CHECK failure: Representation inference: unsupported opcode 59 (Dead), node #5 in simplified-lo
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5807533909606400

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Representation inference: unsupported opcode 59 (Dead), node #5 in simplified-lo
  v8::internal::compiler::RepresentationSelector::VisitNode
  v8::internal::compiler::RepresentationSelector::RunTruncationPropagationPhase

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=47520:47521

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5807533909606400

Issue manually filed by: mstarzinger

See https://github.com/google/clusterfuzz-tools for more information.
Aug 23 2017
Aug 23 2017
This is a serious security regression. If you are not able to fix this quickly, please revert the change that introduced it. If this doesn't affect a release branch, or has not been properly classified for severity, please update the Security_Impact or Security_Severity labels, and remove the ReleaseBlock label. To disable this altogether, apply ReleaseBlock-NA. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Aug 23 2017
Aug 24 2017

Fixed by the following revert:

commit e26e6d8857a61d3c7454abbae7ed8dbe97346a23
Author: Jaroslav Sevcik <jarin@chromium.org>
Date:   Wed Aug 23 08:12:32 2017 +0000

    Revert "Reland "[turbofan] Polymorphic inlining - try merge map check dispatch with function call dispatch.""

    This reverts commit 4cee9fbc9ff03cb5d18a622e8c86abea007b9d63.

    Reason for revert: Breaks on clusterfuzz.

    Original change's description:
    > Reland "[turbofan] Polymorphic inlining - try merge map check dispatch with function call dispatch."
    >
    > This reverts commit 57af6811917ca4ed1bce5f4464a989500672a2bd.
    >
    > This adds the checkpoint between the call and the polymorphic load.
    > I thought that JSCall with constant target cannot cause eager deopt,
    > but Canary seems to disagree (http://crbug.com/718019).
    >
    > Bug: v8:5267,chromium:718019
    > Change-Id: I552b850db6beb93e733b371ad0e7204513da1dc4
    > Reviewed-on: https://chromium-review.googlesource.com/622867
    > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
    > Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#47521}

    TBR=jarin@chromium.org,tebbi@chromium.org,bmeurer@chromium.org

    Change-Id: Ib333883fa27b79fcd766c33997cb0ce46547bb94
    No-Presubmit: true
    No-Tree-Checks: true
    No-Try: true
    Bug: v8:5267, chromium:718019
    Reviewed-on: https://chromium-review.googlesource.com/628076
    Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#47539}
Aug 24 2017

ClusterFuzz has detected this issue as fixed in range 47538:47539.

Detailed report: https://clusterfuzz.com/testcase?key=5807533909606400

Fuzzer: mbarbella_js_mutation
Job Type: linux_asan_d8
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  Representation inference: unsupported opcode 59 (Dead), node #5 in simplified-lo
  v8::internal::compiler::RepresentationSelector::VisitNode
  v8::internal::compiler::RepresentationSelector::RunTruncationPropagationPhase

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=47520:47521
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8&range=47538:47539

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5807533909606400

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 24 2017
ClusterFuzz testcase 5807533909606400 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Aug 24 2017
Sep 5 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/8cf4aafc21d92971f1e8be44f28eae5da6990cf0

commit 8cf4aafc21d92971f1e8be44f28eae5da6990cf0
Author: Jaroslav Sevcik <jarin@chromium.org>
Date:   Tue Sep 05 07:32:16 2017

    [turbofan] Reland^2 "Polymorphic inlining - try merge map check dispatch with function call dispatch."

    This reverts commit e26e6d8857a61d3c7454abbae7ed8dbe97346a23.

    Bug: chromium:758096
    Change-Id: I1d8ecda995c93c84a9a3c24da041fdb730dbd3b2
    Reviewed-on: https://chromium-review.googlesource.com/628169
    Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#47812}

[modify] https://crrev.com/8cf4aafc21d92971f1e8be44f28eae5da6990cf0/src/compiler/js-inlining-heuristic.cc
[modify] https://crrev.com/8cf4aafc21d92971f1e8be44f28eae5da6990cf0/src/compiler/js-inlining-heuristic.h
[add] https://crrev.com/8cf4aafc21d92971f1e8be44f28eae5da6990cf0/test/mjsunit/compiler/regress-758096.js
Sep 6 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/ae28e0cff136e7c4fe18c674b0661f32196134fe

commit ae28e0cff136e7c4fe18c674b0661f32196134fe
Author: Jaroslav Sevcik <jarin@chromium.org>
Date:   Wed Sep 06 11:41:28 2017

    Revert "[turbofan] Reland^2 "Polymorphic inlining - try merge map check dispatch with function call dispatch.""

