CHECK failure: #863:JSCallRuntime should be followed by IfSuccess/IfException, but is only foll
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5618259620790272

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  #863:JSCallRuntime should be followed by IfSuccess/IfException, but is only foll
  v8::internal::compiler::Verifier::Visitor::Check
  v8::internal::compiler::Verifier::Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49187:49188

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5618259620790272

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Nov 9 2017
Setting Security_Impact-None based on the recentness of the CL. If that's not the true culprit CL, we may need to update the Security_Impact label.
Nov 9 2017
Automatically applying components based on crash stacktrace and information from OWNERS files. If this is incorrect, please apply the Test-Predator-Wrong-Components label.
Nov 9 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/c899637debff1e05ac40a1e0d50b0da588df645b

commit c899637debff1e05ac40a1e0d50b0da588df645b
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Nov 09 11:00:45 2017

Revert "Reland^5 "[turbofan] eagerly prune None types and deadness from the graph""

This reverts commit ac0661b358bce7f9af6f23c3e640121f6ca20170.

Reason for revert: Clusterfuzz unhappy: chromium:783019 chromium:783035

Original change's description:
> Reland^5 "[turbofan] eagerly prune None types and deadness from the graph"
>
> This gives up on earlier attempts to interpret DeadValue as a signal of
> unreachable code. This does not work because free-floating dead value
> nodes, and even pure branch nodes that use them, can get scheduled so
> early that they get reachable. Instead, we now eagerly remove branches
> that use DeadValue in DeadCodeElimination and replace DeadValue inputs
> to value phi nodes with dummy values.
>
> Reland of https://chromium-review.googlesource.com/715716
>
> Bug: chromium:741225 chromium:776256
> Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
> Reviewed-on: https://chromium-review.googlesource.com/727893
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49188}

TBR=jarin@chromium.org,tebbi@chromium.org

Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
Change-Id: I6a8fa3a08ce2824a858ae01817688e63ed1f442e
Reviewed-on: https://chromium-review.googlesource.com/758770
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49262}

[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/branch-elimination.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/common-operator.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/common-operator.h
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/dead-code-elimination.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/dead-code-elimination.h
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/instruction-selector.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/instruction-selector.h
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/js-graph.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/js-graph.h
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/memory-optimizer.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/opcodes.h
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/pipeline.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/representation-change.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/typer.cc
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/src/compiler/verifier.cc
[delete] https://crrev.com/d1193e3c6ce24394b60717fd21aa042e4d94ce00/test/mjsunit/compiler/regress-772872.js
[delete] https://crrev.com/d1193e3c6ce24394b60717fd21aa042e4d94ce00/test/mjsunit/compiler/regress-773954.js
[modify] https://crrev.com/c899637debff1e05ac40a1e0d50b0da588df645b/test/unittests/compiler/dead-code-elimination-unittest.cc
Nov 10 2017
ClusterFuzz has detected this issue as fixed in range 49261:49262.

Detailed report: https://clusterfuzz.com/testcase?key=5618259620790272

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: CHECK failure
Crash Address:
Crash State:
  #863:JSCallRuntime should be followed by IfSuccess/IfException, but is only foll
  v8::internal::compiler::Verifier::Visitor::Check
  v8::internal::compiler::Verifier::Run

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49187:49188
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=49261:49262

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5618259620790272

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 10 2017
ClusterFuzz testcase 5618259620790272 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Nov 10 2017
Nov 16 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/19ac10e58af7768b2e4eb57f460169f11f97fcf1

commit 19ac10e58af7768b2e4eb57f460169f11f97fcf1
Author: Tobias Tebbi <tebbi@chromium.org>
Date: Thu Nov 16 20:01:22 2017

Reland^6 "[turbofan] eagerly prune None types and deadness from the graph"

Reland of https://chromium-review.googlesource.com/c/v8/v8/+/727893
The crashes should be fixed by https://chromium-review.googlesource.com/c/v8/v8/+/763531

Original change's description:
> Revert "Reland^5 "[turbofan] eagerly prune None types and deadness from the graph""
>
> This reverts commit ac0661b358bce7f9af6f23c3e640121f6ca20170.
>
> Reason for revert: Clusterfuzz unhappy: chromium:783019 chromium:783035
>
> Original change's description:
> > Reland^5 "[turbofan] eagerly prune None types and deadness from the graph"
> >
> > This gives up on earlier attempts to interpret DeadValue as a signal of
> > unreachable code. This does not work because free-floating dead value
> > nodes, and even pure branch nodes that use them, can get scheduled so
> > early that they get reachable. Instead, we now eagerly remove branches
> > that use DeadValue in DeadCodeElimination and replace DeadValue inputs
> > to value phi nodes with dummy values.
> >
> > Reland of https://chromium-review.googlesource.com/715716
> >
> > Bug: chromium:741225 chromium:776256
> > Change-Id: I251efd507c967d4a8882ad8fd2fd96c4185781fe
> > Reviewed-on: https://chromium-review.googlesource.com/727893
> > Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> > Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
> > Cr-Commit-Position: refs/heads/master@{#49188}
>
> TBR=jarin@chromium.org,tebbi@chromium.org
>
> Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
> Change-Id: I6a8fa3a08ce2824a858ae01817688e63ed1f442e
> Reviewed-on: https://chromium-review.googlesource.com/758770
> Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
> Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#49262}

TBR=jarin@chromium.org,tebbi@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:741225 chromium:776256 chromium:783019 chromium:783035
Change-Id: I6c02b4beb02997ec34015ed2f6791a93c70f5e36
Reviewed-on: https://chromium-review.googlesource.com/772150
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49429}

[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/branch-elimination.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/common-operator.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/common-operator.h
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/dead-code-elimination.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/dead-code-elimination.h
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/effect-control-linearizer.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/instruction-selector.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/instruction-selector.h
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/js-graph.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/js-graph.h
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/memory-optimizer.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/opcodes.h
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/pipeline.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/representation-change.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/simplified-lowering.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/typer.cc
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/src/compiler/verifier.cc
[add] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/test/mjsunit/compiler/regress-772872.js
[add] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/test/mjsunit/compiler/regress-773954.js
[modify] https://crrev.com/19ac10e58af7768b2e4eb57f460169f11f97fcf1/test/unittests/compiler/dead-code-elimination-unittest.cc
Feb 16 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage

- Your friendly Sheriffbot
Comment 1 by dominickn@chromium.org, Nov 9 2017
Labels: Pri-1
Owner: tebbi@chromium.org
Status: Assigned (was: Untriaged)