Points to https://chromium.googlesource.com/v8/v8/+log/daad4319c960b714c270b2c603b1f03bbc6ade14..a14f22818851558ec51f04f5fa3396e242f10b78?pretty=fuller

PTAL

Sorry, can't get the repro any smaller. Very sensitive to any line I try to change.

IMO the ignition baseline looks wrong, and the turbofan case looks alright, though.

PTAL Ross. It looks like the turbofan case is correct here. When run in d8, it only repros if all js files are passed (I assume it needs certain properties in the global object). Put the minimized repro into repro.js and run from V8 root folder with an x64 release build:

out.gn/x64.release/d8 --abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft tools/foozzie/v8_mock.js tools/foozzie/v8_suppressions.js ./repro.js

-> the last print statement doesn't get executed.

ClusterFuzz has detected this issue as fixed in range 42965:42966.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5923777847492608

Fuzzer: foozzie_js_mutation
Job Type: foozzie_ignition_turbo
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo
  sources: f45
  
Sanitizer: address (ASAN)

Regressed: V8: 42804:42805
Fixed: V8: 42965:42966

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv95dpPwg3dVlX-gVFLpNCmwYMo6tfHXYKYALQW75N2f7Ho8-zpElLBhFdGIU-vHfIl_Eg05LYzEx8_HzWM9rEhn2_ebRNmtqp0J3FcwA7gCWosZ4D8CgmmleJFsQ68sLPCedOCxQB2QIZ2hTx1dpFjGPKCAUG5MrRgcSnYoI61pw6abHh8OR981eK5K78SboGHyGGY8CmvovYzxFH7H7CAUtDQhmsP9Ba-b9wdd1gf5FlgDYxSfsV-c4lC9rUhAl6RBTj7Gviae9gERr2yC9aaJaJP9IogsduiiF1yaONf1XyJPBhwrxkG2zGFaqxLBHVJ8MHmJUNi1nYE5wYlxDQa2FUGkeWakjSZEiiFBFCMTX6Ha9NKM?testcase_id=5923777847492608


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

ClusterFuzz testcase 5923777847492608 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

This was very likely wrongly closed as one of the mock files changed the global object in the mean time.

I invested a bit time to get a better repro of this on ToT. I take back that it might be ignition's fault. Looking closer, the turbofan variant might be wrong. Here are pure d8 repros:

// Program repro.js:
var v = {};
var other = {};
function foo(thing) {
  var s = v[thing];
  v.__defineGetter__("print", function() { return s; });
}

foo("other");
v = this;
foo("printErr");
%OptimizeFunctionOnNextCall(foo);
foo("other");

print();

// Output with ignition:
d8 --allow-natives-syntax --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft repro.js
/usr/local/google/home/machenbach/v8/v8/repro.js:17: TypeError: print is not a function
print();
^
TypeError: print is not a function
// End of output

// Output with ignition_turbo:
d8 --allow-natives-syntax --random-seed 1234 --ignition-staging --turbo --validate-asm repro.js

// End of output

This seems to work with all kinds of properties of the global object like so:

var v = {};
var other = {};
function foo(thing) {
  var s = v[thing];
  v.__defineGetter__("Worker", function() { return s; });
}

foo("other");
v = this;
foo("print");
%OptimizeFunctionOnNextCall(foo);
foo("other");

Worker();

Most likely a dupe of  issue 694416 .

Confirmed it was a dupe. Now fixed after fix of  issue 694416  was in.

We have made a bunch of changes on ClusterFuzz side, so resetting ClusterFuzz-Wrong label.