bd2e4

Status: Fixed (was: Assigned)

Comment 5 by ClusterFuzz, Dec 17 2016

ClusterFuzz has detected this issue as fixed in range 41750:41751.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4621172286423040

Regressed: V8: r41208:41209
Fixed: V8: r41750:41751

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
