// PTAL. Only repros with always opt. Goes back to:
https://codereview.chromium.org/2549773002

// Minimized:

function __f_0(a) {
  var __v_3 = a + undefined;
  var __v_0 = __v_3.substring(0, 20);
  var __v_1 = {};
  __v_1[__v_3];
  return __v_0;
}
__v_4 = __f_0( "abcdefghijklmnopqrstuvwxyz");
function __f_2() {
  print(__v_4.substring(7, 1));
}
__f_2();

// Output:
# Compared x64,ignition with x64,ignition_turbo_opt
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1474417455 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo_opt:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1474417455 --ignition-staging --turbo --always-opt --validate-asm
#
# Difference:
- !ûµ¦*
+ Yûµ¦*
#
# Source file:
none
#
### Start of configuration x64,ignition:
!ûµ¦*

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo_opt:
Yûµ¦*

### End of configuration x64,ignition_turbo_opt

 Issue 686630  seem to reproduce with just ignition_turbo. Will mark as duplicate anyways.

 Issue 686630  has been merged into this issue.

Both configurations (i.e. "ignition" and "ignition_turbo_opt") actually produce the wrong result.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/9ea3e56bd9e5c9204aad58a17ba464247358d51e

commit 9ea3e56bd9e5c9204aad58a17ba464247358d51e
Author: jkummerow <jkummerow@chromium.org>
Date: Mon Jan 30 18:17:52 2017

ThinStrings: fix CodeStubAssembler::SubString

BUG= chromium:685965 

Review-Url: https://codereview.chromium.org/2660123002
Cr-Commit-Position: refs/heads/master@{#42782}

[modify] https://crrev.com/9ea3e56bd9e5c9204aad58a17ba464247358d51e/src/code-stub-assembler.cc
[add] https://crrev.com/9ea3e56bd9e5c9204aad58a17ba464247358d51e/test/mjsunit/regress/regress-crbug-685965.js

Agree with #5. Sorry for not updating the bug earlier, I focused on creating the fix instead ;-)

ClusterFuzz has detected this issue as fixed in range 42781:42782.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5242327900880896

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo_opt
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 6df
  
Sanitizer: address (ASAN)

Regressed: V8: 42502:42503
Fixed: V8: 42781:42782

Minimized Testcase (0.47 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv97anp2mD9yHL0ku_bSqK6h1pb-C-IoJHBIkja9eYZoCS9fSx_EEIV2R9HJLD_VDazpnkIFAGX2w9DAVHcqSWxFW8Y9FlE-bKQ8d1BmVClDdYx4rLEl8nORp-3PSLv0x2l0DBdJUu4yReVPr1GVOXB2NEIbgJzuZZX0W1T7597bPsqAkXXXLmb9wvg8W9d3S0sYKFl0u0p1NE19x6VjpfOC9KLtj2qR2VkS6Ef3yh3y6vOQtRfY0Av9FtLag78UxoR7p8DfaKHTWd79uiQdPgklGbouzd73cv7lCTAgT3xkmM70D9M3lW8BoejOyI3HiKq3owBmOCJU-rQuPQeOI4oU45CSCK8XsyjGrGP8-oxvYM7KoeB4?testcase_id=5242327900880896
__PrettyPrint = function __PrettyPrint() {
  switch (typeof value) {
  }
}
assertEquals = function assertEquals(expected, found) { print(found); };
print("v8-foozzie source: /v8/test/mjsunit/thin-strings.js");
function __f_0(a, b) {
  var __v_3 = a + b;
  var __v_0 = __v_3.substring(0, 20);
  var __v_1 = {};
  __v_1[__v_3];
  return __v_0;
}
__v_4 = __f_0( "abcdefghijklmnopqrstuvwxyz");
function __f_2(__v_3) {
  assertEquals("________", __v_3.substring(0, 8));
}
__f_2(__v_4);


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.