    This reverts commit 8cf4aafc21d92971f1e8be44f28eae5da6990cf0.

    Reason for revert: Likely crashes Canary.
    https://crash.corp.google.com/browse?q=product.name%3D%27Chrome_Mac%27%20AND%20product.version%3D%2763.0.3207.0%27%20AND%20custom_data.ChromeCrashProto.channel%3D%27canary%27%20AND%20custom_data.ChromeCrashProto.ptype%3D%27renderer%27%20AND%20custom_data.ChromeCrashProto.magic_signature_1.name%3D%27v8%3A%3Ainternal%3A%3Acompiler%3A%3AGraphTrimmer%3A%3ATrimGraph%27&sql_dialect=dremelsql&ignore_case=false&enable_rewrite=true&omit_field_name=&omit_field_value=&omit_field_opt=%3D&unnest=

    Original change's description:
    > [turbofan] Reland^2 "Polymorphic inlining - try merge map check dispatch with function call dispatch."
    >
    > This reverts commit e26e6d8857a61d3c7454abbae7ed8dbe97346a23.
    >
    > Bug: chromium:758096
    > Change-Id: I1d8ecda995c93c84a9a3c24da041fdb730dbd3b2
    > Reviewed-on: https://chromium-review.googlesource.com/628169
    > Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
    > Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    > Cr-Commit-Position: refs/heads/master@{#47812}

    TBR=jarin@chromium.org,tebbi@chromium.org

    # Not skipping CQ checks because original CL landed > 1 day ago.

    Bug: chromium:758096
    Change-Id: I96b62d08efa25ac1ead30e08401919d42a20ca1b
    Reviewed-on: https://chromium-review.googlesource.com/652370
    Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#47845}

[modify] https://crrev.com/ae28e0cff136e7c4fe18c674b0661f32196134fe/src/compiler/js-inlining-heuristic.cc
[modify] https://crrev.com/ae28e0cff136e7c4fe18c674b0661f32196134fe/src/compiler/js-inlining-heuristic.h
[delete] https://crrev.com/ac2801f1328c616cd5c0e2580dec048337d95981/test/mjsunit/compiler/regress-758096.js
Sep 11 2017

The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/5100a009602890d1d22c2a0fc1404d2daff52d14

commit 5100a009602890d1d22c2a0fc1404d2daff52d14
Author: Jaroslav Sevcik <jarin@chromium.org>
Date:   Mon Sep 11 04:18:38 2017

    [turbofan] Reland^3 "Polymorphic inlining - try merge map check dispatch with function call dispatch."

    This reverts commit ae28e0cff136e7c4fe18c674b0661f32196134fe.

    Bug: chromium:758096
    Change-Id: I6541bd1ba46cd5dfb942ed3f3d382e047fb1f3e6
    Reviewed-on: https://chromium-review.googlesource.com/657401
    Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
    Commit-Queue: Jaroslav Sevcik <jarin@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#47934}

[modify] https://crrev.com/5100a009602890d1d22c2a0fc1404d2daff52d14/src/compiler/js-inlining-heuristic.cc
[modify] https://crrev.com/5100a009602890d1d22c2a0fc1404d2daff52d14/src/compiler/js-inlining-heuristic.h
[add] https://crrev.com/5100a009602890d1d22c2a0fc1404d2daff52d14/test/mjsunit/compiler/regress-758096.js
Oct 5 2017
Nov 30 2017

This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mstarzinger@chromium.org, Aug 23 2017

Components: -Blink>JavaScript Blink>JavaScript>Compiler
Owner: jarin@chromium.org
Status: Assigned (was: Untriaged)