Regression range points to 904e5df567844939a065f558ea338cbdc05eb2cd. But could just be flushing out an existing problem. Feel free to hand back if it's unrelated to the change in question.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/e913f9e3842dbbd3d87a54013f4f93ac723ba735

commit e913f9e3842dbbd3d87a54013f4f93ac723ba735
Author: bmeurer <bmeurer@chromium.org>
Date: Wed Apr 26 09:57:36 2017

[turbofan] Fix buggy implicit coercion in GetMapWitness.

BUG= chromium:715151 
R=jarin@chromium.org

Review-Url: https://codereview.chromium.org/2839873004
Cr-Commit-Position: refs/heads/master@{#44881}

[modify] https://crrev.com/e913f9e3842dbbd3d87a54013f4f93ac723ba735/src/compiler/js-builtin-reducer.cc
[add] https://crrev.com/e913f9e3842dbbd3d87a54013f4f93ac723ba735/test/mjsunit/regress/regress-crbug-715151.js

ClusterFuzz has detected this issue as fixed in range 44880:44881.

Detailed report: https://clusterfuzz.com/testcase?key=6729847402659840

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  (map()->has_fast_smi_or_object_elements() || (elements() == GetHeap()->empty_fix
  
Sanitizer: address (ASAN)

Regressed: V8: 44832:44833
Fixed: V8: 44880:44881

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6729847402659840


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.