Reproduces and bisects to a957b0f42468d632b09574e3d6719c704eebbfea.

 Issue 732156  has been merged into this issue.

Underlying reason is missing materialization of escape analysed JS_GENERATOR_OBJECT_TYPE instance type objects. Jaro is OOO today, I might take a look. The following is a reduced repro ...

function* f([x]) {}
%OptimizeFunctionOnNextCall(f);
f();

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/f555a6922dd1b425ed845370cd01428b3ba46f93

commit f555a6922dd1b425ed845370cd01428b3ba46f93
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jun 12 11:30:22 2017

[deoptimizer] Add support for materializing Generator objects.

This adds support for materializing objects of {JSGeneratorObject} type
during deoptimization. Cases where soft-deopts remove any escaping use
of the implicit generator object can cause it to be escape analyzed.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG= chromium:732169 

Change-Id: I2ec10b2a509a4f37a456a8ca2fd74b8de2fb55be
Reviewed-on: https://chromium-review.googlesource.com/530847
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45849}
[modify] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/src/deoptimizer.cc
[add] https://crrev.com/f555a6922dd1b425ed845370cd01428b3ba46f93/test/mjsunit/regress/regress-crbug-732169.js

This issue is a security regression. If you are not able to fix this quickly, please revert the change that introduced it.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Detailed report: https://clusterfuzz.com/testcase?key=6387498266918912

Fuzzer: inferno_js_fuzzer_c
Job Type: windows_asan_d8
Platform Id: windows

Crash Type: Fatal error
Crash Address: 
Crash State:
  
  v8::platform::PrintStackTrace
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6387498266918912


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/b17dee636f5137713bec30972d5653dcec6873b8

commit b17dee636f5137713bec30972d5653dcec6873b8
Author: Michael Starzinger <mstarzinger@chromium.org>
Date: Mon Jun 12 16:27:10 2017

[deoptimizer] Handle Generator object in-object properties.

This adds missing support for in-object properties within objects having
the {JSGeneratorObject} type to materialization during deoptimization.
For corner-cases where the implicit generator object is statically known
not to escape, object layout might still be arbitrarily complex.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-732169
BUG= chromium:732169 , v8:6481 

Change-Id: I32f373913d60af64981dc4ed66873cc8a1dbe872
Reviewed-on: https://chromium-review.googlesource.com/530230
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45870}
[modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/src/deoptimizer.cc
[modify] https://crrev.com/b17dee636f5137713bec30972d5653dcec6873b8/test/mjsunit/regress/regress-crbug-732169.js

ClusterFuzz has detected this issue as fixed in range 45848:45849.

Detailed report: https://clusterfuzz.com/testcase?key=5858264175869952

Fuzzer: inferno_js_fuzzer_c
Job Type: linux_asan_d8_v8_arm64_dbg
Platform Id: linux

Crash Type: Ill
Crash Address: 0x7ff6a46242e8
Crash State:
  v8::internal::TranslatedState::MaterializeCapturedObjectAt
  v8::internal::TranslatedState::MaterializeAt
  MaterializeObjectAt
  
Sanitizer: address (ASAN)

Regressed: V8: 45514:45515
Fixed: V8: 45848:45849

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5858264175869952


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot