Issue 696332

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

V8 correctness failure in configs: x64,ignition:x64,ignition_turbo_opt

Project Member Reported by ClusterFuzz, Feb 26 2017

Issue description

Cc: bmeu...@chromium.org titzer@chromium.org mstarzinger@chromium.org
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)
// PTAL. Repros only with turbo_opt. Bisects to:
https://chromium.googlesource.com/v8/v8/+/36ed494784706c3c573c7d5fdd61d93a33dcb91a 


try {
  throw 'catch';
} catch (v) {
  function foo() { return v; }   // closure captures the catch binding v
  foo();
  v = 'global';                  // assignment must be visible through foo
}
print(foo());                    // expected: global (turbo_opt printed: catch)

// Output:

# Compared x64,ignition with x64,ignition_turbo_opt
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition --turbo-filter=~ --hydrogen-filter=~ --validate-asm --nocrankshaft
# Flags of x64,ignition_turbo_opt:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 1234 --ignition-staging --turbo --always-opt --validate-asm
#
# Difference:
- global
+ catch
#
# Source file:
none
#
### Start of configuration x64,ignition:
global

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo_opt:
catch

### End of configuration x64,ignition_turbo_opt

Cc: -titzer@chromium.org jarin@chromium.org
Owner: neis@chromium.org

Comment 3 by neis@chromium.org, Feb 27 2017

Cc: neis@chromium.org
Owner: marja@chromium.org
When TurboFan sees variable v in "return v", this variable says it's never assigned, which is incorrect. However, the information in the original scope correctly says v is assigned. This seems to be an issue with lazy parsing as it works correctly when passing --nolazy. Marja, could you have a look?

Comment 4 by marja@chromium.org, Feb 28 2017

Looking...

This is weird; it indeed works with --nolazy, but... what's inside the lazy function doesn't even affect the maybe-assignedness of the variable. So there's something weird going on...
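The semantics that the optimizing compiler has to preserve in this bug, as an added JavaScript example that is not part of this thread and not V8's own regression test: a closure created inside a catch block captures the catch binding itself, so an assignment made after the closure exists must be visible through it. The first case is the report's repro (written with a function expression instead of the block-level function declaration so it also runs in strict mode); the remaining cases generalize it to assignment from another closure, to shadowed nested catch parameters, and to the never-assigned case in which treating the variable as constant is legitimate. All case names and expected values are constructed here.

```javascript
// Added example, not code from the bug report or from V8's regression test.
// The bug in this thread printed 'catch' instead of 'global' for case 1
// because the "maybe assigned" flag of the catch variable was lost during
// scope deserialization, letting the compiler treat v as a constant.

// Case 1: the repro from the report. The closure is called once before the
// assignment and once after it; only the second result is returned.
function captureThenAssign() {
  let foo;
  try {
    throw 'catch';
  } catch (v) {
    foo = function () { return v; };
    foo();          // sees 'catch' here
    v = 'global';   // mutates the binding foo captured
  }
  return foo();     // correct: 'global'
}

// Case 2: the assignment happens inside another closure rather than in the
// catch block itself, so assignment analysis has to look into closure bodies.
function closureAssigns() {
  let read, write;
  try {
    throw 1;
  } catch (v) {
    read = () => v;
    write = (x) => { v = x; };
  }
  write(42);
  return read();    // correct: 42
}

// Case 3: a nested catch parameter shadows the outer one; each closure must
// resolve to its own binding and observe that binding's final value.
function nestedShadowing() {
  let outer, inner;
  try {
    throw 'outer';
  } catch (v) {
    outer = () => v;
    try {
      throw 'inner';
    } catch (v) {           // shadows the outer v
      inner = () => v;
      v = 'inner-assigned';
    }
    v = 'outer-assigned';
  }
  return outer() + '|' + inner();   // correct: 'outer-assigned|inner-assigned'
}

// Case 4: a catch variable that is never assigned really is constant; a
// compiler may legitimately fold it, and the observable result is unchanged.
function neverAssigned() {
  let foo;
  try {
    throw 'constant';
  } catch (v) {
    foo = () => v;
  }
  return foo();     // correct: 'constant'
}

// Runs each case many times so that a tiering JIT would optimize it, then
// returns the names of the cases whose result deviates from the expected
// value. An empty array means the engine preserved the semantics above.
function checkAll(iterations = 2000) {
  const cases = [
    ['captureThenAssign', captureThenAssign, 'global'],
    ['closureAssigns', closureAssigns, 42],
    ['nestedShadowing', nestedShadowing, 'outer-assigned|inner-assigned'],
    ['neverAssigned', neverAssigned, 'constant'],
  ];
  const failures = [];
  for (const [name, fn, expected] of cases) {
    let result;
    for (let i = 0; i < iterations; i++) result = fn();
    if (result !== expected) failures.push(name);
  }
  return failures;
}

// Usage: run with node; a correct engine prints an empty list.
console.log(checkAll());
```

The loop in checkAll matters for this class of bug: a miscompile that only appears in optimized code (here, only under --turbo --always-opt) is invisible to a single interpreted call, which is also why the report compares two engine configurations rather than one.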

Project Member Comment 5 by bugdroid1@chromium.org, Mar 1 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/78d9d5b51aa2199e053e61e38e8284efcb0bc8e3

commit 78d9d5b51aa2199e053e61e38e8284efcb0bc8e3
Author: Georg Neis <neis@chromium.org>
Date: Wed Mar 01 08:45:46 2017

[ast] Fix bug in deserialization of catch scopes.

The maybe-assigned flag of the catch variable was not preserved.

BUG=v8:5636, chromium:696332

Change-Id: I9c55e1b1312bdebc53bc45bc3ca1c982bdbe9846
Reviewed-on: https://chromium-review.googlesource.com/447680
Reviewed-by: Marja Hölttä <marja@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#43506}
[modify] https://crrev.com/78d9d5b51aa2199e053e61e38e8284efcb0bc8e3/src/ast/scopes.cc
[modify] https://crrev.com/78d9d5b51aa2199e053e61e38e8284efcb0bc8e3/src/ast/scopes.h
[add] https://crrev.com/78d9d5b51aa2199e053e61e38e8284efcb0bc8e3/test/mjsunit/regress/regress-696332.js

Comment 6 by neis@chromium.org, Mar 1 2017

Status: Fixed (was: Assigned)

Project Member Comment 7 by ClusterFuzz, Mar 1 2017

ClusterFuzz has detected this issue as fixed in range 43505:43506.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4692699140849664

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 431
  
Sanitizer: address (ASAN)

Regressed: V8: 43107:43108
Fixed: V8: 43505:43506

Reproducer Testcase: https://cluster-fuzz.appspot.com/download/AMIfv96pDX3tThUTbtYKAQ7QVP5YwQbzpuuiHjufr9gJ9ni_6yBf6inYTEloFiVsZdYZTzJ5SwEcG5GNzy8s2PN_142ZV97-fNqxQ9mO1BMk8YfeTVwcuGO3wdyowl1wheybXI_06geRP2ALuXDPGPYPJYbpMuGiY7lJjj2wkP4B8viQTCXQXP8zeFAmXHKuiiZ0lHRupXsCAWdWNNFhwpHOkcaD2Be1988Dge_MIU3UAngWPqxSmKWy-PnLKc-y71-IR-lbnWAK9pRxRRJFR_8ZUCPS0wAgLrqFnLCeyqg_qqMnhYJ6-CF_p1wmxtqxC-kDugasYT6UhWK5UKaxCLlwqPCXRfmvZkp62nNcfbjZ3_h4LbNJKNY?testcase_id=4692699140849664


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.