DCHECK failure in IrOpcode::kMerge == control->opcode() in node-properties.cc
Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6142269672652800

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  IrOpcode::kMerge == control->opcode() in node-properties.cc
  v8::internal::compiler::NodeProperties::InferReceiverMaps
  v8::internal::compiler::JSNativeContextSpecialization::InferReceiverMaps

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50283:50284

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6142269672652800

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
Dec 26 2017
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/dcd60e8c554690aa884347762132b1e8a27da0fc ([turbofan] Reduce ArrayIteratorNext based on instance type). If this is incorrect, please remove the owner and apply the Test-Predator-Wrong-CLs label.
Dec 26 2017
I thought this DCHECK seemed suspicious :) Benedikt, is there another control op that can reasonably be expected here (Like Start)?
Dec 26 2017
I guess in this case it's Dead, and I didn't re-add the dead handling from the first patchset. I'll send a patch tomorrow.
Dec 26 2017
Dec 27 2017
It's Dead. Yeah we need to handle that as well, as it can indeed appear depending on the visitation order. Here's a sort of minimized repro:
========================================================================
// Flags: --allow-natives-syntax --expose-gc
var assertSame;
function bar() {
  var o = {
    func(x) {
      return 'func';
    }
  };
  gc();
  function baz() {
    const args = [11];
    try {
      Object.defineProperty(o, o.func(), {get: function() {}});
    } catch (e) {
    }
    for (let i = 0; i < args.length; ++i) {
      try {
        assertSame(args[i]);
      } catch (e) {
      }
    }
  }
  function foo() {
    try { baz(); } catch (e) { }
  }
  foo();
  %OptimizeFunctionOnNextCall(foo);
  foo();
}
bar();
bar();
========================================================================
You might be able to construct a simpler repro yourself.
Dec 27 2017
The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/007f90ba9b331e4d3a8186799b098bec9b521b0a

commit 007f90ba9b331e4d3a8186799b098bec9b521b0a
Author: Caitlin Potter <caitp@igalia.com>
Date: Wed Dec 27 22:14:41 2017

[turbofan] handle dead effect-phi control op in InferReceiverMaps

Add an early exit if the control op is Dead to prevent failing the DCHECK.

BUG= chromium:797596 , v8:5940, v8:3018
R=bmeurer@chromium.org, jarin@chromium.org

Change-Id: I6090380ea69c3205740b6c7a41d7c066d18d6a9f
Reviewed-on: https://chromium-review.googlesource.com/844978
Commit-Queue: Caitlin Potter <caitp@igalia.com>
Reviewed-by: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#50312}

[modify] https://crrev.com/007f90ba9b331e4d3a8186799b098bec9b521b0a/src/compiler/node-properties.cc
[add] https://crrev.com/007f90ba9b331e4d3a8186799b098bec9b521b0a/test/mjsunit/compiler/regress-797596.js
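
The Dead-control case discussed in this thread, as an added toy model that is not V8 source and not code from this issue: it walks an effect chain and compares a strict "EffectPhi control must be Merge" assumption with an early exit for Dead. All names (`Node`, `Op`, `Result`, `InferMaps`, `RunOn`) are hypothetical, and `kAssertFailed` stands in for the debug build aborting on the DCHECK.

```cpp
#include <cstdio>

// Toy model with hypothetical names; not V8 source. Loops are not modelled.
enum class Op { kStart, kMerge, kDead, kEffectPhi, kCheckMaps, kCall };
// kAssertFailed stands in for the debug build aborting on the DCHECK.
enum class Result { kNoMaps, kReliableMaps, kAssertFailed };

struct Node {
  Op op;
  Node* effect;   // previous node on the effect chain
  Node* control;  // control input, only read for kEffectPhi
  explicit Node(Op o, Node* e = nullptr, Node* c = nullptr)
      : op(o), effect(e), control(c) {}
};

// Walks the effect chain backwards looking for a map check on the receiver.
// strict == true assumes an EffectPhi's control is always a Merge (pre-fix);
// strict == false exits early when that control is Dead (post-fix).
Result InferMaps(Node* effect, bool strict) {
  for (Node* n = effect; n != nullptr; n = n->effect) {
    switch (n->op) {
      case Op::kCheckMaps:
        return Result::kReliableMaps;
      case Op::kEffectPhi:
        if (!strict && n->control->op == Op::kDead) return Result::kNoMaps;
        if (n->control->op != Op::kMerge) return Result::kAssertFailed;
        return Result::kNoMaps;  // joined paths: answer conservatively
      case Op::kStart:
        return Result::kNoMaps;
      default:
        break;  // unrelated effect node, keep walking
    }
  }
  return Result::kNoMaps;
}

// Constructed graph: call -> EffectPhi whose control input has opcode
// control_op (kDead models the Merge being killed before the phi is visited).
Result RunOn(Op control_op, bool strict) {
  Node control(control_op);
  Node phi(Op::kEffectPhi, nullptr, &control);
  Node call(Op::kCall, &phi);
  return InferMaps(&call, strict);
}

int main() {
  std::printf("pre-fix, Dead control:  %d\n", static_cast<int>(RunOn(Op::kDead, true)));
  std::printf("post-fix, Dead control: %d\n", static_cast<int>(RunOn(Op::kDead, false)));
  return 0;
}
```
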
Dec 28 2017
ClusterFuzz has detected this issue as fixed in range 50311:50312.

Detailed report: https://clusterfuzz.com/testcase?key=6142269672652800

Fuzzer: ochang_js_fuzzer
Job Type: linux_asan_d8_dbg
Platform Id: linux

Crash Type: DCHECK failure
Crash Address:
Crash State:
  IrOpcode::kMerge == control->opcode() in node-properties.cc
  v8::internal::compiler::NodeProperties::InferReceiverMaps
  v8::internal::compiler::JSNativeContextSpecialization::InferReceiverMaps

Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50283:50284
Fixed: https://clusterfuzz.com/revisions?job=linux_asan_d8_dbg&range=50311:50312

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6142269672652800

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Dec 28 2017
ClusterFuzz testcase 6142269672652800 is verified as fixed, so closing issue as verified. If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
Dec 28 2017
Apr 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by ClusterFuzz, Dec 26 2017
Labels: Test-Predator-Auto-Components