// PTAL. Ignition vs. turbofan is enough, no always opt needed. Points to:
https://chromium.googlesource.com/v8/v8/+/9df5674bd53b4a262e72f45263df9e886842c269

function foo() {
  print(Array.prototype.reduceRight.call(__v_4, function () { }));
}
try {
  foo();
} catch(e) {}

var __v_4 = {};
%OptimizeFunctionOnNextCall(foo);
foo();

// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo-filter=~ --hydrogen-filter=~ --nocrankshaft
# Flags of x64,ignition_turbo:
--abort_on_stack_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed 732681078 --ignition --turbo
#
# Difference:
- ./repro.js:2: TypeError: Reduce of empty array with no initial value
+ undefined
#
### Start of configuration x64,ignition:
./repro.js:2: TypeError: Reduce of empty array with no initial value
  print(Array.prototype.reduceRight.call(__v_4, function () { }));
                                    ^



### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
undefined

### End of configuration x64,ignition_turbo

 Issue 708282  has been merged into this issue.

 Issue 708599  has been merged into this issue.

 Issue 709173  has been merged into this issue.

Any ETA for this? This spits out so many noisy duplicates.

 Issue 709747  has been merged into this issue.

danno@ is working on porting the Array builtins, which fixes this problem. 

 Issue 707065  has been merged into this issue.

 Issue 710417  has been merged into this issue.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/d98dfd8b9b68635c3b974e1d91be414304dec35c

commit d98dfd8b9b68635c3b974e1d91be414304dec35c
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Apr 12 04:32:05 2017

Revert "[turbofan] Avoid going through ArgumentsAdaptorTrampoline for CSA/C++ builtins."

This reverts commit 9df5674bd53b4a262e72f45263df9e886842c269 because it
is not compatible with the way that Array.prototype.reduceRight and
Array.prototype.reduce deal with optional parameters at this point (i.e.
parameters where the behavior is different depending on whether the
parameter was skipped or undefined was passed).

In general, it might be better to not adapt arguments for builtins with
optional paramters, that are likely skipped, for example as in
Object.create or Array.prototype.reduce. Since that will require
arguments adaptor frames for normal calls, especially from baseline
code. Instead it might make sense to use the variadic arguments support
in the CodeStubAssembler instead to avoid the arguments adaptor in all
cases (not only when called from TurboFan optimized code).

BUG=v8:5267, chromium:709782 , chromium:707992 , chromium:708282 , chromium:708599 , chromium:709173 , chromium:709747 , chromium:707065 , chromium:710417 
TBR=danno@chromium.org

Review-Url: https://codereview.chromium.org/2817653002
Cr-Commit-Position: refs/heads/master@{#44593}

[modify] https://crrev.com/d98dfd8b9b68635c3b974e1d91be414304dec35c/src/compiler/js-call-reducer.cc

ClusterFuzz has detected this issue as fixed in range 44592:44593.

Detailed report: https://clusterfuzz.com/testcase?key=5922615329030144

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,ignition_turbo_opt
  sources: 90d
  
Sanitizer: address (ASAN)

Regressed: V8: 44217:44218
Fixed: V8: 44592:44593

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv94BYGha2VQlAg4NJ9JeJDWFC961SNWjUXTI_-gEUEhfAy5bARJkmg2ScKIU7yHIlbHzgDJ9yPN3mnFQfwsjRvMSBpHN07k_YKiSJNZz8Bk9l8kq6oxf2caNx7cwKO36RbymuPD68OYwHdNvyh9CuR11nXcNWGu5rKxZYCELY7gaQZbT8s9Rad9yiTcwYNHqtnG1p8OJDveuhvG0LEzQjGkCqCmdJgm9kWiM5xcGMBlpNK5t907N-IbB1xKoGw02pqH4CP9j4LhtphfJZHBIhnadHuaUk3ZeTNv_6f6m4WUGlQZ0AnwMBnpyv-A3cdSzFh0TgR027OBMsANOkPgWCRxbJSPXjRize4Zejo5icFm-8xpYIGWWHoKcJ2fG0zqKxX2Pwxy2p83DtQq49e3wbYq57LlFBQ?testcase_id=5922615329030144


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/ddf03166c01372d8da269cfaa00188e3113465ce

commit ddf03166c01372d8da269cfaa00188e3113465ce
Author: Michael Hablich <hablich@chromium.org>
Date: Thu Apr 13 12:23:05 2017

Merged: Revert "[turbofan] Avoid going through ArgumentsAdaptorTrampoline for CSA/C++ builtins."

Revision: d98dfd8b9b68635c3b974e1d91be414304dec35c

BUG= chromium:707065 , chromium:707992 , chromium:708282 , chromium:708599 , chromium:709173 , chromium:709747 , chromium:709782 , chromium:710417 ,v8:5267
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
TBR=bmeurer@chromium.org

Change-Id: I2363c9012d7107e5e246d46bf6938bead642b486
Reviewed-on: https://chromium-review.googlesource.com/476351
Reviewed-by: Michael Hablich <hablich@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#4}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}
[modify] https://crrev.com/ddf03166c01372d8da269cfaa00188e3113465ce/src/compiler/js-call-reducer.cc