Issue 709029


Issue metadata

Status: Verified
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug

CHECK failure: pc_->Mask(ExceptionMask) == HLT in simulator-arm64.cc

Project Member Reported by ClusterFuzz, Apr 6 2017

Issue description

Labels: Test-Predator-Wrong M-59
Cc: yangguo@chromium.org
Owner: jgruber@chromium.org
Status: Assigned (was: Untriaged)
Bisects to ae459356468ae81955a1298acd255794ac901b4c. Triggers a CSA assertion. Reproduces on other architectures (e.g. I tried x64) as well.
The new DCHECKs are flushing out some issues. This one is another unintended shape change, where we fetch the map, call ToString (possibly mutating the regexp), and then use the original map to perform fast path checks.
Labels: Restrict-View-SecurityTeam Merge-Request-58
Restricting access since this one is similar to crbug.com/708247.

CL in flight at https://codereview.chromium.org/2807153002/.

Comment 5 by bugdroid1@chromium.org (Project Member), Apr 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/db61537afcbc4ed1914152aad302a9788bc80d0f

commit db61537afcbc4ed1914152aad302a9788bc80d0f
Author: jgruber <jgruber@chromium.org>
Date: Mon Apr 10 14:57:55 2017

[regexp] Avoid side effects between map load and fast path check

Loading the map, performing a side-effect, and then using the stored
pointer for the fast-path check is another antipattern that can lead to
unintended shapes on the fast path.

BUG=chromium:709029

Review-Url: https://codereview.chromium.org/2807153002
Cr-Commit-Position: refs/heads/master@{#44528}

[modify] https://crrev.com/db61537afcbc4ed1914152aad302a9788bc80d0f/src/builtins/builtins-regexp-gen.cc
[modify] https://crrev.com/db61537afcbc4ed1914152aad302a9788bc80d0f/src/builtins/builtins-regexp-gen.h
[add] https://crrev.com/db61537afcbc4ed1914152aad302a9788bc80d0f/test/mjsunit/regress/regress-709029.js
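
The description and the commit message above both describe the same hazard: a RegExp builtin loads the receiver's map, then runs ToString on a user-supplied argument, then reuses the stale map for its fast-path check. The following is an added example, not the regress test from the commit and not V8 code: it drives RegExp.prototype[Symbol.replace] with a constructed "string" argument whose toString mutates the receiver (adds an own property and installs a user exec) exactly inside that window, and records what a spec-compliant engine must observe afterwards. The helper names and the sample input are the example's own.

```javascript
// Added example for the side-effect window described in issue 709029.
// Not the regress test from the V8 commit; it does not target a specific
// engine version and runs on any modern Node.js.
//
// RegExp.prototype[Symbol.replace](string, replaceValue) must call
// ToString(string) before it runs its match loop. That ToString is
// user-controlled and may mutate the receiver RegExp: add a property (a new
// hidden class, V8's "map") or replace its `exec`. A correct engine must
// observe both; a fast path that still trusted a map loaded before ToString
// would not.

function makeMutatingSubject(re, subject, log) {
  // The returned object is passed as the "string" argument. Its toString
  // runs inside the builtin, after the map load and before the fast-path check.
  return {
    toString() {
      log.push("toString");
      re.shapeChanged = true;                 // own property: the map changes
      re.exec = function (s) {                // user exec: fast path must be abandoned
        log.push("exec");
        return RegExp.prototype.exec.call(this, s);
      };
      return subject;
    },
  };
}

function replaceObservingSideEffect(pattern, flags, subject, replacement) {
  const log = [];
  const re = new RegExp(pattern, flags);
  const result = re[Symbol.replace](makeMutatingSubject(re, subject, log), replacement);
  return {
    result,
    toStringCalls: log.filter((e) => e === "toString").length,
    // Per spec, every iteration of the @@replace loop goes through
    // RegExpExec, which looks up "exec" on the receiver; after the mutation
    // that is our function, so the count shows the slow path was taken.
    execCalls: log.filter((e) => e === "exec").length,
    shapeChanged: re.shapeChanged === true,
    // The mutation must not change the answer: same as a plain replace.
    sameAsPlainReplace: result === subject.replace(new RegExp(pattern, flags), replacement),
  };
}

// Constructed input. For a global regexp the match loop calls RegExpExec once
// per match plus one final call that returns null, so two matches give three
// calls to the user-installed exec.
console.log(replaceObservingSideEffect("b", "g", "abcabc", "X"));
```

On a fixed engine the global call reports three exec calls, one toString call, shapeChanged true and a result identical to a plain replace; an engine that kept trusting the pre-ToString map would take the fast path and never call the user exec, which is the observable form of the "unintended shape on the fast path" the commit message refers to.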


Comment 6 by sheriffbot@chromium.org (Project Member), Apr 11 2017

Labels: -Merge-Request-58 Merge-Review-58 Hotlist-Merge-Review
This bug requires manual review: We are only 13 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by ClusterFuzz (Project Member), Apr 11 2017

ClusterFuzz has detected this issue as fixed in range 44527:44528.

Detailed report: https://clusterfuzz.com/testcase?key=5021869335117824

Fuzzer: v8_builtins_generator
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  pc_->Mask(ExceptionMask) == HLT in simulator-arm64.cc
Sanitizer: address (ASAN)

Regressed: V8: 44427:44428
Fixed: V8: 44527:44528

Reproducer Testcase: https://clusterfuzz.com/download/AMIfv95InwGpJ8GCDZeGHPQ2XIwC_riHH0_3dDtrfctflupbxDA7r6XCx3hJrzHr2J8SPh29-k4Tz7Vtcc6GJwmZhz96hSRCrCIltLRWsfotvP1ZgdoD01q61blqN3jlnaSZNW9JdaJtDqG4CRaaRQ1IgqC6MDA5kwdTJMnJEs6m9_Y46CRmHc-skJvm0CJ_z8VhfZG_-bU9jdq6s63NeJVon4DdPtbIBf-SZ_B-54YZGGj1fJgQ-5hWiK5KsDd4tAiGvyf_xlJF1Lu8kVNHuT5SQ9jN4LDl5r6qn-qrRGvtAHSxnY6teCovSz06Y1a0ngbPuIpa_ypFuLXjs4y_ASvG0Hmn8EOwnV9gB6IRkUVfyplknTDCSN18cZHrQTNhqhJ6SuDMIaz-JQOX6tmwHiXbx0unXM_VUg?testcase_id=5021869335117824

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

Comment 8 by ClusterFuzz (Project Member), Apr 11 2017

Labels: ClusterFuzz-Verified
Status: Verified (was: Assigned)
ClusterFuzz testcase 5021869335117824 is verified as fixed, so closing issue.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.

Comment 9 by sheriffbot@chromium.org (Project Member), Apr 11 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Cc: awhalley@chromium.org
+awhalley@ for M58 merge review
Looks good for 58.
Labels: Merge-Request-58

Comment 13 by sheriffbot@chromium.org (Project Member), Apr 14 2017

Labels: -Merge-Request-58
This bug requires manual review: We are only 10 days from stable.
Please contact the milestone owner if you have questions.
Owners: amineer@(Android), cmasso@(iOS), bhthompson@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Approving merge to M58 branch 3029 based on comment #11. Please merge ASAP. Thank you.
Labels: -Merge-Review-58 Merge-Approved-58
Cc: adamk@chromium.org
+adamk@, as I think Germany might be off for Easter :-)

Comment 17 by adamk@chromium.org, Apr 15 2017

This isn't a clean merge, and the previous related merges seem to have been backported by hand in https://codereview.chromium.org/2808023002. I'd rather see if we can wait for jgruber@ to handle this on Tuesday (if that's not too late).
If the merge gets in by 5:00 PM PT Monday (04/17), that will be good.
Thanks +adamk@! Tuesday might be too late for the first spin, but we could pick it up if we update.
CL in flight here: https://codereview.chromium.org/2818683005/

Comment 21 by sheriffbot@chromium.org (Project Member), Apr 17 2017

This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible!

If all merges have been completed, please remove any remaining Merge-Approved labels from this issue.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by bugdroid1@chromium.org (Project Member), Apr 17 2017

Labels: merge-merged-5.8
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/5c39a615569250e40414dcdb7a6d60a326c51ebb

commit 5c39a615569250e40414dcdb7a6d60a326c51ebb
Author: jgruber <jgruber@chromium.org>
Date: Mon Apr 17 16:22:54 2017

[regexp] Avoid side effects between map load and fast path check

Loading the map, performing a side-effect, and then using the stored
pointer for the fast-path check is another antipattern that can lead to
unintended shapes on the fast path.

Backmerge of commit db61537afcbc4ed1914152aad302a9788bc80d0f.

BUG=chromium:709029
TBR=yangguo@chromium.org
NOPRESUBMIT=true
NOTRY=true

Review-Url: https://codereview.chromium.org/2818683005
Cr-Commit-Position: refs/branch-heads/5.8@{#67}
Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}

[modify] https://crrev.com/5c39a615569250e40414dcdb7a6d60a326c51ebb/src/builtins/builtins-regexp.cc

Labels: -Merge-Approved-58

Comment 24 by adamk@chromium.org, Apr 17 2017

Labels: merge-merged-58

Comment 25 by sheriffbot@chromium.org (Project Member), Jul 18 2017

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot