// PTAL. Repros with ignition/ignition_turbo. Cant get it smaller than this:

var a = {};
a = [];
for (var __v_1 = 0; __v_1 < 10000; __v_1++) {
  if ((__v_1%10000) == 0)
    a.length = 0;
  a.push({});
}
a.map(function() {})  + "";
function __f_6(t) {
  a.push([t[a]]);
  a.push([t[a]]);
  a.push([t[a]]);
  a.push([t[a]]);
}
function __f_19() {
 __f_6({});
 __f_6({});
 __f_6({});
  %OptimizeFunctionOnNextCall(__f_6);
 __f_6({});
 __f_6({});
}
__f_19();
for (var i = 0; i < a.length; i++) {
  if( typeof a[i] != "object") {
    print("Found " + a[i] + " at " + i)
  }
}

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition-staging --turbo --validate-asm
#
# Difference:
+ Found undefined at 10019
#
# Source file:
none
#
### Start of configuration x64,ignition:

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
Found undefined at 10019

### End of configuration x64,ignition_turbo

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e752bcc216384e496ee5eaaebd29f34d7182b517

commit e752bcc216384e496ee5eaaebd29f34d7182b517
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Jan 26 12:57:04 2017

[turbofan] Ensure {CheckMaps} is not used accross mutations.

This makes sure that static guarantees about object maps are not used
accross operations on the effect chain that might trigger a map change.
Such operations are missing the {Operator::kNoWrite} property.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-685506
BUG= chromium:685506 

Review-Url: https://codereview.chromium.org/2653273004
Cr-Commit-Position: refs/heads/master@{#42697}

[modify] https://crrev.com/e752bcc216384e496ee5eaaebd29f34d7182b517/src/compiler/js-builtin-reducer.cc
[add] https://crrev.com/e752bcc216384e496ee5eaaebd29f34d7182b517/test/mjsunit/regress/regress-crbug-685506.js

ClusterFuzz has detected this issue as fixed in range 42696:42697.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=6627138234220544

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: 1c7
  
Sanitizer: address (ASAN)

Regressed: V8: 42658:42659
Fixed: V8: 42696:42697

Minimized Testcase (0.77 Kb): https://cluster-fuzz.appspot.com/download/AMIfv94pQ-6oY8i-2-cZOU26zmZz-dxrDHaLnkm55T7wEaLjWZA3xCChfJcdKlEXo5unCI2zprYPonam8DeWuzORRaut44u7W47RaORjwYG0VUmeGgtycgR0cMHuJcOqZCE37adYIWUW40wvmmFet5QhxXPNCKW2YLdj7tUDC1nwzXDUfAoMb9_oUJ_A_cNaFp9ld_L6U2EGdCfmnuJoy77xON5Cwl4-9QIOB8zipru-q4VuFYsDQ-HsmCGfTtAiBQEThHHXnyGH38M9mOGX0yXcNTCUc-mlGALC_NdAwOCpvEpKu2hZuVUqSwRVzFVPU1XXAlCEIv2GtYfdsnm61KEkDUrGbaGm5yz4PZbYCa-PcSLSUKC4jAw?testcase_id=6627138234220544

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.