Issue 823130

Issue metadata

Status: Verified
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


V8 correctness failure in configs: x64,ignition:x64,slow_path

Project Member Reported by ClusterFuzz, Mar 18 2018

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=6473115383889920

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: fa5
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50657:50658

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6473115383889920

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Project Member

Comment 1 by ClusterFuzz, Mar 18 2018

Labels: Test-Predator-Auto-Owner
Owner: machenb...@chromium.org
Status: Assigned (was: Untriaged)
Automatically assigning owner based on suspected regression changelist https://chromium.googlesource.com/v8/v8/+/c85808fe6b0b64ef4f94f92df8e40bfafa9fad17 ([foozzie] Add flag experiment on correctness fuzzer for atomic gc-stress).

If this is incorrect, please let us know why and apply the Test-Predator-Wrong-CLs label. If you aren't the correct owner for this issue, please unassign yourself as soon as possible so it can be re-triaged.
Cc: u...@chromium.org
Components: -Blink>JavaScript Blink>JavaScript>GC
Owner: mvstan...@chromium.org
PTAL memory sheriff. This is sensitive to passing --stress-scavenge. Also repros with ignition_turbo. Slow_path is not required.

Reduced the repro:
/usr/local/google/home/machenbach/Downloads/d8-linux-release-v8-component-52003/v8_foozzie.py --random-seed=-411981264  --first-config=ignition --second-config=ignition_turbo /usr/local/google/home/machenbach/v8/v8/repro.js

// Code:
var __v_0 = "construct"
var __v_3 = {};
var __v_4 = false;
function __f_3(b) {
  [,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, 
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ...b];
}
__f_3([ 3.3]);
__f_3([]);
var vars = [
  ["__v_0"],
  ["__v_0"],
  ["__v_0"],
  ["__v_1"],
  [undefined],
  ["__v_3"],
  ["__v_4"],
  ["__v_0"],
  ["__v_0"],
  ["__v_0"],
  ["__v_1"],
]
for (var i = 0; i < vars.length; i++) {
  try {
    var v1 = this[vars[i][0]];
    var v2 = 3;
    __f_3(v1);
    __f_3(v1);
    __f_3(v1);
  } catch (e) {
    print("Caught: " + e.message)
  }
}


// Output:
# Compared x64,ignition with x64,ignition_turbo
#
# Flags of x64,ignition:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -411981264 --turbo-filter=~ --noopt --suppress-asm-messages
# Flags of x64,ignition_turbo:
--abort_on_stack_or_string_length_overflow --expose-gc --allow-natives-syntax --invoke-weak-callbacks --omit-quit --es-staging --random-seed -411981264 --suppress-asm-messages --stress-scavenge=100 --random-gc-interval=2000
#
# Difference:
- Caught: Cannot read property 'Symbol(Symbol.iterator)' of undefined
+ Caught: b is not iterable
#
# Source file:
none
#
### Start of configuration x64,ignition:
Caught: b is not iterable
Caught: Cannot read property 'Symbol(Symbol.iterator)' of undefined
Caught: b is not iterable
Caught: b is not iterable
Caught: Cannot read property 'Symbol(Symbol.iterator)' of undefined

### End of configuration x64,ignition
#
### Start of configuration x64,ignition_turbo:
Caught: b is not iterable
Caught: Cannot read property 'Symbol(Symbol.iterator)' of undefined
Caught: b is not iterable
Caught: b is not iterable
Caught: b is not iterable

### End of configuration x64,ignition_turbo


Friendly ping. Who could triage this?
Status: Started (was: Assigned)
I'll take a look, thx for the ping!
Issue 837921 has been merged into this issue.
Cc: jkummerow@chromium.org
Issue 839317 has been merged into this issue.
Cc: gsat...@chromium.org mvstan...@chromium.org
Labels: -Pri-1 Pri-2
Owner: jkummerow@chromium.org
This is harmless insofar as an exception is always thrown, and both exceptions are functionally equivalent. We print "b is not iterable" instead of "Cannot read property 'Symbol(Symbol.iterator)' of undefined" as a convenience feature for developers, because it describes in more understandable terms what the problem is. But we have to check for this every time a "cannot read x from y" TypeError would normally be thrown, and this special-casing was missing from the Runtime::GetObjectProperty path.

Fix: https://chromium-review.googlesource.com/c/v8/v8/+/1042951

Reduced repro:

var __v_1 = new Array();
var __v_2 = 0x30;
var __v_4 = "abc";
var __v_3 = "def";

function __f_2(b) {
  [...b];
}
__f_2([1]);
__f_2([3.3]);
__f_2([{}]);

var vars = []
for (name in this) {
  if (name.startsWith("__v_")) {
    vars.push(name);
  }
}
vars.sort();

for (var j = 0; j < vars.length && j < 7; j++) {
  for (var k = j; k < vars.length && k < 7 + j; k++) {
    var v1 = this[vars[j]];
    var e1, e2;
    try {
      __f_2(v1);
      __f_2();
    } catch (e) {
      e1 = "" + e;
    }
    gc();
    try {
      __f_2(v1);
      __f_2();
    } catch (e) {
      e2 = "" + e;
    }
    if (e1 !== e2) {
      print("before gc:" + e1);
      print("after gc: " + e2);
    }
  }
}
Project Member

Comment 8 by bugdroid1@chromium.org, May 3 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/45a2d9c5181e00e05af72b23a79518251289f06f

commit 45a2d9c5181e00e05af72b23a79518251289f06f
Author: Jakob Kummerow <jkummerow@chromium.org>
Date: Thu May 03 23:13:21 2018

Fix "x is not iterable" error message consistency

Since 94ce16b7047, when loading an iterator from null or undefined, we
generate the error message "x is not iterable" instead of the unwieldy
"Cannot read property 'Symbol(Symbol.iterator)' of undefined". However
Runtime::GetObjectProperty, which is used as slow path by LoadICs, did
not check for this case, leading to different messages being generated
depending on IC state.

Bug: chromium:823130
Change-Id: Ie98500b97efef401aac9880b9af47d58c3c2825d
Reviewed-on: https://chromium-review.googlesource.com/1042951
Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org>
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#52974}
[modify] https://crrev.com/45a2d9c5181e00e05af72b23a79518251289f06f/src/runtime/runtime-object.cc
[add] https://crrev.com/45a2d9c5181e00e05af72b23a79518251289f06f/test/mjsunit/regress/regress-crbug-823130.js

Labels: -Stability-Crash
Status: Fixed (was: Started)
Btw, the reason this seemed GC-related is because mark-compact clears the stub cache, causing the (megamorphic) IC to take the "miss" path next time, which throws the right message (as opposed to the cached handler, which throws the wrong message).

I don't think we need to backmerge this; there's no crash or security risk, and users probably don't care: the first exception they see is understandable, and only fairly contrived scenarios would care that the same code throws a less readable exception on repeated execution.
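An added consistency check in the spirit of the reduced repro above (example code, not from this thread, from V8, or from its regression test): it warms a spread site with inputs of different shapes so the inline cache goes megamorphic, then spreads `undefined` or `null` repeatedly, calling `gc()` between attempts when the engine exposes it, and reports whether every attempt produced the same TypeError message. `spreadAll`, `checkMessageConsistency` and the warm-up inputs are constructed for this example.

```javascript
"use strict";

// The spread site whose iterator load the bug affected.
function spreadAll(b) {
  return [...b];
}

// Constructed warm-up inputs: all iterable, but with different hidden classes,
// so the iterator-load IC in spreadAll goes polymorphic, then megamorphic.
const WARMUP_INPUTS = [[1], [3.3], [{}], "abc", new Set([1, 2]), new Uint8Array(2)];

// Run fn(arg) and capture the thrown error's name and message, or null if it returns.
function captureError(fn, arg) {
  try {
    fn(arg);
    return null;
  } catch (e) {
    return { name: e.constructor.name, message: String(e.message) };
  }
}

// Spread `bad` `rounds` times after warm-up and collect the distinct messages.
// Returns { consistent, messages, names }; consistent is true when only one
// message text was ever observed (the property the bug violated).
function checkMessageConsistency(bad, rounds) {
  for (let i = 0; i < 5; i++) {
    for (const input of WARMUP_INPUTS) spreadAll(input);
  }
  const seen = new Map(); // message text -> occurrence count
  const names = new Set();
  for (let i = 0; i < rounds; i++) {
    const err = captureError(spreadAll, bad);
    if (err === null) throw new Error("expected spreading " + bad + " to throw");
    names.add(err.name);
    seen.set(err.message, (seen.get(err.message) || 0) + 1);
    // A full GC clears the stub cache, which is what flipped the IC path in the bug;
    // only available when the engine is started with --expose-gc.
    if (typeof gc === "function") gc();
  }
  return { consistent: seen.size === 1, messages: [...seen.keys()], names: [...names] };
}
```

Run it under d8 or node with --expose-gc to exercise the GC path the thread describes; without the flag it still checks message stability across repeated execution.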
Awesome! Thanks for fixing!
Project Member

Comment 11 by ClusterFuzz, May 4 2018

ClusterFuzz has detected this issue as fixed in range 52973:52974.

Detailed report: https://clusterfuzz.com/testcase?key=6473115383889920

Fuzzer: foozzie_js_mutation
Job Type: v8_foozzie
Platform Id: linux

Crash Type: V8 correctness failure
Crash Address: 
Crash State:
  configs: x64,ignition:x64,slow_path
  sources: fa5
  
Sanitizer: address (ASAN)

Regressed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=50657:50658
Fixed: https://clusterfuzz.com/revisions?job=v8_foozzie&range=52973:52974

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=6473115383889920

See https://github.com/google/clusterfuzz-tools for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Project Member

Comment 12 by ClusterFuzz, May 4 2018

Labels: ClusterFuzz-Verified
Status: Verified (was: Fixed)
ClusterFuzz testcase 6473115383889920 is verified as fixed, so closing issue as verified.

If this is incorrect, please add ClusterFuzz-Wrong label and re-open the issue.
